California Consumer Privacy Act

"The California Consumer Privacy Act is California’s answer to the EU’s GDPR and, like the GDPR, establishes sweeping consumer rights and business obligations. Crowell & Moring’s full-service privacy and cybersecurity practice is well-positioned to help companies navigate this significant change to the U.S. privacy and cybersecurity regulatory environment and harmonize the CCPA’s requirements with other US and global standards."

— Paul Rosen

Does the CCPA apply to you?

The CCPA applies to any for-profit entity that does business in California, alone or jointly determines the purposes and means of the processing of consumers’ personal information, and meets one of the three thresholds:

  1. Earns more than $25 million in annual gross revenue,
  2. Annually buys, receives, sells or shares for commercial purposes the personal information of more than 50,000 consumers, households, or devices, OR
  3. Earns more than 50% of annual revenue from selling California residents’ personal information.

What the CCPA Means For You

On January 1, 2020, the California Consumer Privacy Act (CCPA) took effect. Enforcement of the law by the California Attorney General will not begin until July 1, 2020, with violators subject to penalties of up to $2,500 for negligent violations and up to $7,500 for malicious or intentional malfeasance, per violation. Businesses, however, are already obligated to comply with the CCPA’s requirements. Moreover, the law creates a private right of action for consumers whose “nonencrypted or nonredacted personal information… is subject to an unauthorized access and exfiltration, theft, or disclosure as a result of the business’s violation of the duty to implement and maintain reasonable security procedures and practices.” Penalties under the civil cause of action are not less than $100 and not greater than $750 per consumer per incident, or actual damages, whichever is greater. This private right of action is already effective.

The CCPA is a first-of-its-kind law in the United States, imposing substantial obligations on for-profit businesses that meet its broad jurisdictional criteria while also creating a number of affirmative rights for covered consumers.

The CCPA provides consumers, broadly defined as “natural person[s] who [are] California resident[s],” affirmative rights that have never previously been available to U.S. residents. Under the CCPA, consumers can request access to and deletion of their information when it is processed by covered businesses. They also retain the right to be informed when information is being collected about them and to opt out of the sale of the information by a covered business to a third party. Businesses that have never devoted serious time to privacy compliance will need to create robust compliance programs with built-in mechanisms for receiving and processing these requests. Businesses with existing privacy regimes will need to adjust their practices to comply with the CCPA’s requirements.

Our CCPA Services

Scope: Analyze company operations and determine CCPA applicability.

Training: Lead workshops, seminars, and table top simulations to increase awareness and prepare organizations for CCPA obligations.

Issue Management: Interface with regulators, consumers, and internal stakeholders to provide on-the-ground support for life cycle issues.

Gap Analysis: Map current data flows, review current practices, policies, third-party agreements, and identify potential gaps.

Litigation: Defend class action litigation.

Risk Mitigation: Identify areas of greatest concern, design risk-minimization frameworks, and craft a unique strategy.

Program Integration: Work with existing privacy programs to meet CCPA requirements while efficiently utilizing previous investments.

Regulatory Engagement: Engage California regulators to ensure compliance and address incidents.

Building a Strong Compliance Program for the Future: Working hand-in-hand with our clients, we build strong, enduring and practical compliance programs to meet today’s challenges and prepare for tomorrow’s. Some of the benefits of our program include:

  • Enhancing cybersecurity and reducing risk of a cyber or privacy incident.
  • Minimizing legal and reputational risk associated with CCPA enforcement, including potential fines and private litigation.
  • Building trust with consumers (and employees) and thereby enhancing the business’s brand.
  • Tailoring Incident Response Plans to the CCPA’s requirements.
  • Helping companies better understand how the data entrusted to them is being collected, stored, transferred, and used, along with the corporate policies associated with this data.
  • Creating a strong organizational culture better prepared for tomorrow’s privacy compliance regimes.

Team Members

Our team is composed of privacy experts, many of whom are former high-ranking government officials, with deep experience assisting companies in complying with global data protection laws and defending clients against regulatory investigations and class action lawsuits. Our team members include:

Representative Matters

  • Advised major U.S. government prime contractors regarding CCPA and general privacy practices, cybersecurity, privacy and incident response.
  • Advised a major global technology services provider regarding CCPA governance, policies and procedures regarding cybersecurity, privacy and incident response.
  • Assisted major regional health insurance provider with CCPA scope analysis and compliance.
  • Assisted major industrial manufacturers in preparing for the implementation of the California Consumer Privacy Act (CCPA).
  • Assisted large California-based national personal health provider network with CCPA compliance efforts.
  • Advised major international clothing retailer on CCPA compliance for multiple owned brands.