Award Mouse thought multimedia interface book medal screen monitor

    California Consumer Privacy Act

    Effective January 1, 2020, the California Consumer Privacy Act (CCPA) imposes burdensome GDPR-like transparency and individual rights requirements on almost every company that handles “personal information” regarding California residents, including employees.

    The CCPA impacts any company that handles personal information about customers, B2B contacts or employees in California, and operates for profit and meets one or more of the following triggers:

    • Annual gross revenues exceeding US$25 million
    • Annually handles personal information regarding 50,000 consumers, households or devices
    • Derives 50% or more of its revenue from selling personal information
    • Is a service provider that handles personal information

    Most CCPA obligations apply directly to the “business” (i.e., an entity that determines the purposes and means of processing personal information), but service providers and other third parties that handle personal information are also impacted.

    How We Can Help

    We can:

    • Determine the applicability of the CCPA to your company
    • Conduct a gap assessment of your company’s current practices against the CCPA
    • Prepare and execute work plans to achieve compliance in a cost-effective, efficient manner, leveraging existing GDPR compliance efforts where applicable
    • Interpret nuances in the CCPA provisions, such as identifying business partners as service providers, third parties or something else under the law
    • Assist with individual compliance tasks, such as:
      • Conducting data inventories
      • Designing processes to respond to individual right requests
      • Drafting privacy notices
      • Preparing contracts, including updating GDPR DPAs to cover the CCPA
    • Train employees regarding the CCPA’s requirements
    • Educate C-suite/board regarding compliance obligations

    Why Choose Us

    • Our lawyers have spent more than 20 years helping companies comply with similar requirements in other laws (e.g., HIPAA, GLBA, state laws, etc.). Our team includes the former CIO of the US government, lawyers with significant business and in-house experience (including through multiple secondments), and multiple regulatory agency lawyers.
    • Our US and European lawyers worked hand-in-hand to assist hundreds of enterprises with the compliance challenges stemming from the GDPR. Many of the same skills, processes and materials, as well as nuanced interpretations and decision-making, developed for GDPR compliance can be used for CCPA compliance. The global composition of our Data Privacy, Cybersecurity & Digital Assets team provides us with unique experience that we can and will leverage to our clients’ benefit in dealing with CCPA compliance.
    • The work that you will get from us will not be academic lists of the CCPA’s requirements with examples as to how to comply. We pride ourselves on being responsive, commercial and practical in our advice by understanding and balancing our clients’ business goals and risk tolerance with legal requirements, best practices and potential exposure.

    {{}} {{insights.source}} {{insights.type}}
    {{blog.title}} {{blog.source}}

    • Multinational technology company – Advised on designing several new innovative offers, including analyzing whether ostensibly B2B offers make the client a “business” (equivalent of GDPR controller), revising customer agreements, preparing privacy statements, addressing secondary uses, designing user-friendly mobile app consent mechanisms, honoring individual rights, and advising on nuanced comparisons to GDPR and integrating with GDPR compliance efforts.
    • Global engineering and manufacturing company – Developed a work plan leveraging simultaneous GDPR and CCPA compliance efforts with parallel work streams for customer and employee data.
    • Global digital advertising and analytics company – Advised on how the CCPA applies to data lacking direct identifiers, then developed and implemented CCPA requirements, including preparing a data collection questionnaire, drafting a separate US privacy statement, expanding individual rights processes to cover California residents, and updating vendor and customer agreements.
    • Worldwide management consulting company – Advised this consulting company (serving purely as a service provider) regarding CCPA applicability and consequences of engaging in secondary data uses.
    • Specialty pharmacy/distributer – Helped one of the nation’s leading suppliers of critical-care biopharmaceuticals, plasma products and vaccines to interpret and plan CCPA implementation (largely for its employees, given that other consumer information is subject to HIPAA and, therefore, exempt from CCPA).
    • Global auto manufacturer – Advised on the CCPA’s applicability generally and how to structure new and innovative smart car technologies involving secondary uses of data for purposes such as usage-based insurance, value-add applications and services, and first and third party marketing.