U.S. Consumer Privacy and the CCPA

Overview

The California Consumer Privacy Act (CCPA) went into effect on January 1, 2020, bringing an unprecedented change to the U.S. data protection law landscape. Businesses that are not fully compliant with the CCPA’s sweeping restrictions on the handling of consumers’ personal information can face severe financial penalties. The CCPA is the first of what is likely to be a coming wave of consumer data privacy regulations at the state and even federal level, much as the General Data Protection Regulation (GDPR) is changing how business is done in the EU.

Our privacy governance attorneys are deeply familiar with the implications of the CCPA and other legislative proposals and we provide clients with customized, practical advice regarding:

  • Compliance readiness assessment
  • Compliance program development and implementation
  • Inventorying data and mapping data flows
  • Privacy and data security assessments
  • Risk management
  • Tracking legislative and regulatory developments
  • Vendor contract drafting and review
  • Identifying, engaging and managing IT consultants and solutions

The California Attorney General’s authority to commence enforcement actions for non-compliance began July 1, 2020, and dozens of investigations were immediately opened. On August 14, 2020, the long-awaited regulations supplementing the CCPA became final and immediately effective.

We provide guidance on the CCPA and other privacy compliance issues for companies across industries, including:

  • Advertising, marketing and digital media
  • Financial services/wealth management
  • Healthcare
  • Hospitality
  • Human resource services and employee benefit providers
  • Manufacturing
  • Professional services organizations
  • Real estate
  • Retail
  • Software and Software-as-a-Service providers
  • Technology

We have developed thousands of privacy notices, policies and compliance programs pursuant to various U.S. laws and self-regulatory programs. Our team has counseled more than 200 clients on GDPR compliance, including through the development and implementation of internal programs and policies. We leverage this experience to assist clients as they work through the complexities of complying with the CCPA and other legislation.

The CCPA and other proposed state and federal legislation are similar in certain ways to the GDPR, but each has differing provisions that will require even businesses that are already GDPR-compliant to undertake new data privacy efforts. The CCPA is up for a complete overhaul through a voter initiative on the November 3, 2020 ballot that proposes to add new consumer rights and corresponding obligations on businesses.

What You Need to Know about the CCPA
  • The CCPA’s protections apply to all California residents, regardless of their relationship with an organization (e.g., employees, customers, business leads) or whether their personal information is collected online or offline, though for calendar year 2020 not all aspects of the CCPA will apply to certain human resources and business-to-business communications data. Companies that handle personal information – any information that identifies a consumer or household – of as few as 50,000 devices, individuals or households annually may be subject to the Act. Businesses with revenues of $25 million or more may have compliance obligations no matter how much personal information they collect from Californians.
  • The CCPA provides California residents with a right to be informed of the categories of personal information that a business collects or otherwise receives, sells or discloses about them; the sources of that data; the purposes for these activities; and the categories of parties to which their personal information is disclosed. The Act also grants California residents the right to request detailed information about the personal information a business holds specifically about them, and the right to obtain portable copies of their personal information from the business. The CCPA, which has a very broad definition of “sale,” gives Californians the right to prohibit a business from selling their personal information and the right to request that a business delete their personal information, subject to certain retention purposes.
  • Violations of the CCPA are enforceable by the California Attorney General, who may bring actions for civil penalties of $2,500 per violation, or up to $7,500 per intentional violation.
  • Notably, the CCPA includes a private right of action with the potential for statutory damages, though as currently drafted this remedy is most likely intended to be limited to certain types of data security incidents.


In The Blogs

Data Counsel

California OAG Proposes New CCPA Regs Two Weeks Before Voters Decide on the Fate of CCPA 2.0
By Alan L. Friel, Shea M. Leitch, Andrew M. Serrao
October 20, 2020
On Monday, Oct. 12, the California Office of the Attorney General (the Attorney General or OAG) released a third set of proposed modifications to the California Consumer Privacy Act (CCPA) regulations (the Regulations). The full text can...

Jeewon Kim Serrato Co-Authors Article about Pricing, Value of Consumer Data and CCPA's Non-Discrimination Requirement
By Jeewon K. Serrato
October 19, 2020
Partner Jeewon Kim Serrato co-authored an article published in the California Lawyer Association’s Fall 2020 issue of the “Competition Journal” of the Antitrust, UCL and Privacy Section. The article, “Privacy, Pricing, and the Value of...

Employee Training and Record-Keeping Requirements in the Final CCPA Regulations and a Preview of New Retention Requirements in the CPRA
By James A. Sherer, Nichole L. Sterling
September 15, 2020
The California Consumer Privacy Act (CCPA) does not in itself outline specific employee training or record-keeping requirements that demonstrate business compliance with the law. However, the California attorney general’s final CCPA...

Return to Work: What Employers Should Know About AB 1281, CCPA Notice Requirements and Recent Labor Law Guidance
By Alan L. Friel, Jeewon K. Serrato, Catrina W. Wang
September 8, 2020
While most privacy news and alerts have been focused on the collection and processing of customer data (see our earlier posts about interest-based advertising and the House Judiciary Committee’s Antitrust Hearing with Big Tech, for...

IAB Launches CCPA Benchmark Survey
By Taylor A. Bloom, Kyle R. Fath, Gerald J. Ferguson, Alan L. Friel, Linda A. Goldstein
August 27, 2020
The Interactive Advertising Bureau (IAB), a leading advertising industry organization, has launched a CCPA Benchmark Survey to assess how companies across the digital advertising ecosystem are approaching CCPA compliance. The survey...