U.S. Consumer Privacy and the CCPA

Overview


For more information on becoming prepared for the two new state privacy laws, please contact Alan Friel.

The California Consumer Privacy Act (CCPA) is scheduled to become effective on January 1, 2020, bringing unprecedented change to the U.S. data protection law landscape. Businesses that are not fully prepared to comply with the CCPA’s sweeping restrictions on the handling of consumers’ personal information face severe financial penalties. The CCPA is the first of what is likely to be a coming wave of consumer data privacy regulations at the state and even federal level, much as the General Data Protection Regulation (GDPR) is changing how business is done in the EU.

Our nationally ranked and highly respected Privacy and Data Protection team is deeply familiar with the implications of the CCPA and other legislative proposals, and we provide clients with customized, practical advice regarding:

  • Compliance readiness assessment
  • Compliance program development and implementation
  • Inventorying data and mapping data flows
  • Privacy and data security assessments
  • Risk management
  • Tracking legislative and regulatory developments
  • Vendor contract drafting and review
  • Identifying, engaging and managing IT consultants and solutions

Time is short. Companies subject to the CCPA should begin mapping their inventories of personal information and identifying all collection, use, sale and sharing of that information, given that the CCPA includes requirements that are subject to a 12-month lookback (i.e., to January 1, 2019).

We provide guidance on the CCPA and privacy compliance issues for companies across industries, including:

  • Advertising, marketing and digital media
  • Financial services/wealth management
  • Healthcare
  • Hospitality
  • Human resource services and employee benefit providers
  • Manufacturing
  • Professional services organizations
  • Real estate
  • Retail
  • Software and Software-as-a-Service providers
  • Technology

We have developed hundreds of privacy notices, policies and compliance programs pursuant to various U.S. laws and self-regulatory programs. Our team has counseled more than 175 clients on GDPR compliance, including through the development and implementation of internal programs and policies, and we leverage this experience to assist clients as they work through the complexities of complying with the CCPA and other legislation.

The CCPA and other proposed state and federal legislation are similar in certain ways to the GDPR, but each has differing provisions that will require even businesses that are already GDPR-compliant to undertake new data privacy efforts.

What You Need to Know about the CCPA
  • CCPA’s protections apply to all California residents, regardless of their relationship with an organization (e.g., employees, customers, business leads) or whether their personal information is collected online or offline.
  • Companies that handle personal information – any information that identifies a consumer or household – of as few as 50,000 devices, individuals or households annually may be subject to the act.
  • Businesses with revenues of $25 million or more may have compliance obligations no matter how much personal information they collect from Californians.
  • The CCPA provides California residents with a right to be informed of the categories of personal information that a business collects or otherwise receives, sells or discloses about them; the purposes for these activities; and the categories of parties to which their personal information is disclosed.
  • The Act also grants California residents the right to request more detailed information about the personal information a business holds specifically about them, and the right to obtain portable copies of their personal information from the business.
  • The CCPA gives Californians the right to prohibit a business from selling their personal information, and to request that a business delete their personal information.
  • Violations of the CCPA are enforceable by the California Attorney General, who may bring actions for civil penalties of $2,500 per violation, or up to $7,500 per intentional violation.
  • Notably, the CCPA includes a private right of action with the potential for statutory damages, though as currently drafted this remedy is most likely intended to be limited to certain types of data security incidents.

Featured Video

California Consumer Privacy Act (CCPA) [as amended by SB-1121]

Alan Friel Presents on the California Consumer Privacy Act (CCPA) at UCLA's Big Data Conference


In The Blogs

Data Privacy Monitor
Less Than a Month to Go Until Nevada Privacy Law Effective Date
By Alan L. Friel, Shea M. Leitch
September 12, 2019
As discussed in our previous blog post on the topic, Nevada’s amendments to its privacy law are set to go into effect Oct. 1, 2019. Less comprehensive in scope than the much-heralded CCPA, the Nevada privacy law amendment has received...
Data Privacy Monitor
Summer Is Over – It's CCPA and NV Crunch Time
By Alan L. Friel
September 9, 2019
It is less than 120 days until California’s ground-shifting new privacy regimen – the California Consumer Privacy Act (CCPA) – goes into effect. There is only a week left for the Legislature to pass the handful of amendment bills that...
Data Privacy Monitor
CCPA Amendment Progress Report: July Update
By Taylor A. Bloom, Melinda L. McLellan
July 25, 2019
As we reported in April, May and June, a number of potentially significant amendments to the California Consumer Privacy Act (CCPA) continue to make their way through the state legislative process. Below we provide a summary of recent...
Data Privacy Monitor
Attempt to Expand CCPA Private Right of Action Fails, While Bills Exempting Employee Data and Otherwise Refining CCPA Advance
By Taylor A. Bloom, Alan L. Friel, Niloufar Massachi
June 5, 2019
Over the past several weeks, the California State Assembly has voted in favor of advancing to the California Senate bills that would narrow the reach of the California Consumer Privacy Act (CCPA). Senate bills did not fare as well and have...
Data Privacy Monitor
Nevada Adds "Do Not Sell" Requirement to Privacy Law
By Alan L. Friel, Shea M. Leitch
June 5, 2019
Last week, Nevada Governor Steve Sisolak signed new privacy legislation into law in Nevada. Senate Bill 220 (SB-220) updates Nevada Revised Statutes 603A to provide consumers a new right to opt out of the sale of their data. Effective Oct. 1...