U.S. Consumer Privacy and the CCPA

Overview

The California Consumer Privacy Act (CCPA) went into effect on January 1, 2020, which brought an unprecedented change to the U.S. data protection law landscape. Businesses that are not fully compliant with the CCPA’s sweeping restrictions on the handling of consumers’ personal information can face severe financial penalties. The CCPA is the first of what is likely to be a coming wave of consumer data privacy regulations at the state and even federal level, much as the General Data Protection Regulation (GDPR) is changing how business is done in the EU.

Our nationally ranked and highly respected Privacy and Data Protection team is deeply familiar with the implications of the CCPA and other legislative proposals and we provide clients with customized, practical advice regarding:

  • Compliance readiness assessment
  • Compliance program development and implementation
  • Inventory data and mapping data flows
  • Privacy and data security assessments
  • Risk management
  • Tracking legislative and regulatory developments
  • Vendor contract drafting and review
  • Identifying, engaging and managing IT consultants and solutions

While the California Attorney General cannot commence enforcement actions for non-compliance until July 1, 2020, he has publicly stated that this is not a safe harbor period and that his office is free to bring claims in July for non-compliance in January, and that he takes a narrow view of the right to cure. Companies that missed the January 1 effective date should work expeditiously to provide the transparency and choice that the CCPA requires, even if they have to roll out their compliance programs incrementally. Some aspects of compliance will be dependent on what the final regulations, which have not yet been promulgated, provide. Companies that have not yet completed inventories of personal information and identified all collection, uses, sales and sharing of that information subject to the CCPA’s 12-month lookback (i.e., to January 1, 2019), will need to do so in order to be able to comply with even the most unambiguous requirements of the CCPA.

We provide guidance on the CCPA and other privacy compliance issues for companies across industries, including:

  • Advertising, marketing and digital media
  • Financial services/wealth management
  • Healthcare
  • Hospitality
  • Human resource services and employee benefit providers
  • Manufacturing
  • Professional services organizations
  • Real estate
  • Retail
  • Software and Software-As-a-Service providers
  • Technology

We have developed thousands of privacy notices, policies and compliance programs pursuant to various U.S. laws and self-regulatory programs. Our team has counseled more than 175 clients on GDPR compliance, including through the development and implementation of internal programs and policies and we leverage this experience to assist clients as they work through the complexities of complying with the CCPA and other legislation, and has been working with over 100 companies on CCPA readiness.

The CCPA and other proposed state and federal legislation are similar in certain ways to the GDPR, but each has differing provisions that will require even businesses that are already GDPR-compliant to undertake new data privacy efforts.

What You Need to Know about the CCPA
  • CCPA’s protections apply to all California residents, regardless of their relationship with an organization (e.g., employees, customers, business leads) or whether their personal information is collected online or offline, though for calendar year 2020 not all aspects of the CCPA will apply to certain human resources and business-to-business communications data.
  • Companies that handle personal information – any information that identifies a consumer or household – of as few as 50,000 devices, individuals or households annually may be subject to the act.
  • Businesses with revenues of $25 million or more may have compliance obligations no matter how much personal information they collect from Californians.
  • The CCPA provides California residents with a right to be informed of the categories of personal information that a business collects or otherwise receives, sells or discloses about them; the sources of that data; the purposes for these activities; and the categories of parties to which their personal information is disclosed.
  • The Act also grants California residents the right to request detailed information about the personal information a business holds specifically about them, and the right to obtain portable copies of their personal information from the business.
  • The CCPA gives Californians the right to prohibit a business from selling their personal information, and has a very broad definition of “sale,” and to request that a business delete their personal information, subject to certain retention purposes.
  • Violations of the CCPA are enforceable by the California Attorney General, who may bring actions for civil penalties of $2,500 per violation, or up to $7,500 per intentional violation.
  • Notably, the CCPA includes a private right of action with the potential for statutory damages, though as currently drafted this remedy is most likely intended to be limited to certain types of data security incidents. The private right of action provisions of the law became fully effective on January 1, 2020 and are not subject to any enforcement delay.

Professionals

Name Title Office Email
Associate New York
Associate Costa Mesa
Partner Atlanta
Partner Denver
Associate New York
Partner Los Angeles
Associate Atlanta
Partner Los Angeles
Associate Seattle
Associate Los Angeles
Associate Los Angeles
Partner New York
Partner Philadelphia
Associate Atlanta
Associate Costa Mesa
Partner New York
Partner Washington, D.C.
Associate New York
Associate Los Angeles

News

News

Press Releases

Publications

Alerts

Articles

Blog Posts

Key Contacts

Blog

In The Blogs

Previous Next
Data Privacy Monitor
Version of Proposed CCPA Regulations Available
By Alan L. Friel
February 7, 2020
On February 7, 2020 the California Attorney General published a second version of the proposed regulations to implement the California Consumer Protection Act available here. A redline against the first draft is available here. A new...
Read More ->
AD-ttorneys Law Blog
The Ad Industry Wants a Delay to CCPA Enforcement As It Considers CCPA Cookie Compliance Frameworks and Ongoing Rulemaking
By Taylor A. Bloom, Alan L. Friel
January 31, 2020
A letter penned by the top ad industry trade associations (the American Association of Advertising Agencies, the Interactive Advertising Bureau (IAB), the Association of National Advertisers, the American Advertising Federation and the...
Read More ->
Data Privacy Monitor
California AG Press Release Clarifies CCPA's Jan. 1 Effective Date and Data Broker Registry, Provides No Update on Draft Regulations
By Kyle R. Fath
January 14, 2020
On Jan. 6, 2020, the California attorney general (AG) released a CCPA advisory press release outlining the new data privacy rights under the California Consumer Privacy Act (CCPA) afforded to California consumers and clearly stating that...
Read More ->
Data Privacy Monitor
Hoping for a New Year's Resolution: Clarity on the Sale of Personal Information of California Minors
By Carolina A. Alonso, Alan L. Friel
January 9, 2020
Those who keep an eye on privacy laws may be familiar with how monumental the Children’s Online Privacy Protection Act (COPPA) was when it first became effective in 1998. COPPA requires online services that directly target children under...
Read More ->
Data Privacy Monitor
Is the CCPA's Private Right of Action Provision Retroactive?
By Sean B. Solis
January 9, 2020
With the California Consumer Privacy Act (CCPA) – the strictest privacy law in the nation – now in effect, an important question for businesses to consider is whether it applies to conduct that occurred prior to the law’s effective date of...
Read More ->