20th Anniversary SAC Attorneys
Elite Lawyers
Lawyers of Distinction
Avvo Rating 10.0
Santa Clara County Bar Association
Association of American Trial Lawyers
Elite Lawyers Business James Cai 2017
Best Litigation Attorneys in San Jose
Expertise - Best Employment Lawyers in Santa Clara 2021
Expertise - Best Employment Lawyers in Santa Clara 2022

What Consumers and Businesses Must Know About CCPA: California’s New Data Privacy Law

Data tracking and selling has erupted into a large business for many companies but things may be taking a turn soon. The California Consumer Privacy Act (CCPA), the strictest data privacy law in the United States, will begin to be enforced July 1, 2020. As the only federal data privacy law, this is the first law in the U.S. to set up an extensive set of rules regarding consumer data. How this law becomes implemented and enforced has significant implications and may set the national standard towards data security and privacy.

Consumers’ Right to Data Privacy Under CCPA Regulations

The CCPA mandates all Californians to be able to find out what personal information a business is collecting about them and gives consumers the power to opt out of sale of their personal information.

The law will apply to the following companies that:

  1. Make at least $25 million in revenue
  2. Make at least half its money by selling data
  3. Gather information on at least 50,000 consumers

Companies can still collect data, such as information about consumer purchasing preferences, their locations, photos, emails. However, what has changed is that consumers now have the “right to know what information is collected” and the “right to opt out”. Companies must tell you what information they are collecting and delete it permanently upon request.

Companies can no longer legally sell your data if you refuse. However, if they do anyway, consumers cannot sue. This law reserves cause for lawsuits only for data breaches. If the company fails to implement reasonable security practices and consumers’ personal information is breached, consumers can sue those companies.

Companies that don’t fix violations within 30 days of being notified can be fined up to $2500 per violation or $7500 for each intentional violation. Some exceptions that allow companies to deny requests to delete data apply when the data collection is necessary to complete a financial transaction or to protect against fraud. Also, there are exemptions when the obligations imposed by the CCPA restrict the company’s ability to comply with other legislation, comply with an investigation and law enforcement, use information that is deidentified or use information outside of California’s jurisdiction.

Next Steps for Businesses to Comply with New Data Privacy Regulations

Review Privacy Notices. Notice for information collection, notice of the right to opt out of a sale of personal information and notice of financial incentives must be provided to consumers. The CCPA provides guidance on where notices should be posted and new obligations that were not described initially in January. Construct procedures to respond to consumer requests.

Review Processes for Verifying Consumer Requests. If businesses cannot verify the consumer, businesses are not obligated to provide information. The CCPA regulations include updated requirements for verification and steps to take for consumers who can’t be verified. The regulations also provide guidance on responding to requests made via an authorized agent.

Record and Track Consumer Requests. The regulations introduce new guidelines to publish records of consumer requests received and the response times. Companies should implement a process for tracking and maintaining this record for 24 months.

Review Security Standards and Service Provider Agreements. Since the only private right of action under the CCPA is a data breach due to the company’s failure to reasonably protect data, it is imperative to review security measures. The CCPA also clarifies required restrictions on a Service Provider’s use of personal information.

The CCPA could trigger a new age of stronger data privacy legislation so it is extremely important for businesses to stay ahead of the curve on data privacy laws by taking the necessary precautions.

If you would like to know more about the legal implications of this new data security law, you are welcome to contact SAC Attorney LLP. Our attorneys located in San Jose, California will provide you with individualized legal solutions for each business client in San Francisco Bay Area and beyond.

1. What does the CCPA do?

Companies must tell you what information they’re collecting when you ask and delete it all if requested. You can refuse to sell your data. Children under 16 need to explicitly be asked to opt in before companies sell their information.

2. What companies are affected under CCPA?

Companies that make at least $25 million in annual gross revenue, make at least half their annual revenue by selling data, or those that gather information on at least 50,000 consumers.

3. How is this law different from the GDPR?

The CCPA is the strictest data privacy law in the United States. A similar equivalent may be the European Union General Data Protection Regulation (GDPR). However, CCPA does not require companies to minimize their data collection and allows consumers to opt out of selling their data. It also includes family and household data.

4. Can I sue companies if I think they are violating my security rights?

Right now, only the California attorney general can file lawsuits and enforce the CCPA. Consumers will be able to file lawsuits if the cause is a data security breach due to negligent company security measures. Companies can still be fined for data violations.

5. What does “personal information” under the CCPA mean?

The CCPA broadly defines it as “information that identifies, relates to, describes, is capable of being associated with or could reasonably be linked, directly or indirectly, with a particular consumer or household.“ This includes information that could identify you, like your address, financial identifiers, to even your unique online identifiers like “cookies”.

6. What information isn’t covered?

Sensitive information like health data or your SSN is protected. Information that’s already public or information that doesn’t identify you isn’t. Some businesses are exempt by a few existing privacy laws, such as banks and doctor’s offices.

7. What does “selling data” mean?

“Sale” of personal information under the CCPA is defined by “selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means” the Personal Information of a Consumer to another business or third party “for monetary or other valuable consideration”. In other words, when one company pays for your personal information for their potential monetary gain.

8. For business owners, what details should be prepared to be disclosed?
  • New rights for consumers
  • Categories of personal information collected in the last 12 months and the business purpose for collecting data
  • Categories of third parties to whom you “sell”, “share”, or “disclose for a business purpose” personal information
  • Specific pieces of personal information regarding the consumer

Back to top

Client Reviews
Mr. Cai Is a Diligent Attorney. My sister and I were defendants in a civil litigation case. We hired James Cai and his law firm, SAC Attorneys LLP. Mr. Cai is a diligent attorney and responded to our questions in a timely fashion. He and his staff were very helpful in keeping us informed of the proceedings of the case and in explaining each step. Mr. Cai is also very conscientious of fees and costs, and avoided unnecessary charges. The results of the Summary Adjudication sided with us. The Court Trial resulted in the “Final Statement of Decision” and “Judgment after Court Trial” overwhelmingly siding with us. Cynthia F.
I Am Truly Impressed. After spending a significant amount of time, money and efforts with my previous counsel at a larger law firm without getting meaningful results, I transferred my employment matter to SAC Attorneys LLP. The attorneys there were able to understand the complex situations of my case and put together an aggressive litigation strategy. We were able to file a compelling complaint within a week and forced the opposing party, which was represented by one of the largest law firms in California, to make a substantial settlement offer shortly thereafter. I am truly impressed by the no nonsense and results oriented approach by SAC Attorneys LLP attorneys. A job well done! X. Gao
They Took Time to Understand Our Technology. I am the founder of a bioinformatics start-up in the Silicon Valley and chose SAC Attorneys LLP as our corporate counsels. Their attorneys have great experience with high tech start-ups and were able to offer a highly competitive service plan while not sacrificing a bit of their quality of services. They took time to understand our technology and provided value added services by introducing investors and job candidates to us. We regard our attorneys at SAC Attorneys LLP not only as our legal advisors but also our venture partners. Dr. Pete S.