Comprehensive data privacy regulation is now a reality in the United States. From the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA) to the Virginia Consumer Data Protection Act (VCDPA) and the Colorado Privacy Act (CoPA) to the host of industry and subject matter-specific regulations in place at the state and federal levels, our dedicated privacy compliance attorneys know this space inside and out. We have guided hundreds of companies through the compliance process, provide strategic advice on every aspect of consumer privacy, and are leading advocates for businesses facing regulatory investigations and consumer lawsuits. We proactively monitor new developments in this dynamic area of regulation and help our clients stay ahead of the curve.
What You Need to Know
When the CCPA took effect in January 2020, it ushered in a new era for privacy laws in the United States. Beyond regulation of specific types of information or specific industries, the CCPA’s protections apply to all California residents, regardless of their relationship with a business, the industry in which the business operates, or whether the business collects personal information online or offline. The CPRA further expanded consumer privacy rights, created additional requirements for businesses, established a new enforcement agency dedicated to data privacy, and will end exemptions for personal information collected from employees, job applicants and business-to-business contacts.
Meanwhile, California is no longer alone in enacting comprehensive consumer privacy laws. When the VCDPA and CoPA take effect in 2023, more than 16 percent of the U.S. population will have the right to ask businesses what personal information is held about them, to delete or correct that information, and to limit certain uses and sharing, among other rights. With dozens of comprehensive privacy bills pending in state legislatures, other states will drive even further expansion of this type of regulation. While there are many commonalities that can be leveraged for compliance with these laws, it is critical to know the details of each, the nuances of when they apply, and how they fit with other privacy laws like the Health Insurance Portability and Accountability Act (HIPAA), the Children’s Online Privacy Protection Act (COPPA) and the Gramm-Leach-Bliley Act (GLBA).
At its core, compliance with consumer privacy laws requires a thorough understanding of how your business collects and uses personal information; how it shares personal information with business partners, vendors and others; the rights available to consumers; and what actions must be taken on personal information the business holds in order to delete it, correct it or provide a portable copy to a consumer.
How We Can Help
Compliance
Our privacy compliance attorneys are deeply familiar with the implications of the California, Virginia and Colorado privacy laws as well as legislative proposals in many other states. We provide clients with customized, practical advice that includes:
- Compliance readiness assessments
- Compliance program development and implementation
- Inventorying data and mapping data flows
- Privacy policies and notices
- Processing and responding to consumer rights requests
- Privacy and data security assessments
- Risk management
- Vendor contract negotiation and drafting
- Tracking legislative and regulatory developments
- Due diligence for mergers, acquisitions and other transactions
- Identifying, engaging and managing privacy and technology consultants and solutions
We provide privacy guidance for companies across all industries, including:
- Advertising, marketing and digital media
- Retail
- Manufacturing
- Hospitality
- Technology, including software as a service
- Healthcare
- Financial services/wealth management
- Human resource services and employee benefit providers
- Professional services organizations
- Real estate
We have helped hundreds of clients develop, implement and operate CCPA- and CPRA-compliant consumer privacy programs. We leverage this experience and our deep knowledge of the EU General Data Protection Regulation to assist clients as they work through the complexities of complying with VCDPA, CoPA and other new legislation. Combining our strength in privacy and advertising law, we also help publishers, advertisers and ad tech companies address complex issues regarding the impact of CCPA/CPRA on digital advertising, and work with the leading trade associations in this regard.
Enforcement
When the California Attorney General began enforcement of the CCPA on July 1, 2020, our firm was there to defend businesses caught in the first wave of enforcement. Businesses facing regulatory scrutiny continue to seek our unique knowledge in this regard, which includes:
- Compliance readiness assessment
- Compliance program development and implementation
- Inventorying data and mapping data flows
- Privacy and data security assessments
- Risk management
- Tracking legislative and regulatory developments
- Vendor contract drafting and review
Whatever the future brings in terms of new regulators like the California Privacy Protection Agency or new privacy laws that may include a private right of action, our regulatory and litigation teams will be at the ready to advocate for our clients.