U.S. Consumer Privacy, the CCPA and the CPRA

Overview

The California Consumer Privacy Act (CCPA) went into effect on January 1, 2020, bringing an unprecedented change to the U.S. data protection law landscape. Businesses that are not fully compliant with the CCPA’s sweeping restrictions on the handling of consumers’ personal information can face severe financial penalties. The CCPA is the first of what is likely to be a coming wave of consumer data privacy regulations at the state and even federal level, much as the General Data Protection Regulation (GDPR) is changing how business is done in the EU. On November 3, 2020, California voters passed a ballot measure – the California Privacy Rights Act (CPRA) – which increases consumer privacy rights and the limitations on and obligations of businesses.

Our privacy governance attorneys are deeply familiar with the implications of the CCPA/CPRA and other legislative proposals and we provide clients with customized, practical advice regarding:

  • Compliance readiness assessment
  • Compliance program development and implementation
  • Inventorying data and mapping data flows
  • Privacy and data security assessments
  • Risk management
  • Tracking legislative and regulatory developments
  • Vendor contract drafting and review
  • Identifying, engaging and managing IT consultants and solutions

The California Attorney General’s authority to commence enforcement actions for non-compliance began July 1, 2020, and dozens of investigations were immediately opened. On August 14, 2020, the long-awaited regulations supplementing the CCPA became final and immediately effective. Rulemaking is ongoing and as a result of the passage of the CPRA, California will be creating a dedicated data protection authority, which will take over rulemaking as early as July 2021 and will share enforcement authority with the Attorney General.

We provide guidance on the CCPA/CPRA and other privacy compliance issues for companies across industries, including:

  • Advertising, marketing and digital media
  • Financial services/wealth management
  • Healthcare
  • Hospitality
  • Human resource services and employee benefit providers
  • Manufacturing
  • Professional services organizations
  • Real estate
  • Retail
  • Software and Software-as-a-Service providers
  • Technology

We have developed thousands of privacy notices, policies and compliance programs pursuant to various U.S. laws and self-regulatory programs. Our team has advised more than 200 clients on their potential compliance obligations under the GDPR, including through the development and implementation of internal programs and policies. We leverage this experience to assist clients as they work through the complexities of complying with the CCPA/CPRA and other legislation, and have helped hundreds of clients develop, implement and operate CCPA-compliant consumer privacy programs. Combining our strength in privacy and advertising law, we help publishers, advertisers and ad tech companies address complex issues regarding the impact of CCPA/CPRA on digital advertising, and work with the leading trade associations in this regard.

The CCPA/CPRA and other proposed state and federal legislation are similar in certain ways to the GDPR, but each has differing provisions that will require even businesses that are already GDPR-compliant to undertake new data privacy efforts. We counsel clients not only on the current state of the law, but also how to develop information governance that allows them to be prepared to address changes in the law and industry self-regulation.

What You Need to Know about the CCPA/CPRA

CCPA/CPRA’s protections apply to all California residents, regardless of their relationship with an organization (e.g., employees, customers, business leads) or whether their personal information is collected online or offline, although through the end of calendar year 2022 not all aspects of the CCPA will apply to certain human resources and business-to-business communications data. Companies that handle personal information – any information that identifies a consumer or household – of as few as 50,000 devices, individuals or households annually may be subject to the Act (although when CPRA is in full effect this will become 100,000, and devices alone will not be used to calculate if the threshold is met). Businesses with revenues of $25 million or more may have compliance obligations no matter how much personal information they collect from Californians.

The CCPA provides California residents with a right to be informed of the categories of personal information that a business collects or otherwise receives, sells or discloses about them; the sources of that data; the purposes for these activities; and the categories of parties to which their personal information is disclosed. The CPRA adds a right of correction as well as control over sharing of personal information for cross-context behavioral advertising, use of sensitive personal information, and profiling and automated decision making. The CPRA also adds data retention limitations and more restrictive data use limitations, essentially adopting GDPR Article 13 and 30 concepts. This will necessitate even more robust data inventories and information governance practices.

The CCPA also grants California residents the right to request detailed information about the personal information a business holds specifically about them, and the right to obtain portable copies of their personal information from the business. The CCPA gives Californians the right to prohibit a business from selling their personal information (and has a very broad definition of “sale”), and the right to request that a business delete their personal information, subject to certain retention purposes. The CPRA expands these rights and adds additional opt-outs of sharing of personal information for certain advertising purposes, certain uses and disclosures of sensitive information and, likely once new regulations are promulgated, certain types of profiling and automated decision making.

Violations of the CCPA are enforceable by the California Attorney General, who may bring actions for civil penalties of $2,500 per violation, or up to $7,500 per intentional violation, and as of July 1, 2023, California’s new data protection authority will share enforcement jurisdiction with the Attorney General. Notably, the CCPA includes a private right of action with the potential for statutory damages, though as currently drafted this remedy is most likely intended to be limited to certain types of data security incidents. While the private right of action is subject to an opportunity to cure, the CPRA clarifies that a post-breach remediation is not a cure that can preclude the cause of action. The CPRA further will end the opportunity to cure privacy non-compliance and avoid enforcement actions and penalties.

In The Blogs

Data Counsel
New York Legislature Introduces CCPA Clone with Private Right of Action
By Kyle R. Fath, Melinda L. McLellan
January 8, 2021
The 2021-22 New York State legislative session started off with a bang, featuring nearly a dozen consumer privacy bills introduced in the House and Senate on the opening day. A number of the proposals, including the New York Privacy Act...
Data Counsel
Privacy and Product Counseling: 2020 in Review
By Carolina A. Alonso, Orga Cadet, Kyle R. Fath, Gerald J. Ferguson, Alan L. Friel, Barbara D. Linney, Melinda L. McLellan, Veronica Reynolds, Nichole L. Sterling, Patrick R. Waldrop
December 17, 2020
Advising our clients on compliance with laws and regulations is, hands down, the most important aspect of our role as attorneys. In addition to seeking counsel on their obligations under laws and regulations, however – motivated by...
AD-ttorneys Law Blog
California Ballot Referendum on CCPA Will Have Significant Effects on AdTech
By Kyle R. Fath, Alan L. Friel
November 18, 2020
On Election Day, California voters approved a ballot measure, Proposition 24, known as the California Privacy Rights Act of 2020 (CPRA). Referred to by some as CCPA 2.0, the CPRA amends certain provisions of the paradigm shifting 2018...
Data Counsel
California Voters Approve Reworking of Landmark Consumer Privacy Law – What CCPA 2.0 Will Mean for Businesses and Consumers
By Kyle R. Fath, Alan L. Friel
November 4, 2020
The nation awoke the morning after Election Day 2020 with much still unresolved. However, what seemed clear was that California voters almost certainly approved a ballot measure, Proposition 24, known as the California Privacy Rights Act...
Data Counsel
California OAG Proposes New CCPA Regs Two Weeks Before Voters Decide on the Fate of CCPA 2.0
By Alan L. Friel, Shea M. Leitch, Andrew M. Serrao, Patrick R. Waldrop
October 20, 2020
On Monday, Oct. 12, the California Office of the Attorney General (the Attorney General or OAG) released a third set of proposed modifications to the California Consumer Privacy Act (CCPA) regulations (the Regulations). The full text can...