U.S. Consumer Privacy and the CCPA

Overview

The California Consumer Privacy Act (CCPA) is scheduled to become effective on January 1, 2020, bringing unprecedented change to the U.S. data protection law landscape. Businesses that are not fully prepared to comply with the CCPA’s sweeping restrictions on the handling of consumers’ personal information face severe financial penalties. The CCPA is the first of what is likely to be a coming wave of consumer data privacy regulations at the state and even federal level, much as the General Data Protection Regulation (GDPR) is changing how business is done in the EU.

Our nationally ranked and highly respected Privacy and Data Protection team is deeply familiar with the implications of the CCPA and other legislative proposals, and we provide clients with customized, practical advice regarding:

  • Compliance readiness assessment
  • Compliance program development and implementation
  • Inventorying data and mapping data flows
  • Privacy and data security assessments
  • Risk management
  • Tracking legislative and regulatory developments
  • Vendor contract drafting and review
  • Identifying, engaging and managing IT consultants and solutions

Time is short. Companies subject to the CCPA should begin mapping their inventories of personal information and identifying all collection, use, sale and sharing of that information, given that the CCPA includes requirements that are subject to a 12-month lookback (i.e., to January 1, 2019).

We provide guidance on the CCPA and privacy compliance issues for companies across industries, including:

  • Advertising, marketing and digital media
  • Financial services/wealth management
  • Healthcare
  • Hospitality
  • Human resource services and employee benefit providers
  • Manufacturing
  • Professional services organizations
  • Real estate
  • Retail
  • Software and Software-As-a-Service providers
  • Technology

We have developed hundreds of privacy notices, policies and compliance programs pursuant to various U.S. laws and self-regulatory programs. Our team has counseled more than 175 clients on GDPR compliance, including through the development and implementation of internal programs and policies, and we leverage this experience to assist clients as they work through the complexities of complying with the CCPA and other legislation.

The CCPA and other proposed state and federal legislation are similar in certain ways to the GDPR, but each has differing provisions that will require even businesses that are already GDPR-compliant to undertake new data privacy efforts.

What You Need to Know about the CCPA
  • CCPA’s protections apply to all California residents, regardless of their relationship with an organization (e.g., employees, customers, business leads) or whether their personal information is collected online or offline.
  • Companies that handle personal information – any information that identifies a consumer or household – of as few as 50,000 devices, individuals or households annually may be subject to the act.
  • Businesses with revenues of $25 million or more may have compliance obligations no matter how much personal information they collect from Californians.
  • The CCPA provides California residents with a right to be informed of the categories of personal information that a business collects or otherwise receives, sells or discloses about them; the purposes for these activities; and the categories of parties to which their personal information is disclosed.
  • The Act also grants California residents the right to request more detailed information about the personal information a business holds specifically about them, and the right to obtain portable copies of their personal information from the business.
  • The CCPA gives Californians the right to prohibit a business from selling their personal information, and to request that a business delete their personal information.
  • Violations of the CCPA are enforceable by the California Attorney General, who may bring actions for civil penalties of $2,500 per violation, or up to $7,500 per intentional violation.
  • Notably, the CCPA includes a private right of action with the potential for statutory damages, though as currently drafted this remedy is most likely intended to be limited to certain types of data security incidents.

Featured Video

California Consumer Privacy Act (CCPA) [as amended by SB-1121]

Alan Friel Presents on the California Consumer Privacy Act (CCPA) at UCLA's Big Data Conference

In The Blogs

Data Privacy Monitor
Attempt to Expand CCPA Private Right of Action Fails, While Bills Exempting Employee Data and Otherwise Refining CCPA Advance
By Taylor A. Bloom, Alan L. Friel, Niloufar Massachi
June 5, 2019
Over the past several weeks, the California State Assembly has voted in favor of advancing to the California Senate bills that would narrow the reach of the California Consumer Privacy Act (CCPA). Senate bills did not fare as well and have...
Data Privacy Monitor
Nevada Adds "Do Not Sell" Requirement to Privacy Law
By Alan L. Friel, Shea M. Leitch
June 5, 2019
Last week, Nevada Governor Steve Sisolak signed new privacy legislation into law in Nevada. Senate Bill 220 (SB-220) updates Nevada Revised State 603A to provide consumers a new right to opt out of the sale of their data. Effective Oct. 1...
Data Privacy Monitor
Ad and Publishing Industries Confront CCPA Challenges While Congress Considers Privacy
By Alan L. Friel
May 29, 2019
The California Consumer Privacy Act (CCPA), effective Jan. 1, 2020, will require more privacy transparency and choice for consumers than they have ever had under U.S. law, but its approach to providing consumers with the right to opt out...
Data Privacy Monitor
Washington Privacy Act Dies in the House While California Continues to Consider Refinements to the CCPA
By Shea M. Leitch, Niloufar Massachi
May 6, 2019
After passing the Senate nearly unanimously, the Washington Privacy Act (SB 5376) has stalled in the House of Representatives. The bill failed to achieve passage out of committee by the April 17 deadline for consideration of bills...
Data Privacy Monitor
California Assembly Privacy Committee Votes in Favor of Advancing CCPA Amendments
By Alan L. Friel, Niloufar Massachi
April 30, 2019
Last Tuesday, the California Assembly’s Committee on Privacy and Consumer Protection (Assembly Privacy Committee), which has jurisdiction over matters related to privacy, the protection of personal information and information technology...