
The CCPA is Coming. Are You Ready?

Sarah Brown 12 / 03 / 19

During a recent CLE presented by Natalya Northrip, Global Chief Privacy Officer at Arthur J. Gallagher & Co.; David Shonka, Partner at Redgrave LLP; Alex Pilmer, Partner at Kirkland & Ellis LLP; and Erin Plante, Director of Strategy & Consulting at Inventus, we learned a lot about the pending California Consumer Privacy Act – from what it covers (and what it doesn’t), who is subject to its regulations, what the consequences for noncompliance may entail, and some of the steps we should be taking to prepare. Read on below for some of our key takeaways.

 Set to go into effect next month, the California Consumer Privacy Act (CCPA) will grant Californians the right to see what data a company holds on them. It has many similarities to the 2018 European General Data Protection Regulation (GDPR), which lets Europeans access and delete their data in many circumstances.

 Even though the law is a California one, it affects every significant business that may hold the personal data of California residents – essentially extending to any medium to large-size company that has, does, or ever will do business in or sell products or services to citizens of California.



What Exactly Is the California Consumer Privacy Act?

Put simply, the Act will provide all California residents with the right to:

  1. Know what personal data is being collected about them.
  2. Know whether their personal data is sold or disclosed, the purposes of such disclosures and the types of businesses to which that data is disclosed.
  3. Say no to the sale of their personal data.
  4. Access their personal data.
  5. Request a business to delete any personal information held about them.
  6. Not be discriminated against for exercising their privacy rights.

Who is Affected by the CCPA?

All California residents will be affected by the CCPA. The regulation opens up a world of transparency for consumers who for years have had their personal data used for various purposes with very little insight into what exactly is known about them and by whom; where their data has gone; how it’s been used; how long it’s been stored; or the security practices applied to it.

But it’s primarily businesses who will be tasked with updating their processes to comply with this new regulation. How do you know if your organization will be affected? The CCPA sets out some very clear guidelines:

The CCPA applies to any for-profit entity that does business in California, and satisfies at least one of the following thresholds:

  • Has annual gross revenues of more than $25 million
  • Buys, sells, shares, or receives for commercial purposes the personal information of 50,000 or more consumers, households, or devices
  • Earns more than half of its annual revenue from selling consumers' personal information


CCPA Violations Can Be Expensive

Organizations that fail to comply with the CCPA can face potentially stiff fines in two specific categories:


Private rights of action

In the event of a data breach involving nonencrypted, nonredacted personal information, California residents are entitled to private rights of action.

In those cases, each injured consumer may get statutory damages ranging between $110 and $750 per incident – or actual damages, whichever is greater.

No notice is required for consumers who file suits for statutory or actual damages – presumably because the harms of a data breach of personal information cannot be remedied on mere notice.


Attorney General action

Conversely, the Attorney General can bring actions seeking between $2500 and $7500 per violation of the Act or the AG's regulations. 

In this case, organizations found in violation of the Act or regulations will receive 30 days' notice and an opportunity to cure. If they do not remedy the violation, they will be subject to AG action. (See 1798.150(a),(b))

While at first glance these fines may appear low, keep in mind they are per violation, per consumer. Privacy or data breach incidents often affect thousands or tens of thousands of consumers – which means these fines could reach well into the hundreds of thousands or millions of dollars.


What the CCPA Means for You: Specific Actions

Organizations can get ahead of the new regulations by taking a proactive look at their data collection policies and privacy policies and evaluating and updating current compliance procedures. At a minimum, evaluate:

  • Risk Management: Begin identifying risks in your data policies and procedures and, where necessary, create new and/or updated risk management policies.
  • Privacy Policy and Data Collection: Organizations should rethink their communication methods and privacy policy. They must ensure that every consumer is aware of their data collection policy and that consent has been given in order to rightfully store the personal information collected.
  • Necessary Data: In order to minimize their risks, organizations should only keep data that is necessary to provide whatever service or product they are in the business of delivering.
  • Data Tracking System: Because consumers will have the right to request data collected within the past twelve months starting on January 1, 2020, organizations should have a data tracking – and secure data storing – system in place as soon as possible.

The CCPA represents a new level of privacy requirements as it relates to personal data within the United States. All organizations subject to this statute must put processes in place to ensure compliance and the ability to respond in a timely manner to any and all consumer requests for data deletion or data collection opt-out.


About the author

Sarah Brown

Sarah Brown is a legal technology thought leader with more than a decade of experience in the eDiscovery and information management fields. At Legility, her primary focus is on driving awareness for the company’s innovative services and solutions. Prior to Legility, Brown spent eight years as head of marketing communications at Epiq, where she led global marketing communications and built thought leadership, PR, and analyst relations programs. Prior to Epiq, she led marketing communications at Exterro, an eDiscovery software company, where she founded and led their content-driven marketing organization. She has a journalism background and holds a master’s degree in strategic communications from Columbia University and a bachelor’s degree in journalism.
