Skip to main content

California Consumer Privacy Act (CCPA)

California is the newest “privacy battleground” and the CCPA will apply to a wide scope of business and an even wider scope of personal information. Since February, Mintz has run a webinar series focused on the CCPA and our team is working on assessments of collection and use of personal information and CCPA exposure to help clients start planning now for the January 1, 2020 effective date.

Click to View the Statute (as amended on October 11, 2019)


CCPA Webinar Recordings

California Consumer Privacy Act: Overview (2/6/2019)

This webinar, the first in our California Consumer Privacy Act Series, provides an overview of the act including who it applies to, the types of data covered, and the new rights granted by the act such as data access, deletion, and portability. Actionable, business-focused advice is provided regarding preparing data inventories and process flows to support these new rights, as well as business model considerations in light of the act’s guidance on data monetization and the sanctions and remedies that companies may face. Click to View Recording

California Consumer Privacy Act: Is the CCPA really “GDPR-Lite”? (3/27/2019)

In May of 2018, the EU’s General Data Protection Regulation (GDPR) took effect. Not to be outdone, California passed its own sweeping data protection legislation in August of 2018 — the California Consumer Privacy Act of 2018 (CCPA). In this webinar, Sue Foster and Cynthia Larose discuss the key similarities and differences between the GDPR and the CCPA, as well as practical steps your company can take to assess gaps and map out your path to compliance. Click to View Recording

California Consumer Privacy Act: Health Care and Life Sciences (4/10/2019)

The CCPA includes an exemption for personal health information collected by HIPAA-covered entities. But, health care organizations and life sciences companies still have obligations under CCPA and are not completely “home free.” In this webinar, Dianne Bourque and Cynthia Larose discuss the requirements of the CCPA for health care organizations – both HIPAA-covered entities and business associates – and life sciences companies, and discuss the scope of the HIPAA, Confidentiality of Medical Information Act, and clinical research exemptions. Click to View Recording

California Consumer Privacy Act: Sea Change for Retailers and the Hospitality Industry? (6/26/2019)

With the January 1, 2020 deadline for compliance with the California Consumer Privacy Act fast approaching, companies that serve California residents want to know how the act will affect their businesses. The retail and hospitality industries depend on knowing and understanding consumers to both attract and retain them. In this webinar, Cynthia Larose and Brian Lam focus on how to retool common process flows to become compliant with the act while maintaining user experience, provide a checklist on best practices for complying with the new regulations, and discuss current developments with amendments to the act. Click to View Recording

California Consumer Privacy Act: Enforcement and That Private Right of Action (7/31/2019)

With the California Consumer Privacy Act (CCPA) set to take effect on January 1, 2020, many businesses dealing with California consumers and their information are under immediate pressure to comply. Despite the deadline, the CCPA remains a work in progress. From ways to institute compliance practices in such a short amount of time, to strategies for avoiding the incoming flood of litigation, many unanswered questions remain. This session will focus on: the latest CCPA legislative updates, tips for anticipating and avoiding CCPA class actions, the CCPA's private right of action, strategically responding to CCPA request, and a checklist on best practices for complying with the new regulations and how to avoid pitfalls. Click to View Recording

California Consumer Privacy Act for Employers: Now What? (10/22/2019)

We are continuing our webinar series on the impact of the California Consumer Privacy Act (CCPA) now that amendments have been passed and are awaiting signature by the governor. One of the amendments, AB 25, narrows the definition of “consumer” to exclude employees (at least until January 2021) but still imposes certain obligations on employers. Jennifer Rubin, a Member in the firm’s Employment, Labor & Benefits Practice, will review the CCPA’s implications for employers who have California operations and provide practical suggestions as to next steps. Click to View Recording


EU General Data Protection Regulation (GDPR) Webinar Series

Click to View Recordings


CCPA Blog Posts

CCPA QOTD: Isn’t every vendor a “service provider” under the CCPA? (12/23/2019)

The short answer is “no”.  The CCPA has a specific definition for “service provider” at Section 1798.140(v) – see our annotated version of the CCPA here – and it also requires a vendor to be bound by a written contract that prohibits it from:

  • Retaining the personal information for “any purpose other than for the specific purpose of performing the services specified in the contract … or as otherwise permitted by this title”
  • Using the personal information “for any purpose other than for the specific purpose of performing the services specified in the contract … or as otherwise permitted by this title”
  • Disclosing the personal information “for any purpose …”  you get the drift.   See Section 1798.140(v)

CCPA QOTD: What are the employee/applicant and “business to business” exemptions? (12/19/2019)

Because the term “consumer” is so broad in the CCPA (remember:  it’s any California resident), it would have applied to employee and job applicant data and all business contact information across the board.  After much negotiation, the legislature enacted (and the Governor signed) two amendments dealing with this information.  Until January 1, 2021, the CCPA will not apply to information collected about employees or job applicants, or in typical business-to-business (B2B) transactions by a business otherwise required to comply with CCPA.

CCPA QOTD: What are the penalties for non-compliance with the CCPA? (12/18/2019)

Unless you have been living off the grid for the past year, you likely know that we are now down to 13 days and counting to the effective date of the California Consumer Privacy Act (CCPA).   We have received hundreds of questions and concerns from clients over the past few weeks in the preparations of compliance programs and thought we would share a question of the day (QOTD).

The California Consumer Privacy Act – A Brief Guide for Covered Employers (10/29/2019)

The California Consumer Privacy Act becomes effective on January 1, 2020 with an amendment that impacts California employers. Covered businesses should, of course, already be in the process of preparing CCPA privacy notices and disclosures. And while the amendment carves out some of the direct CCPA provisions applicable to California employers, employee data – and how it is handled – should also be on every covered employers’ to do list.

Analysis of Attorney General Regulations to CCPA – Part 4: Special Rules Regarding Minors (10/21/2019)

The California Attorney General’s CCPA draft regulations impose additional requirements for collection of data from children under 13 on top of those imposed by the federal Children’s Online Privacy Protection Act (COPPA), and also create additional requirements for minors between the ages of 13 and 16. Businesses will need to have reasonable processes in place to ensure that the person providing consent for the sale of a child’s data on his or her behalf is actually their parent or legal guardian. Minors must also be able to opt in, and later, opt out, of the sale of their PI. Businesses should include these practices in their privacy policies.

Analysis of Attorney General Regulations to CCPA – Part 3: Verification Procedures (10/18/2019)

The California Attorney General’s draft regulations specify how businesses verify consumers’ identities when they receive consumers’ data requests.  Specifically, Section 999.323 requires a business (i) to verify consumers’ requests by using available data and implementing reasonable security measures, (ii) not to collect new data for verification unless necessary for security purposes, and (iii) to promptly delete newly collected information.

Analysis of Attorney General Regulations to CCPA – Part 2: Business Practices for Handling Consumer Requests (10/17/2019)

Within Article 3 (pages 10-18), the regulations detail important requirements that every business must follow when providing and fulfilling consumer rights under the CCPA.

Analysis of Attorney General Regulations to the CCPA – Part 1: Notices to Consumers (10/16/2019)

Article 2 of the California Attorney General’s draft regulations specify certain notices that must be given to consumers at the time of collection of their personal information, including consumers’ rights to opt-out of the sale of their personal information, and notices of financial incentives a business may offer in exchange for consumers’ personal information. Article 2 also provides specific CCPA requirements for company privacy policies.

Analysis of Attorney General Regulations to the California Consumer Privacy Act – A Series (10/15/2019)

The California Attorney General’s office (CA AG) has published the long-awaited implementing regulations to the California Consumer Privacy Act (CCPA).  In addition to the regulations, the CA AG also released a Notice of Proposed Rulemaking and Initial Statement of Reasons  to support the draft regulations. The CA AG will hold a series of public hearings as outlined in the Notice of Proposed Regulations, and will be accepting written comments from the public on the regulations until 5:00 PM PST on December 6, 2019.

BREAKING NEWS: California AG Issues Draft CCPA Regulations (10/10/2019)

The California Attorney General has issued draft regulations to the California Consumer Privacy Act.  View the draft regulations in this post.

2019 CCPA Amendment Process Comes to a Close (9/20/2019)

Interested parties and privacy professionals have all been anxiously awaiting how legislative activity would shake out before the California Consumer Privacy Act (“CCPA”) is implemented January 1, 2020.  Now that the dust has settled inside the golden dome in Sacramento and the state legislature’s 2019 session has come to a close, we can see which bills passed and will be provided to Governor Gavin Newsom, who has until October 13th to either veto these bills or sign them into law.

#CCPA Legislative Update: “And the days dwindle down … to a precious few….” (September Song, Kurt Weill) (9/11/2019)

The California 2019 legislative session closes on Friday, and thus all bills must be finalized to move to the Governor’s desk for signature.  That means that all CCPA pending amendments have a few more days.   Last Friday marked the last day on the legislative calendar that changes could be made from the floor to pending amendments, and the California Senate did just that with several of the CCPA Assembly bills.

California Legislature Working Through Data Privacy Amendments (9/6/2019)

In California's Senate session on September 5, AB 1130 was passed, which amends the state’s data breach notification law. The amendment would include passports, biometric data, and taxpayer and military identification numbers to the definition of “personal information” requiring notice under the breach notification law if breached.

And the CCPA Amendment Countdown Begins … (8/13/2019)

The California Legislature has returned from its summer recess and got right to work on the pending amendments to the California Consumer Privacy Act (CCPA). The Legislature has 30 days from today to send any amendments to the Governor’s desk for signature.

Nevada Moves the Goalpost with New Privacy Law (6/7/2019)

Get ready:  October 1, 2019 is the new date for many U.S. businesses to begin providing consumers the right to opt-out of the sale of their personal information.  While January 1, 2020 was the date upon which many businesses were prepared to provide notice of consumers’ right to opt-out of the sale of their personal information to comply with California’s Consumer Privacy Act (CCPA), Nevada moved the goalpost last week and signed Nevada Senate Bill 220 (SB-220) into law, which requires many businesses to provide a similar opt-out, and becomes effective on October 1, 2019.

INSIGHT: California’s Privacy Act—Watch for an Expanding Private Right of Action (5/3/2019)

The California Consumer Privacy Act takes effect on January 1, 2020, but amendments are expected. In an article recently published by Bloomberg Law, Mintz attorneys Joshua Briones, Esteban Morales and Matthew Novian discuss the April 9 hearing on SB-561, a bill that would expand the private right of action and remove compliance opportunities for businesses, and explain why the bill should be closely watched.

Complying with the California Consumer Privacy Act: Are Health Care Organizations "Home Free"? (4/4/2019)

On June 28, 2018, California passed the California Consumer Privacy Act (CCPA) and then further amended it on September 23, 2018. CCPA breaks new state law privacy ground, and this post addresses some of the confusion surrounding the exemptions for health information.

SB 561 Aims to Make CCPA More Consumer-Friendly by Expanding a Private Right of Action and Removing the Right to Cure (4/4/2019)

Last week, California State Senator Jackson and state Attorney General Becerra introduced a new bill, Senate Bill 561.  If passed, it will greatly expand the consumers’ right to bring private lawsuits for violations of the California Consumer Privacy Act (“CCPA”).  SB 561 will: (1) provide for a private right of action for all CCPA violations—not just those stemming from a data breach; (2) eliminate the 30-day safe-harbor provision that currently allows companies to cure the violation and thereby avoid a private right of action; and (3) prevent companies from seeking specific opinions from the Attorney General and instead allow the AG’s office to provide “general guidance” via publications.

CCPA Amendment May Answer Employee Question (3/28/2019)

We’ve now presented two webinars (links will be posted ICYMI) on the scope of the California Consumer Privacy Act, and have been talking with scores of clients about preparation and planning.   One of the most frequently asked questions is whether the CCPA really applies to employee personal data processe by employers for business purposes.  

California Governor Floats “Data Dividend” Proposal (2/16/2019)

On the heels of the passing one of the nation’s leading pieces of privacy legislation, the California Consumer Privacy Protection Act (“CCPA”), Governor Newsom, used his first “State of the State” address, to highlight his position on data protection and privacy, by saying that technology companies “make billions of dollars collecting, curating and monetizing our personal data have a duty to protect it” and that “Consumers have a right to know and control how their data is being used.”  

California AG’s Office Gets Public Input on CCPA (1/29/2019)

The California Attorney General’s Office (CAGO) is conducting a series of public hearings around the state to gather input on the California Consumer Privacy Act of 2018 (CCPA). We attended the CAGO’s January 25th, 2019 hearing.  The panel of CAGO staff informed those in attendance to anticipate a Notice of Proposed Regulatory Action in the fall of 2019.

“Hey Alexa – Tell Me About Your Security Measures” (10/4/2018)

California continues to lead the nation in cybersecurity and privacy legislation on the heels of the recent California Consumer Privacy Act of 2018 (“CCPA”).  Governor Brown recently signed into law two nearly identical bills, Assembly Bill No. 1906 and Senate Bill No. 327 (the “Legislation”) each of which required the signing of the other to become law, on September 28th, 2018.

More Privacy Legislative Activity in California (9/4/2018)

Labor Day is passed, and the Privacy & Security Matters blog is back after a bit of a hiatus.    The California State Legislature was busy up to the last day of the session working on privacy legislation.

PRIVACY ALERT: California Leads the Privacy Parade Again with Groundbreaking Privacy Legislation (6/29/2018)

June 28, 2018 will be a watershed day in the history of U.S. data privacy legislation.   California has become the first state to move away from the U.S. approach of legislating data privacy in slow bits.


Subscribe To Viewpoints