May 6, 2021

Volume XI, Number 126


May 06, 2021

Subscribe to Latest Legal News and Analysis

May 05, 2021

Subscribe to Latest Legal News and Analysis

May 04, 2021

Subscribe to Latest Legal News and Analysis

CCPA: The 1st Major American Foray into Comprehensive Data Privacy Regulation

Data protection in the United States is about to undergo a major change, and everyone needs to be ready.

The California Consumer Privacy Act (CCPA), signed into law June 28, 2018, enters into effect Jan. 1, 2020. It creates several new obligations for many United States-based businesses with regard to the collection, treatment, and sale of personal information.

CCPA’s Scope

CCPA applies to for-profit entities doing business in California that satisfy at least one of the following thresholds:

  • has annual gross revenues in excess of $25 million;

  • annually buys, receives, sells, or shares the personal information of 50,000 or more consumers, households, or devices; or

  • derives 50 percent or more of its annual revenues from selling consumers' personal information.

The CCPA text makes clear the regulation is geared toward providing regulators and consumers with greater control over the personal information that enters the stream of commerce. CCPA generally provides restrictions and limitation on the “sale” of personal information, but the regulation defines “sale” broadly enough that it includes many “free-to-download” products and services common in today’s marketplace, as well as the transfer of information to third parties.

What CCPA Means for Your Business

CCPA is an attempt at sweeping and comprehensive data privacy regulation in the United States. Many are under the misapprehension that simply updating a privacy policy is enough to avoid liability under the new law. However, it is important to note CCPA also grants California consumers certain rights, including the right to have businesses provide a comprehensive and individualized report of the information businesses have collected and sold related to the requesting consumer. CCPA also provides specific timeframes for businesses to respond to these requests. Failure to comply with CCPA could result in the following penalties:

  • $2,500 for every unintentional violation;

  • $7,500 for every intentional violation; and

  • Private right of action. Consumers may recover statutory damages for data breaches of their personal information.

Although CCPA shares some similarities with the General Data Protection Regulation (GDPR), the laws impose different obligations and regulate different data. Companies shouldn’t assume CCPA will have an insignificant impact on their business if GDPR compliance has already been assessed. In light of the aforementioned penalties and the limited window for responding to consumer requests, coupled with the impending Jan. 1, 2020 effective date, organizations should begin evaluating their data privacy and general information practices. Specifically, companies in the IT, marketing, and SaaS spaces should consider in advance whether they might be subject to the new law. While it may not be possible to get everything in order by Jan. 1 for companies just getting started, it is advisable to not delay compliance efforts.

© 2021 Dinsmore & Shohl LLP. All rights reserved.National Law Review, Volume IX, Number 353



About this Author

Kurt R. Hunt, Dinsmore Shohl, Regulatory Compliance Attorney, Corporate Transactions Lawyer, Ohio,

Kurt focuses his practice on telecommunications and public utilities law, advising clients on general corporate and administrative issues, regulatory compliance, transactions, privacy obligations, and intellectual property matters. He is also an experienced litigator, and routinely represents clients in state and federal courts, as well as before administrative agencies and public utility commissions.

Knowing that public utilities operate inside a highly-regulated and specialized environment, Kurt is adept at tailoring his approach to fit each...

(513) 977-8101
Leanthony Edwards, Dinsmore Law Firm, Intellectual Property Attorney

Leanthony is a member of our Intellectual Property Department, where he focuses on trademarks, technology transactions/licensing and privacy. His experience includes assisting clients with social media, trademarks and contract matters dealing with technology.

He has knowledge and experience in the area of privacy law and obtained Certified Information Privacy Professional U.S. certification through the International Association of Privacy Professionals.

Leanthony earned his J.D. from the University of Cincinnati College...