The California Consumer Privacy Act of 2018 (CCPA), which goes into effect in January 2020, guarantees new data privacy rights for California’s 40 million consumers, with kids under 16 winning extra protections.

Common Sense Media has put out a complete report on Protecting Digital Privacy for Parents and Kids which clarifies those new rights:


  • Notice: It guarantees consumers the right to know what data about them is being collected.
  • Consent: It guarantees consumers the right to opt out of their data being sold.
  • Deletion: It guarantees consumers the right to delete all their private data, with exceptions.
  • Access & portability: It guarantees consumers the right to access, download, or transfer their data.
  • Kids’ rights: Kids under 16, or their parents, must opt in to consent to the sale of their data.
  • Enforcement: The attorney general can levy fines, and consumers can sue for breaches.

How does California’s law compare to the EU’s GDPR?

In general, the CCPA provides many of the key data subject rights of the GDPR, but it does not provide all of them. It also does not contain the internal record-keeping, auditing, and data privacy officer requirements.

Around the country, states are working to protect the online privacy and safety of Americans, especially younger Americans.

Key recent steps forward include:

More than 30 states have passed laws protecting students’ privacy since California’s Student Online Personal Information Protection Act passed in 2014.

Vermont passed a law shining a light on “data brokers.” These are the companies that collect, aggregate, and resell information about you and your family—and they usually operate in secrecy. The new law will require data brokers to register publicly, to keep your data secure, and inform you if there is a data breach.

Illinois has worked to protect its residents’ “biometric privacy.” Illinois has the strongest law in the country protecting your fingerprints, face, and other biological identifiers. Civil rights and kids’ groups are working to protect the 2008 law from legislative and legal challenges.

New Mexico is suing app manufacturers for violating kids’ privacy. The state filed suit under the Childrens’ Online Privacy Protection Act (COPPA) in 2018 accusing the makers of thousands of apps of illegally collecting and storing the data of kids who signed up for them. This is an important case for social media privacy protections. Other states like New York and New Jersey announced COPPA settlements in 2018. 

Alabama became the 50th state to oversee data breaches. Almost every American has had their data stolen—and now all 50 states have given them tools to respond. Generally these laws require data to be held securely and for companies to quickly warn consumers when it is stolen.

Parental controls are not enough. Companies should build in privacy and security from the ground up by incorporating sound privacy and security policies and practices at every stage of product development. By incorporating privacy and security into the architecture of a product and involving designers and engineers from the beginning, companies will be in a better position to protect consumers and their market share.

Review the full report for yourself at