California Consumer Privacy Act (CCPA)

We help entities doing business in California comply with the CCPA and defend them when litigation ensues.

Our Approach

When the California Consumer Privacy Act (CCPA) goes into effect in January 2020, it will impose obligations not seen before in U.S. data security legislation. In order to avoid liability, entities doing business in California need to prepare now to comply with the new statute.

Despite efforts to revise the CCPA since its initial passage in 2018, uncertainty persists as to its scope and enforcement. In general, it applies to any business that is of a certain size (over $25 million in gross revenue); that buys, receives, or shares a material amount of consumer data (over 50,000 persons annually); or that derives more than half its revenue from selling the data of California consumers.

While the statute is full of ambiguities—some of which are the basis for ongoing efforts at clarification through the legislature or the Attorney General of California—businesses should not wait for complete certainty to get ready.

The CCPA grants consumers a host of new rights regarding their data. Businesses must prepare to handle customer requests directed to these new rights and update their privacy disclosures, including at the point of personal data collection.

The statute imposes burdens beyond regulatory compliance. The CCPA gives consumers a private right of action if their data is stolen or otherwise breached. With statutory damages of $100 to $750 per “consumer incident,” businesses can expect an uptick in civil privacy litigation. However, consumers can only base claims on breaches of “nonencrypted or nonredacted personal information,” which is one more reason businesses must act now to ensure such data is protected in accordance with the statute.

Selling or sharing customer data will make compliance more complicated and costly. Businesses that do not monetize data should determine how much personal data they need to keep and whether they want to stay involved in these practices.

Our team tracks all evolving developments related to the CCPA and keeps our clients up to date. We work with companies to update their privacy policies and procedures in preparation for the effective date of the CCPA and can assist with other privacy concerns pre- and post-litigation.

Who we work with:

  • Businesses, organizations and government entities that collect, transmit or store sensitive or personally identifiable information
  • All industries including technology, health care, finance, infrastructure, defense, energy, big data, social media, data storage and professional services
  • Companies using mobile apps, websites and social media
  • Health care providers, insurance companies, pharmacies, clearinghouses, business associates and others impacted by the Health Insurance Portability and Accountability Act (HIPAA), the Health Information Technology for Economic and Clinical Health Act (HITECH) and the Omnibus Rule
  • Those who market goods or services to children under the age of 13 and others impacted by the Children’s Online Privacy Protection Act (COPPA)
  • All companies that receive and store the personal financial information of their clients and customers, and others impacted by the Gramm-Leach-Bliley Financial Services Modernization Act (GLBA) and state data security laws
  • Law firms, accounting firms, and other professional advisors working with sensitive client information
  • Law enforcement agencies

Additional Consumer Privacy Law Experience

We have experience with complex consumer privacy, data protection and security laws impacting businesses nationwide, including, among others:

  • Telephone Consumer Protection Act (TCPA)
  • Illinois Biometric Privacy Act (BIPA)
  • California Consumer Privacy Act (CCPA)
  • EU General Data Protection Regulation (GDPR)
  • Computer Fraud and Abuse Act (CFAA)
  • Federal Trade Commission Act (FTC Act)
  • Fair Credit Reporting Act (FCRA)
  • Fair and Accurate Credit Transactions Act (FACTA)
  • Fair Debt Collection Practices Act (FDCPA)
  • Controlling the Assault of Non-Solicited Pornography and Marketing Act (CAN-SPAM)
  • Children’s Online Privacy Protection Rule (COPPA)
  • Video Privacy Protection Act (VPPA)
  • Credit Card Accountability Responsibility and Disclosure Act (Credit CARD Act)
  • Driver's Privacy Protection Act (DPPA)
  • Freedom of Information Act (FOIA)
  • Federal Trade Commission (FTC) and Federal Communications Commission (FCC) regulations
  • State consumer protection laws

California data security law to have widespread impact

Rochester Business Journal | November 29, 2019

Rochester Corporate associate Jenny Holmes talks to the Rochester Business Journal for their special report on the impact of the California Consumer Privacy Act, which goes into effect January 1. Jenny anticipates that companies will have to comply with the strictest state law on the books if Congress does not pass a federal law.

Keep up with laws developing to protect our consumer data

Rochester Business Journal | November 15, 2019

In the latest installment of his monthly column, Rochester Corporate partner Jeremy Wolk analyzes state-level legislation aimed at enhancing consumer privacy rights and protections, similar to the European Union’s General Data Protection Regulation. Rochester Corporate associate Jenny Holmes contributed to the column.

Problems with the California Consumer Privacy Act

Los Angeles/San Francisco Daily Journal | January 23, 2019

Los Angeles Government Investigations and White Collar Defense partner Jason Gonzalez and associate Karina Puttieva co-wrote this contributed article identifying issues with the “remarkably unclear” California Consumer Privacy Act, a measure passed last year that regulates large businesses who buy, sell or share consumers’ personal information.


Karl D. Belgum


Phone: 415-984-8409

Jason P. Gonzalez

Practice Group Leader, Data Privacy & Cybersecurity

Phone: 213-629-6019

Christopher M. Mason

Deputy Leader, Class Actions and Aggregate Litigation
Leader, Arbitration Team
Member, Firm Policy Committee
Member, Firm Pro Bono Committee

Phone: 212-940-3017

Dan Deane

Leader, Class Actions and Aggregate Litigation;
Co-Leader, TCPA & Consumer Privacy Team

Phone: 603-628-4047
