Why CCPA Doesn’t Do Enough To Protect Consumer Data

Why CCPA Doesn’t Do Enough To Protect Consumer Data

By Laurence Williams   |    March 12, 2021


To know the personal information that businesses collect. To delete personal information that has been collected. To opt out of the sale of personal information. To non-discrimination for exercising CCPA rights.

CCPA Gives Consumers  the Right:

The law affects any organization doing business in California or collecting data on Californian users. The protections apply to California residents even when they’re temporarily outside of the state.

CCPA Only Applies to California Residents

CCPA is the first major step taken in the US to improve consumer data protections. While it doesn’t automatically establish a secure digital environment, it is a roadmap to a more secure internet.

An Important First Step

The liability of not complying might be enough to bring improvements to general data security. Still, there are issues with the scope of the law and how it is written.

Drawbacks  of CCPA

There is no obligation to maintain security practices other than that failure to provide sufficient safety would, in a breach, make you liable for statutory damages to consumers if proven in court.

No Obligation to Maintain Security

Cases are brought through the court system whereby consumers can sue businesses. This might be a barrier to entry for a lot of consumers, especially consumers weary about dealing with the court system.


The 30 day “cure” clause requires consumers to give a written notice of the CCPA violation before taking any legal action. If the business cures the violation, and provides a written statement saying so, statutory damages are not available.

The “Cure” Clause Favors Businesses

CCPA defines “consumer” as a California resident, even if out of state temporarily. Only protecting Californian consumers leaves a large swath of the country unprotected.

How CCPA Defines Consumers

CCPA applies to businesses that trade in the data of more than 50,000 Californians annually, have a revenue of $25+ million, or get over 50% of annual revenue from selling personal information. This leaves out a lot of small businesses.

How CCPA Defines Data Controllers

Only the Californian AG has authority to investigate CCPA violations, and consumers can only start litigation in the case they are involved in a breach – and that only initiates court proceedings.

Limited Investigatory Powers

As it currently exists, CCPA alone might not be enough of a deterrent to fix the issue of data insecurity in the United States.

CCPA has not had  the same level of enforcement  as GDPR

Protect Your Business From Liability

Protect Your Business From Liability

We are not lawyers; we cannot help you audit and achieve compliance in cybersecurity, but we can build a kick-ass website that meets CCPA requirements.

Want to  know more?