In 2018, when businesses were preparing for the European Union’s General Data Privacy Regulation (GDPR), California quietly and quickly passed its own legislation: the California Consumer Privacy Act (CCPA). This regulation, with its emphasis on consumer privacy rights, has an interesting history of grassroots consumer advocacy coupled with swift legislative action provoked by the fear of a ballot initiative. But what security professionals may have missed is that the CCPA contains a surprise in the form of a provision devoted to “reasonable” cybersecurity procedures and policies.