Skip to Main Content

Legal Alert

California Consumer Privacy Act: GDPR Regulations Reach the United States

September 19, 2018

Shortly after the European Union's much-anticipated privacy law (known as the General Data Protection Regulation, or 'GDPR') went to effect, California Governor Jerry Brown signed into law the California Consumer Privacy Act of 2018 (CCPA). The law takes effect on January 1, 2020, and is expected to create one of the most significant and strict regulations around data collection and privacy practices in the United States.

The CCPA shares many similar features to the GDPR and has broad application. It will affect your organization if any of the following are true, even if your organization is not located in California:

  1. You have over $25 million in annual revenues;
  2. You buy, hold, sell, or share personal information of 50,000 or more California consumers, households, or devices; or
  3. You derive at least 50% of your revenue from selling residents' personal information.
  4. Under the CCPA, your organization's data collection practices will need to be carefully reviewed and your capability to respond to consumer data requests will need to be robust. Specifically, you will need to properly disclose what data you collect and sell and be able to properly delete it upon request (under certain conditions). It is likely that CCPA compliance will also need to be certified to your contractual partners if your company has contractual arrangements with larger companies, most typically in the form of supply agreements.

Penalties for non-compliance can be severe. For example, consumers may, under certain circumstances, have a private right of action against companies that violate the CCPA's data security requirements. The law also allows recovery of damages between $100 and $750 per consumer per incident, or actual damages, whichever is greater.

Next Steps
If your organization meets any one of the criteria mentioned above, we recommend that you launch a comprehensive data security and privacy assessment. The assessment would include, for example, a review of your privacy policy, information security policy, incident response plan, and insurance policy—all with an eye towards identifying potential gaps.

We Can Help
Whether through advising on an assessment process or refreshing your policies and procedures, our attorneys can help ensure your company takes the necessary steps to comply with the CCPA ahead of implementation on January 1, 2020.


Thank you for your interest in contacting us by email.

Please do not submit any confidential information to Maslon via email on this website. By communicating with us we are not establishing an attorney-client relationship, and information you submit will not be protected by the attorney-client privilege and cannot be treated as confidential. A client relationship will not be formed until we have entered into a formal agreement. You should also be aware that we may currently represent parties whose interests may be adverse to yours, and we reserve the right to continue to represent them notwithstanding any communication we receive from you.

If you would like to discuss possible representation, please call one of our attorneys directly or use our general line (p 612.672.8200). We can then fully discuss our intake procedures and, if appropriate, introduce you to an attorney suited to assist with your matter. Alternatively, you may send us an email containing a general inquiry subject to these terms.

If you accept the terms of this notice and would like to send an email, click on the "Accept" button below. Otherwise, please click "Decline."