general practice area category

California Consumer Privacy Act (CCPA)

We have helped clients with state and federal privacy laws for years. And our exclusive focus on internet, e-commerce, and digital media legal matters is beneficial when tackling complicated privacy issues. Contact us to help get your company compliant with the California Consumer Privacy Act (the "CCPA") in advance of the January 1, 2020 deadline.

Ready to get started?

Submit your case online

Now is the Time to Get Compliant.

California passed what many describe as the most sweeping and comprehensive consumer privacy law in the county. The law is called the California Consumer Privacy Act (the "CCPA" for short), and it becomes effective January 1, 2020.

The law creates many new requirements for businesses worldwide that collect or maintain information about California consumers and involves new rights for consumers. The new consumer rights include a consumer’s right to know what categories of personal information are being collected, used, shared, and/or sold, the right to know what third parties the personal information is shared with or sold to, and the right to force a business to delete certain personal information about the consumer. This information must be provided in the company’s privacy policy, and further detail must be provided upon individual request by a consumer, with limited exceptions.

Consumer consent to the collection, sharing, and sale of their personal information is a key component of the CCPA. This is true whether the information is knowingly and voluntarily provided by the consumer (such as through a web form on registration) or whether it is collected through cookies and other technological means. Additional consent is required when the personal data is passed through a chain of third parties. Moreover, where the consumer’s information is sold, the CCPA requires express consent as well as a means of opting out of such sale, whether at the time the information is provided, or down the road. This is accomplished through the inclusion of a "Do Not Sell My Personal Information" web form, links to which are required to be included on the footer of the homepage of the website and in the privacy policy. Thus, in addition to an updated privacy policy, businesses are required to add consent and opt-out mechanisms to their site.

For many businesses, getting compliant with this law is time-consuming and labor-intensive, and for that reason businesses need to start on their compliance efforts now in order to make certain they are compliant by the deadline.

The first thing businesses must ask is whether the law even applies to them. The law states that it applies to businesses:

  • That have annual gross revenues over $25 million; or
  • That annually buy or receive the personal information of 50,000 or more California residents; or
  • That derive 50% or more of their annual revenue from selling consumers’ personal information, which includes renting, transferring, making available, or disclosing consumers’ personal information.

If the law applies to a business, the next step is to engage in so-called data-mapping or a data impact assessment, which is to identify every point at which a business collects or shares information about consumers and thereafter to break each of those data collection/sharing events down into categories. This information will be vital to drafting the key disclosures that will be placed in a revised privacy policy and a template response to consumers who request further detail, to be later customized based on the request. Also, as part of this data mapping process, businesses need to analyze all consumer data in their possession that they did not collect and for which they did not get consent from consumers.

Need Help Becoming CCPA Compliant?

We welcome you to submit your details using our online case submission form

Submit your case online


by giving us a call at


ext. 120 for new legal matters

Open Newsletter Signup Popup