Tannenbaum Helpern Syracuse & Hirschtritt, LLP

Data Privacy Alert: California Consumer Privacy Act of 2018 Just Enacted

After only a few days of legislative debate, Governor Jerry Brown of California signed a bill enacting the California Consumer Privacy Act of 2018 (the “CCPA”) on June 28, 2018. The CCPA is a comprehensive new data privacy law that will impact businesses around the world that obtain, use, store or otherwise process the “personal information” of California residents (including California residents who are temporarily located in other places).

The CCPA was enacted very quickly, to forestall a proposed November 2018 statewide ballot initiative that would have imposed even more restrictions on businesses. The CCPA represents a rough compromise between the government and the proponents of the ballot initiative. Shortly after Governor Brown signed the bill, the ballot initiative’s proponents agreed to withdraw that initiative.

The purpose of the CCPA is to give California residents “an effective way to control their personal information,” by ensuring the following rights:

  • The right to know what personal information is being collected about them.
  • The right to know whether their personal information is sold or disclosed and to whom.
  • The right to say “no” to the sale of personal information.
  • The right to access their personal information.
  • The right to the same service and the same price, even if they exercise their privacy rights.

The CCPA will become effective on January 1, 2020. Because the law was drafted so hastily in light of the pending proposed ballot initiative, many of its provisions are confusing, and may conflict with other California laws. Accordingly, one should not be surprised if the law is amended sometime before its effective date. Moreover, this law may be subject to future challenges in court.

As a general matter, the requirements under the new law are similar to those of the European Union’s General Data Protection Regulation (“GDPR”), which came into force on May 25, 2018. However, the CCPA as currently drafted is even more severe than the GDPR in many respects. Thus, even businesses that are currently GDPR-compliant will need to take additional steps by January 1, 2020 to become compliant with the CCPA. Unfortunately, businesses that are not GDPR-compliant, or that are not subject to the GDPR, will have even more work to do before 2020.

  1. Whose Personal Information is Protected Under the California Consumer Privacy Act?

The CCPA is designed to protect California residents, who are generally defined as:

  • Individuals who are in California for other than a temporary or transitory purpose, and
  • Individuals who are domiciled in California but who are physically outside the state for a temporary or transitory purpose. (This means that the CCPA will protect the personal information of California residents, even if they are not physically in California at the time the personal information is processed.)
  2. What Types of “Personal Information” Will Be Protected?

The CCPA defines the term “personal information” as “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” The term is defined very broadly and includes (but is not limited to):

  • The real name, alias, postal address, unique personal identifier, online identifier, Internet Protocol (IP) address, email address, account name, Social Security Number, driver’s license number, passport number, or other similar identifiers.
  • Characteristics of protected classifications under California or federal law.
  • Commercial information, including records of personal property, products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies.
  • Biometric information.
  • Internet or other electronic network activity information, including browsing history, search history, and information regarding a consumer’s interaction with a website, application, or advertisement.
  • Geolocation data.
  • Audio, electronic, visual, thermal, olfactory or similar information.
  • Professional or employment-related information.
  • Education information that is not publicly available.
  • Inferences drawn from any of the information identified above to create a profile about a consumer reflecting the consumer’s preferences, characteristics, psychological trends, preferences, predispositions, behavior, attitudes, intelligence, abilities and aptitudes.

Personal information does not include “publicly available information,” which is any information that is lawfully made available from government records. Notably, however, many types of information that one might expect to be considered “publicly available” are not within the scope of the term “publicly available” under the CCPA. For example, the CCPA specifies that information is not considered “publicly available” if it is used for a purpose that is not compatible with the purpose for which it is maintained and made available in the government records. Moreover, “publicly available” does not include consumer information that is de-identified or aggregate consumer information.

  3. What Types of Businesses Will Be Subject to This Law?

The CCPA applies to for-profit entities that do business in California (including any same-branded parent or subsidiary company) that meet any one of the following three criteria:

  • Has gross revenues of more than $25 million;
  • Receives or shares personal information for more than 50,000 consumers, households or devices; or
  • Receives more than 50 percent of its annual revenue from the sale of personal information.

A company that lacks a physical presence in California might not be subject to this law, so long as it is not doing “business in the State of California.” However, the concept of “doing business” in California is interpreted very broadly. Accordingly, businesses that may think they are not subject to this law may find that they indeed will be ensnared.

  4. What Rights and Obligations Does the CCPA Impose?

The CCPA provides the following rights to California residents and imposes obligations on businesses that process California residents’ personal information:

  • Up to two times in any 12-month period, California residents may request that businesses disclose the categories and specific pieces of personal information that they collect, the types of sources from which the businesses collect the personal information, the business purposes for collecting or selling the personal information, and the types of third parties with which the information is shared.
  • California residents will have the right to request deletion of personal information, with certain exceptions. Businesses will be required to delete such information upon receipt of a verified request, as specified.
  • California residents will have the right to request that a business that sells the consumer’s personal information, or discloses it for a business purpose, disclose the categories of information that it collects and the identity of third parties to which the information was sold or disclosed. Businesses will be required to provide this information in response to a verifiable consumer request.
  • California residents will have the ability to opt out of the sale of personal information by a business. Businesses must make available, in a form reasonably accessible to consumers, a clear and conspicuous link to the homepage, titled “Do Not Sell My Personal Information.” The business must wait at least 12 months before requesting to sell the personal information of any California resident who has opted out.
  • Businesses will be prohibited from discriminating against the consumer for exercising their right to opt out of the sale of their personal information. For example, businesses will not be able to charge the consumer who opts out a different price or provide the consumer a different quality of goods or services (except if the difference is reasonably related to the value provided by the consumer’s data).
  • Businesses will be prohibited from selling the personal information of a child, unless they obtain an “opt-in” from an appropriate party. Children between the ages of 13 and 16 can opt in for themselves. For children under the age of 13, businesses must obtain an opt-in from a parent or guardian. (Note that the online collection of data of children under the age of 13 remains subject to the federal Children’s Online Privacy Protection Act.)
  5. How Does the CCPA Differ From the GDPR?


  • Defines “personal information” more broadly than the term “personal data” is defined under the GDPR.
  • Requires the use of disclosures, communication channels and other measures that are not required under the GDPR.
  • Establishes broad rights for California residents to direct the deletion of their personal information (a.k.a., the “right to be forgotten”), with different exceptions than those available under GDPR.
  • Establishes broader rights to access personal information than the GDPR offers.
  • Requires businesses not to discriminate against a consumer because he or she exercised any rights under the law.
  • Imposes more rigid restrictions on data sharing for commercial purposes than the GDPR does.
  6. What Steps Should Businesses Consider Taking?

The CCPA may be revised before its January 1, 2020 effective date, and the law may still be challenged in court. Nevertheless, because eighteen months come and go quickly when there is much work to do, businesses should consider taking several actions in the near future to prepare for the CCPA. Such steps may include:

  • Determining and mapping where the business maintains the personal information of California residents, households and devices.
  • Establishing a mechanism for California residents to make requests as to their personal information, including a toll-free telephone number.
  • Implementing appropriate technological and organizational systems to comply with the law’s new requirements.
  • Updating privacy policies to explain California residents’ rights under the CCPA.
  • Implementing processes to obtain the appropriate affirmative consent with respect to sharing of children’s personal information.
  7. What Are the Potential Penalties For Non-Compliance?

Businesses may face penalties of up to $7,500 for each “intentional” violation of any provision of the CCPA. Additionally, businesses that suffer a data breach may be obligated to pay damages of not less than $100 to $750 per California resident and incident.

If you have any questions about this article, please contact Michael J. Riela at riela@thsh.com or your usual contact at Tannenbaum Helpern.
