In January 2020, law firms and their clients doing business with Californians will need to ensure they are complying with the state’s new consumer privacy protection law. While enforcement does not begin until mid-year, firms should determine whether they or their clients are regulated under the new law, identify any necessary compliance measures they are lacking and begin their implementation now.


What is the CCPA?

The California Consumer Privacy Act of 2018 (CCPA) broadly provides California citizens the rights to know what personal information a business has collected, sold or disclosed about them; to learn to whom their information was given; to access their information and to opt-out of its sale.


Business failing to comply with the law’s provisions face financial penalties that start small but quickly add up.


Specifically, the CCPA requires that businesses provide consumers the rights to:


  • Disclosure: Businesses that collect personal information must disclose to requesting consumers free-of-charge within 45 days:
    • The categories of personal information it collected,
    • The categories of sources from which the information was collected,
    • The business or commercial purpose for the collection or sale of such data,
    • The categories of third parties with whom the business shares personal information,
    • The specific pieces of personal information it has collected about that consumer.
  • Opt-out: They must also allow consumers to stop the further sharing of their information upon request.
  • Access: Compliant businesses will inform consumers before or upon the collection of information and provide access to that information to consumers upon request.
  • Deletion: Businesses must delete and direct their service providers to delete personal information upon request from consumers.
  • Nondiscrimination: A business cannot discriminate against a consumer because they exercised any of their rights to data privacy.


Does the CCPA Apply to Me?

The CCPA applies to businesses engaged in collecting, processing, sharing or selling Californians’ data if:

  • They gross over $25 million in revenue annually; or
  • They (solely or in combination with others) deal with the personal information of 50,000 or more consumers, households, or devices; or
  • They make over 50 percent of their revenue from the trading of consumer data.


Many small- to medium-sized businesses will be exempt from the CCPA because they don’t trade in consumer data as a main course of business and don’t meet the minimum revenue threshold. Nonetheless, it is important that business owners consult with their legal professionals to discuss possible areas in which compliance with these new regulations may be necessary.


What Do I Need to Do?

Next week, we’ll look at what the CCPA requires subject businesses to do, such as posting notices on their Web sites.


In the meantime, be sure to review the California Attorney General’s site for more information on the law’s implementation. You can also sign up to receive email updates on the law on the Attorney General’s site.