The future of the CCPA: What about a Federal law?

September 27, 2019
Written by Gericke Potgieter

Gericke is responsible for marketing systems management and data analytics at EPI-USE Labs. He is a qualified ISO 27001 Lead Implementer and has an MA in Socio-informatics (Decision Making Theory). He has spent most of his career in IT, strategy consulting and software development.


This blog discusses the potential issues around implementing CCPA compliance if a superseding federal law is enacted. It covers:

The fragmented states of data privacy

The United States is facing a data privacy crisis. As hacks, leaks and other breaches find the daily headlines, the response seems to be delayed at the federal level, forcing a highly fragmented response by individual states.

There are no comprehensive Federal laws in place that address personal data privacy. Instead, 26 states published different laws as an attempt to address the concerns of their citizens.

For companies within the United States (and in the case of the CCPA, any company that maintains personal data on California consumers), this is a compliance nightmare. Many of these companies already battle compliance on the global stage as they operate in different jurisdictions where often mutually incompatible laws need to be maintained. To maintain additional compliance on a growing list of states becomes nearly impossible.

The impact of this patchwork of data privacy laws is that it overcomplicates product and service delivery, as well as creating the risk of non-compliance as new laws crop up with new requirements.

The global data privacy drive hits the US

Even though a few countries like Canada and Japan developed comprehensive data privacy laws early on, in 2018 the GDPR became a legal behemoth that created a wave of awareness among ordinary citizens. The slew of data breaches exposed in recent times didn’t help. Now, American citizens are demanding the same rights as their European counterparts.

Internally, the United States is getting tremendous pressure to consolidate data privacy laws as well. Recently, a group of 51 highly influential tech CEOs signed an open letter to Congress, asking for a Federal data privacy law that supersedes state laws, in an attempt to simplify compliance and strengthen individual data privacy rights.

The CCPA: a template for Federal law?

The CCPA is possibly the most prominent data privacy law in the United States at the moment. As one of the largest economies in the world, and as a hub for technology companies, California couldn’t avoid implementing some form of legislation.

As a data privacy law, there is some overlap with GDPR, but there are also a number of fundamental differences, chief of which is the broad definition of personal information, and an “opt-out” approach focused on the sale of data rather than GDPR’s consent model.

Webinar: CCPA and SAP: Prepare nowWebinar: CCPA vs GDPR


One might expect that with its prominence, the CCPA could serve as a template for a Federal law. However, the CCPA is written in a way that doesn’t obstruct the sale of data, making it more lenient to companies that built their operations on the sale of consumer data.

It seems that the general direction for Federal privacy laws is to copy or mirror the GDPR, which is much stricter and would impede the ability of many businesses to sell personal data. From the perspective of individuals, this would be a good thing, but from the perspective of many such businesses, this could spell disaster.

The US Government Accountability Office (GAO), a bi-partisan government agency that provides auditing, evaluation, and investigative services for Congress, already promotes the idea of a GDPR-like Federal law to govern data privacy, giving the SEC the power to enforce it. Even Tim Cook, CEO of Apple, publicly asked that Congress adopts laws that are similar to the GDPR. It is therefore unlikely that a Federal law will closely match the CCPA.

Should I wait before tackling a CCPA compliance project?

The short answer is “no.” It is very risky to ignore any state laws, and particularly the CCPA, as if you have data on California citizens, it will remain the de facto compliance requirement for the foreseeable future. Non-compliance will open up your organization to serious fines and civil action.

The reality is that law at the Federal level is unlikely to be adopted in the near future. It takes tremendous time, effort and legislative grappling to push a law of this magnitude and impact through Congress, leaving organizations to comply with whichever state law applies to them.

What can I do to prepare for a Federal law?

There are some steps you can take to ensure you are prepared for a Federal data privacy law:

The future of the CCPA Graphics-01-1The future of the CCPA Graphics-02-1

The future of the CCPA Graphics-03The future of the CCPA Graphics-04The future of the CCPA Graphics-05

Still unsure? We have developed a comprehensive CCPA implementation guide that includes a comparison with GDPR. We also developed a white paper that gives you practical insights on how technology can support your data privacy compliance journey.

Making CCPA compliance easier - from an SAP perspective


This blog is not intended as legal advice and should not be construed as such. Its purpose is to provide information for educational purposes only and makes no claims or guarantees with regards to efficacy, accuracy or full compliance with the law discussed herein.

Please consult with an appropriate legal advisor before implementing any part of a CCPA compliance project. EPI-USE Labs will not take any responsibility for misinterpretation or incorrect application of practical measures towards compliance resulting from the use of this information.



Explore Popular Tags

GDPR Data Privacy data security data secure data scrambling GDPR compliance POPI Act POPIA Data Sync Manager Data Redaction Right to be forgotten GDPR readiness General Data Protection Regulation SAP GDPR Data Archiving Data Redact GDPR deadline personal data sap Data privacy compliance SAP data privacy and compliance SAP systems SAR Subject Access Request CCPA European operations Federal Law May 2018 Right to Erasure anonymised data compliance test data management Access risk controls Australian Privacy Act 1988 Breach Notification Brexit Budget COVID-19 Canada data privacy legislation Client Sync Cloud migrations Consent DSM Data Portability Data privacy by design Data privacy regulations Documentation Europe Friday 25 May 2018 GDPR-type legislation GRC for SAP HCM HR ICO Information Commissioner’s Office Information transfer Infotype 41 Object Sync Penalties Privacy by Design Proportional Data Right to Access Risk management Risk monitoring S/4HANA Migrations SAP Data Security SAP S/4HANA SAP data SAP security Secure scrambled production data for testing Security Security for SAP. Live South African data privacy legislation Success Factors Territorial Scope UK Government Virtual conference What does the European GDPR mean for Australia? masking rules quality of test data system copy
+ See More

Get Instant Updates

Leave a Comment: