The future of the CCPA: What about a Federal law?

September 27, 2019
Written by Gericke Potgieter

Gericke is responsible for marketing systems management and data analytics at EPI-USE Labs. He is a qualified ISO 27001 Lead Implementer and has an MA in Socio-informatics (Decision Making Theory). He has spent most of his career in IT, strategy consulting and software development.


This blog discusses the potential issues around implementing CCPA compliance if a superseding federal law is enacted. It covers:

The fragmented states of data privacy

The United States is facing a data privacy crisis. As hacks, leaks and other breaches find the daily headlines, the response seems to be delayed at the federal level, forcing a highly fragmented response by individual states.

There are no comprehensive Federal laws in place that address personal data privacy. Instead, 26 states published different laws as an attempt to address the concerns of their citizens.

For companies within the United States (and in the case of the CCPA, any company that maintains personal data on California consumers), this is a compliance nightmare. Many of these companies already battle compliance on the global stage as they operate in different jurisdictions where often mutually incompatible laws need to be maintained. To maintain additional compliance on a growing list of states becomes nearly impossible.

The impact of this patchwork of data privacy laws is that it overcomplicates product and service delivery, as well as creating the risk of non-compliance as new laws crop up with new requirements.

The global data privacy drive hits the US

Even though a few countries like Canada and Japan developed comprehensive data privacy laws early on, in 2018 the GDPR became a legal behemoth that created a wave of awareness among ordinary citizens. The slew of data breaches exposed in recent times didn’t help. Now, American citizens are demanding the same rights as their European counterparts.

Internally, the United States is getting tremendous pressure to consolidate data privacy laws as well. Recently, a group of 51 highly influential tech CEOs signed an open letter to Congress, asking for a Federal data privacy law that supersedes state laws, in an attempt to simplify compliance and strengthen individual data privacy rights.

The CCPA: a template for Federal law?

The CCPA is possibly the most prominent data privacy law in the United States at the moment. As one of the largest economies in the world, and as a hub for technology companies, California couldn’t avoid implementing some form of legislation.

As a data privacy law, there is some overlap with GDPR, but there are also a number of fundamental differences, chief of which is the broad definition of personal information, and an “opt-out” approach focused on the sale of data rather than GDPR’s consent model.

Webinar: CCPA and SAP: Prepare nowWebinar: CCPA vs GDPR


One might expect that with its prominence, the CCPA could serve as a template for a Federal law. However, the CCPA is written in a way that doesn’t obstruct the sale of data, making it more lenient to companies that built their operations on the sale of consumer data.

It seems that the general direction for Federal privacy laws is to copy or mirror the GDPR, which is much stricter and would impede the ability of many businesses to sell personal data. From the perspective of individuals, this would be a good thing, but from the perspective of many such businesses, this could spell disaster.

The US Government Accountability Office (GAO), a bi-partisan government agency that provides auditing, evaluation, and investigative services for Congress, already promotes the idea of a GDPR-like Federal law to govern data privacy, giving the SEC the power to enforce it. Even Tim Cook, CEO of Apple, publicly asked that Congress adopts laws that are similar to the GDPR. It is therefore unlikely that a Federal law will closely match the CCPA.

Should I wait before tackling a CCPA compliance project?

The short answer is “no.” It is very risky to ignore any state laws, and particularly the CCPA, as if you have data on California citizens, it will remain the de facto compliance requirement for the foreseeable future. Non-compliance will open up your organization to serious fines and civil action.

The reality is that law at the Federal level is unlikely to be adopted in the near future. It takes tremendous time, effort and legislative grappling to push a law of this magnitude and impact through Congress, leaving organizations to comply with whichever state law applies to them.

What can I do to prepare for a Federal law?

There are some steps you can take to ensure you are prepared for a Federal data privacy law:

The future of the CCPA Graphics-01-1The future of the CCPA Graphics-02-1

The future of the CCPA Graphics-03The future of the CCPA Graphics-04The future of the CCPA Graphics-05

Still unsure? We have developed a comprehensive CCPA implementation guide that includes a comparison with GDPR. We also developed a white paper that gives you practical insights on how technology can support your data privacy compliance journey.

Making CCPA compliance easier - from an SAP perspective


This blog is not intended as legal advice and should not be construed as such. Its purpose is to provide information for educational purposes only and makes no claims or guarantees with regards to efficacy, accuracy or full compliance with the law discussed herein.

Please consult with an appropriate legal advisor before implementing any part of a CCPA compliance project. EPI-USE Labs will not take any responsibility for misinterpretation or incorrect application of practical measures towards compliance resulting from the use of this information.



Explore Popular Tags

GDPR Data Privacy Data Security Data Secure GDPR compliance data scrambling Data Redaction Data Redact General Data Protection Regulation POPI Act POPIA Data Archiving Data Sync Manager SAP GDPR Right to be forgotten SAP Data Security GDPR readiness SAP data privacy and compliance Data privacy compliance GDPR deadline Personal data SAP SAP security Data privacy regulations Access risk controls Data minimisation GRC for SAP SAP data privacy and security SAP systems compliance Access Risk management COVID-19 Data privacy by design Data security breaches Governance, Risk Management and Compliance (GRC) Risk monitoring SAR Subject Access Request Australian Privacy Act 1988 CCPA Cenoti Client Sync Data Protection Day European operations Federal Law GDPR fine Guest order ICO May 2018 Object Sync One-time customer Privacy by Design Reducing risk Right to Erasure Risk minimisation SAP data SAP data copying and masking Soterion Test Data Management anonymised data security breach Backlog privacy debt Black Friday Black Friday hangover Black Friday sales Breach Notification Brexit Budget Canada data privacy legislation Cenoti, connecting SAP with Splunk Cloud migrations Confidentiality Consent DSM DSM Readiness Assessment Data Portability Data Privacy suite Data Removal Data Replication Data integrity Data masking Data processor versus controller Data retention rules Documentation Employee data Europe Friday 25 May 2018 GDPR-type legislation GRC GRC for SAP tools HCM HR ILM Information Commissioner’s Office Information transfer Infotype 41 JSOX New Zealand Privacy Act Online shopping Penalties Phantom Proportional Data Protect personal employee data Removing data in SAP Right to Access Risk management S/4HANA Migrations S4HANA SAP Data Privacy Suite SAP S/4HANA SAP access risk simulations SAP data encryption SAP data privacy & security SIEM SOX Sarbanes-Oxley (SOX) legislation Secure scrambled production data for testing Security Security Information and Event Management Security for SAP. Live Sensitive HCM data South African data privacy legislation Splunk Splunk UBA Splunk’s Enterprise Security Success Factors Territorial Scope UK Government User Access Review Virtual conference What does the European GDPR mean for Australia? masking rules quality of test data system copy uk sox
+ See More

Get Instant Updates

Leave a Comment: