The California Consumer Privacy Act of 2018 (CCPA) significantly expands the privacy rights of California residents. Hundreds of thousands of businesses across the country will be required to take action to avoid private litigation and attorney general enforcement actions.


The CCPA requires entities doing business in California to make a range of disclosures about the information collected about California residents. It also gives California residents a variety of options for how their information may be used. The legislation defines "personal information" to include almost any type of information that can be associated with an individual or household.

Penalties are steep for noncompliance. The California Attorney General's office is charged with enforcing the CCPA and is authorized to seek statutory damages of up to $2,500 per violation. The legislation also establishes a private right of action for data breaches with statutory damages of up to $750 per consumer per incident.

Members of Ballard Spahr's Privacy and Data Security Group provide holistic solutions to comply with the CCPA. Our experience includes:

  • Counseling on CCPA inclusion parameters
  • Drafting and revising online privacy notices to meet CCPA requirements
  • Responding to consumer requests made pursuant to the CCPA, including requests to disclose personal information and "right to be forgotten" requests
  • Counseling on compliance with the CCPA's opt-out provision
  • Navigating clients through the implementation of reasonable security procedures and practices
  • Mapping data flows, both internally and externally
  • Drafting and reviewing "service provider" contracts
  • Analyzing new products and services for CCPA compliance
  • Guiding clients on the differences and similarities of the CCPA and General Data Protection Regulation (GDPR)

The CCPA is scheduled to go into effect January 1, 2020. However, because the legislation requires businesses to be able to provide consumers with information for a 12-month lookback period, many have already begun their compliance efforts.

To stay informed about the CCPA and other developments in privacy and data security law, subscribe to our blog, CyberAdviser, and sign up to receive our legal alerts.