The California Consumer Privacy Act of 2018 (CCPA) is a sweeping new law that introduces a host of privacy rights for California consumers and creates robust obligations for many businesses that collect personal information about California consumers.

WEBINAR: CCPA Litigation Outlook and Defense

The California Consumer Privacy Act (CCPA) becomes effective on January 1, 2020. As the compliance deadline rapidly approaches, the first wave of class actions referencing the CCPA have been filed.

Learn More

Blockchain image

Are you Ready for the CCPA?

Perkins Coie’s Privacy & Data Security practice hosted CCPA Week, which included a series of webinars focused on getting your business ready to comply with this complex statutory scheme.


CCPA Services - How Perkins Coie Can Help

Perkins Coie’s Privacy & Security practice attorneys have deep experience helping clients comply with privacy laws around the world and are positioned to help businesses understand the implications of the CCPA. We help our clients take stock of their current data practices, including assisting with the creation of data maps or data inventory systems to identify the personal information their businesses collect and how such information is used, stored, shared, secured, retained and destroyed. We also provide guidance on required updates to data management practices to clients that already employ an information governance strategy. We work with clients to minimize risk and also defend clients in privacy-related enforcement actions and private litigation.

Our attorneys counsel clients on all aspects of CCPA compliance, including privacy policy updates, user interface adjustments, possible amendments to vendor contracts, as well as possible amendments or interpretation of the CCPA. Our team also advises companies that have already adjusted their business practices—such as customer service, vendor management and information technology infrastructure—to comply with the General Data Protection Regulation (GDPR) or other privacy laws on ways in which they can use similar practices to minimize the burden of complying with the CCPA.


What Entities Are Subject To The CCPA?

The CCPA applies to any for-profit entity that does business in California, collects personal information about California consumers and meets at least one of the following threshold criteria:

  • Earns annual gross revenue above $25 million,
  • Annually buys, sells or, for commercial purposes, receives or shares personal information of at least 50,000 California consumers, households or devices, or
  • Derives at least 50% of its annual revenue from selling California consumers’ personal information.

In addition, if a business is subject to the CCPA, its subsidiaries and affiliates may also be covered if they share common branding, including a shared name, service mark or trademark. 

Although portions of the CCPA will go into effect January 2020, the California attorney general is not permitted to enforce the CCPA until July 1, 2020, or six months after the attorney general issues regulations to implement the law, whichever is sooner. We also expect additional legislative changes and regulatory interpretation related to the CCPA prior to 2020. Companies should consider whether the CCPA applies to them, and, if so, start thinking about how to comply with the law’s mandates.

Who has Rights Under the CCPA?

The CCPA applies to “consumers,” which is broadly defined as any natural person who is a California resident. Although the law appears to be focused on protecting individuals in the consumer context, this definition is arguably broad enough to include employees as well.

The CCPA requires greater transparency in data practices and give consumers more control over their personal information. Under the law, “personal information” means any “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” It includes obvious identifiers, such as names, addresses and email addresses, but it also covers categories of information not typically considered to be personal information in the United States, such as web browsing information and inferences drawn from other information to create a consumer profile.

What Rights Does The CCPA Provide?

The CCPA expands upon rights afforded under existing California legislation—including the California Online Privacy Protection Act, the Privacy Rights for California Minors in the Digital World Act (often referred to as SB 568) and the Shine the Light law—and creates some new rights for California consumers. These rights generally fall into the following categories:

  • Transparency. Several provisions of the CCPA address consumers’ rights to know about a company’s data collection practices, such as the categories of personal information collected, the sources from which personal information is collected, the business or commercial purpose of such collection and categories of third parties with whom personal information is shared. Additionally, consumers have a right to know whether and to whom their personal information was sold or disclosed for a business purpose. Some of this information must be provided through notices, such as in privacy policy disclosures, whereas other disclosures must be made in response to verifiable consumer requests.
  • Access. Consumers have a right to access information about the personal information a business collects about them, including a right to the specific pieces of personal information collected. Upon receipt of a verifiable consumer request, a company must provide the requesting consumer with access to the specific pieces of information collected about that consumer over the prior 12 months, sometimes in a portable format.
  • Choices Related to Sale of Personal Information. In addition to requiring businesses to make disclosures about the sale of personal information, the CCPA gives consumers more control over this business activity. Like other aspects of the law, “sale” is defined broadly to include “renting, releasing, disclosing or otherwise communicating a consumer’s personal information to a third party for monetary or other valuable consideration.” Some data sharing is exempt from the definition of sale, including certain information sharing with service providers. Generally, businesses that sell personal information to other businesses or third parties must permit consumers to opt-out of such sales. Note, however, that explicit opt-in consent to the sale of personal information is required if such information relates to consumers under the age of 16. Finally, companies that sell personal information must also include a clear link on their websites’ homepage (or platform or download page for mobile apps) and in their privacy policies labeled “Do Not Sell My Personal Information” that enables consumers to exercise their opt-out rights.
  • Deletion. Consumers have the right to request deletion of their personal information. Upon receipt of a verifiable request, a company must delete personal information held about a consumer unless an exception applies, such as the need to retain the information to complete a transaction, comply with a legal obligation, exercise free speech or enable internal uses that are aligned with consumer expectations, among others.
  • Non-Discrimination. Consumers also enjoy a general right to equal service and price, meaning that companies generally cannot discriminate against those who have exercised their privacy rights, subject to some exceptions. The law specifically prohibits denying good or services, charging different prices, or providing different levels or quality of products or services to consumers who exercise their rights under the law, although certain exceptions may apply. At the same time, the CCPA also permits businesses to offer financial incentives in exchange for the collection or sale of personal information.

What Obligations Does The CCPA Impose On Businesses?

To comply with the CCPA, businesses will need to consider implementing processes and procedures to authenticate and respond to verifiable consumer requests. A business must offer at least two methods through which consumers can make requests to exercise their rights, including at a minimum, a toll-free phone number, and if the business maintains a website, a web address. In addition, companies must update disclosures in their privacy policies at least annually. Any employees or contractors that handle consumer inquiries related to the company’s privacy practices must receive training, so they are familiar with consumer rights available under the CCPA and how consumers can exercise them. The CCPA also sets forth certain provisions businesses should include in their contracts with service providers.

Who Can Enforce the CCPA and What Are the Penalties for Claimed Violations?

The California attorney general has broad enforcement authority under the CCPA. The attorney general may initiate civil actions against companies that fail to cure violations under the CCPA, with penalties reaching $2,500 per violation or up to $7,500 per intentional violation. The CCPA also contains a limited private right of action for uncured breaches of unencrypted data that are reportable under California’s breach notification law. If such breaches occur as a result of a company’s failure to implement reasonable security standards, individuals may each seek to recover the greater of actual damages or statutory damages up to $750 per violation (or such damages may be sought in a class action).

Industry Reputation

  • Ranked nationally (2003-2019) and globally (2018 and 2019) in Privacy and Data Security Law by Chambers USA
  • Ranked Tier 1 nationally for both Information Technology Law and Technology Law by U.S. News—Best Lawyers®, 2019
  • Ranked in the Top 10 Best Law Firms for “Privacy and Data Security” by Vault, 2018 and 2019
  • Ranked Tier 2 nationally for Regulatory Enforcement Litigation (Telecom) by U.S. News—Best Lawyers®, 2019
  • Named as one of the top law firm “Litigation Powerhouses” by Law360, 2016
  • Named a “Leader” among tech-savvy law firms based on corporate counsel feedback to BTI Brand Elite, 2016
  • Named “Law Firm of the Year” for Technology Law by U.S. News—Best Lawyers®, 2015