March 4, 2021

Volume XI, Number 63


March 04, 2021

Subscribe to Latest Legal News and Analysis

March 03, 2021

Subscribe to Latest Legal News and Analysis

March 02, 2021

Subscribe to Latest Legal News and Analysis

California Continues its Role as a Privacy Vanguard: California Privacy Act of 2018

On June 28, 2018, California Governor Jerry Brown signed into law the California Consumer Privacy Act of 2018 (“CCPA”).[2] CCPA grants new privacy rights to Californian residents and applies a notice and consent framework to most businesses operating in California that collect personal information from those residents.

Effective January 1, 2020, Californian residents ─ referred to in the CCPA (and below) as “consumers,” although CCPA also covers employees, vendors and others ─ will have new rights over their personal information:

  • the right to know what personal information is collected, whether the personal information is sold or otherwise disclosed for a business purpose. and to whom the personal information was sold or disclosed; [3]
  • the right to access the personal information that a covered business has about them; [4]
  • the right to deletion of their personal information; [5]
  • the right to opt out of the sale of their personal information or, for minors under age 16, the right to opt in; [6] and
  • the right to equal service and price, which means that consumers who exercise rights under CCPA must receive the same goods or services as those who do not (although certain financial incentives are permitted). [7]

To give effect to these new consumer rights, CCPA requires a covered business to provide a description of the rights, including specifically:

  • describing, concurrently with or prior to collecting personal information, the personal information the business collects and the reason for its collection; [8] and
  • listing the categories of personal information (i) collected by the business in the preceding 12 months and (ii) “sold” or otherwise disclosed for a “business purpose” in the preceding 12 months. [9]

A covered business also must respond to a verifiable consumer request:

  • for a list of the specific personal information about the consumer that was collected, sold or disclosed during the preceding 12 months;
  • for a copy (in paper or electronic form) of personal information collected about the consumer at no charge to him or her;
  • to delete the personal information that the business collected, subject to the business’s legal obligations and other exceptions; and
  • to opt out of the sale of his or her personal information. [10]

CCPA also authorizes a private right of action for unauthorized access to or disclosure of personal information if the access or disclosure results from a business’ failure to implement “reasonable” security procedures and practices that are “appropriate” to the nature of the personal information. [11]

CCPA has been compared to the General Data Protection Regulation (“GDPR”), the EU’s broad and strict privacy and data protection law that went into force on May 25, 2018. [12]  Although CCPA offers some data privacy rights for Californians that are similar to GDPR, CCPA lacks many of GDPR’s privacy compliance infrastructure requirements. [13] As a result, businesses subject to CCPA that already have undertaken GDPR compliance will find CCPA’s additional requirements more process than substance.

Today, CCPA is challenging because some of its compliance requirements are unclear. The California Attorney General is tasked with adopting regulations, rules and procedures that should help to clarify how to comply in the future. Until then, an affected business can take the time to understand CCPA’s purpose and scope and to inventory the personal information about Californians that the business collects, uses and discloses, but it cannot necessarily undertake any specific compliance steps until the California Attorney General or legislature provides further guidance.

Please refer to our FAQs for answers to common questions our clients have asked since CCPA was enacted. The FAQs will be updated over the coming months.


[1] With invaluable help from Brian Philips (Counsel, Raleigh) and Jenny Sneed (Associate, Raleigh).
[2] CAL. CIV. CODE § 1798.100 et seq.
[3 ]CAL. CIV. CODE § 1798. 100(b), 110, 115.
[4] CAL. CIV. CODE §§ 1798.100(d).
[5] CAL. CIV. CODE § 1798.105.
[6] CAL. CIV. CODE § 1798.120.
[7] CAL. CIV. CODE § 1798.125.
[8] CAL. CIV. CODE § 1798.100(b).
[9 ]CAL. CIV. CODE § 1789.130(a)(4)(B).
[10] CAL. CIV. CODE § 1798.135(a)(4).
[11] CAL. CIV. CODE § 1798.150.
[12] Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC. GDPR applies to personal data collected from individuals in the European Union (“EU”) by any organization operating within the EU or operating outside of the EU but offering goods or services in the EU.
[13] See, e.g., Data protection by design and default. GDPR Article 25.

Copyright 2020 K & L GatesNational Law Review, Volume VIII, Number 215



About this Author

Julia Jacobson, KL Gates Law Firm, Transaction Privact Attorney

Julia Jacobson is a partner in the Boston office of K&L Gates LLP. Ms. Jacobson’s practice focuses on privacy and data protection and marketing, advertising and promotions. She has significant experience counseling clients in the consumer products goods, ecommerce and technology industries.

Ms. Jacobson regularly counsels clients on an array of data privacy, security, transfer and acquisition matters. She regularly assists clients with the design and development of privacy-sensitive policies for collection and use of personal data, incident...

Jeffrey King, KLGates, litigation lawyer

Mr. King’s practice has concentrated in complex commercial litigation and arbitration in a variety of areas, including business disputes, admiralty, transportation, product liability, toxic tort, and environmental matters. His clients include financial institutions, transportation companies, and manufacturers. He represents commercial interests in various disputes, including deal, shareholder, loan, privacy, and contract litigation. His maritime and transportation experience has involved representing clients in personal injury and death defense, cargo damage, equipment...

Alidad Vakili, financial lawyer, KLGates

Mr. Vakili is a lawyer in the San Francisco office of K&L Gates LLP, a global law firm, where he represents emerging companies, investors, and individual entrepreneurs. Mr. Vakili’s practice includes business transactional and counseling matters, for companies in a wide range of industries, including companies in the cleantech and high-tech sectors. He regularly advises clients in the areas of business formation, corporate governance obligations, equity and debt financings, mergers and acquisitions, joint ventures, and other commercial transactions. Mr. Vakili has...