Foundry Law Group Blog

CCPA Compliance: One Year Later


It was only one year ago that the California Consumer Privacy Act of 2018 (CCPA) went into effect. The CCPA is a landmark privacy law providing California residents various protections with regard to personal information. Even though the CCPA is in effect, it is still undergoing rulemaking with the 4th Set of Modifications to the Proposed Modifications released December 10, 2020. The deadline to submit comments to this round of modifications was December 28, 2020. This blog revisits the CCPA and provides some information about CCPA compliance.


What is CCPA?


The CCPA is a privacy and data protection law passed by the California State Legislature and signed into law by Governor Jerry Brown on June 28, 2018. The law with its initial amendments went into effect on January 1, 2020. The CCPA applies to any business doing business in California that collects “personal data” and meets one of the following thresholds:

  • Annual gross revenues in excess of $25 million;
  • Buys, receives, or sells the personal data of 50,000 or more consumers or households; or
  • Earns more than half of its annual revenue from selling consumers’ personal data.

Under the CCPA, personal data is generally understood as information that can identify, relate to, describe, be associated with, or be reasonably capable of being associated with a particular California consumer or household. Where CCPA applies, businesses must then implement and maintain reasonable security procedures and practices to protect that personal data. Such procedures and practices include:

  • Parental or guardian consent for minors.
  • A “Do Not Sell My Personal Information” link on the home page of the business’ website. The link should enable users to opt out of the sale of personal data.
  • A method for submitting data requests.
  • A CCPA-compliant privacy policy.
  • Refraining for one year from requesting that a user opt in to certain privacy practices after the user has opted out.

Interestingly, CCPA allows third parties to be authorized to exercise opt-out rights on behalf of users.


CCPA Enforcement


Generally, CCPA provides statutory damages. For data breaches, businesses might be liable for up to $750 per California resident or incident, in addition to actual damages, whichever is greater. Businesses may also face a fine of up to $7,500 for each intentional violation and $2,500 for each unintentional violation of CCPA requirements. To date, some estimates show there have been around fifty lawsuits invoking CCPA since it went into effect, with nearly all of them being class action lawsuits.


The California Privacy Rights Act


California has a new privacy law for 2023. California residents voted to approve the California Privacy Rights Act (CPRA) on November 3, 2020. The act will be the subject of a subsequent blog post where we dive deeper into what the CPRA means for businesses. In summary, CPRA is an expansion of the CCPA that goes into effect on January 1, 2023, with a retroactive effect back one year earlier. The act includes various amendments to CCPA, further defines “consent,” and imposes new requirements for privacy policy compliance. Most significantly, the CPRA establishes a California privacy regulator and expands the CCPA’s private cause of action.


CCPA Compliance for Your Business


CCPA compliance can be a daunting task. An assessment of your business’ data collection practices, its website, privacy policy, and agreements with service providers is essential to CCPA compliance. We provide efficient and forward-thinking legal services, mindful of cost without compromising quality. Contact Foundry Law Group to ensure your business is compliant today. 
