
Privacy: US

Effective January 1, 2020, the California Consumer Privacy Act (CCPA) imposes burdensome, European (GDPR)-inspired transparency and individual data subject rights requirements on almost every company that handles “personal information” regarding California residents.

Effective January 1, 2023, employees and business contacts will be in full scope of the California law, and further data subject rights and business obligations will apply, including publishing retention schedules and ensuring collection purpose limitation. Also in 2023, CCPA/GDPR-inspired consumer privacy laws will become effective in Colorado and Virginia.

Click here for a summary and comparison of these laws and short-form workstreams to help you prepare for and comply with them. Multiple other states have less comprehensive consumer privacy laws, and three states now regulate data brokers. A patchwork of federal and state privacy laws continues to apply, although the new state laws exclude rather than overlap some, but not all, of what is covered by existing laws.

How We Can Help

We can:

  • Determine the applicability of consumer privacy laws to your company and its data
  • Conduct a gap assessment of your company’s current data practices against privacy and security and other consumer protection laws
  • Prepare and execute work plans to achieve compliance in a cost-effective, efficient manner, leveraging existing compliance efforts where applicable
  • Interpret nuances in statutory and regulatory provisions, such as identifying business partners as service providers, contractors, processors, co-controllers, third parties or something else under the laws
  • Assist with individual compliance tasks, such as:
    • Conducting and assessing data inventories
    • Designing processes and templates to respond to individual right requests
    • Drafting privacy notices, including regarding pre-collection, category purpose, sale and sharing, rights request processes, financial incentives and retention
    • Making data broker registrations
    • Assessing data security and incident preparedness
    • Preparing contracts, including updating DPAs to cover the new contracting requirements these laws mandate
    • Advising on digital advertising, data transfers, processing of sensitive data and use of automated decision-making and profiling, and how to apply new opt-in and opt-out rights to these activities
  • Help design and implement privacy-by-design and impact assessment procedures
  • Train employees regarding the new legal requirements
  • Educate C-suite/board and data stakeholders regarding compliance obligations
  • Defend companies in enforcement actions

Why Choose Us


  • Our lawyers have spent decades helping companies comply with requirements in other US data privacy and protection laws (e.g., HIPAA, GLBA, FCRA, COPPA, VPPA, Cable Act, Privacy Act, California OPPA, California Shine the Light, state data security and incident notification laws, etc.). Our team includes the former CIO of the US government, lawyers with significant business and in-house experience, and multiple regulatory agency lawyers.
  • Our US and European lawyers worked hand-in-hand to assist hundreds of enterprises with the compliance challenges stemming from the GDPR. Many of the same skills, processes and materials, as well as nuanced interpretations and decision-making, developed for GDPR compliance are used by us for US compliance.
  • The global composition of our Data Privacy, Cybersecurity & Digital Assets team provides us with unique experience that we leverage to our clients’ benefit when creating global data governance programs that address the Americas, Asia Pacific and EMEA.
  • The work that you will get from us will not be merely academic lists of the statutory requirements with examples as to how to comply. We pride ourselves on being responsive, commercial and practical in our advice by understanding and balancing our clients’ business goals and risk tolerance with legal requirements, best practices and potential exposure.


  • Multinational technology company – Advised on designing several new innovative offers, including analyzing whether ostensibly B2B offers make the client a “business” (equivalent of GDPR controller), revising customer agreements, preparing privacy statements, addressing secondary uses, designing user-friendly mobile app consent mechanisms, honoring individual rights, and advising on nuanced comparisons to GDPR and integrating with GDPR compliance efforts.
  • Global engineering and manufacturing company – Developed a work plan leveraging simultaneous GDPR and CCPA compliance efforts with parallel work streams for customer and employee data.
  • Global digital advertising and analytics company – Advised on how the CCPA applies to data lacking direct identifiers, then developed and implemented CCPA requirements, including preparing a data collection questionnaire, drafting a separate US privacy statement, expanding individual rights processes to cover California residents, and updating vendor and customer agreements.
  • Worldwide management consulting company – Advised this consulting company (serving purely as a service provider) regarding CCPA applicability and consequences of engaging in secondary data uses.
  • Specialty pharmacy/distributor – Helped one of the nation’s leading suppliers of critical-care biopharmaceuticals, plasma products and vaccines to interpret and plan CCPA implementation (largely for its employees, given that other consumer information is subject to HIPAA and, therefore, exempt from CCPA).
  • Global auto manufacturer – Advised on the CCPA’s applicability generally and how to structure new and innovative smart car technologies involving secondary uses of data for purposes such as usage-based insurance, value-add applications and services, and first- and third-party marketing.