Login to MyACC
ACC Members

Not a Member?

The Association of Corporate Counsel (ACC) is the world's largest organization serving the professional and business interests of attorneys who practice in the legal departments of corporations, associations, nonprofits and other private-sector organizations around the globe.

Join ACC

Should I Care About CCPA?

The California Consumer Privacy Act (CCPA) went into effect on January 1, 2020. This will likely impact your business. So, if your business has a website accessible to California residents, you need to pay attention to the CCPA.

Your business is subject to the CCPA if it annually buys, receives or sells the personal information of 50,000 or more consumers, households or devices in California; derives 50% or more annual revenue from selling consumers’ personal information; or has gross annual revenues of more than $25 million.

Non-compliance with the CCPA may cost your business revenue and hamper your legal department with suits. The CCPA imposes a potentially more severe penalty than the General Data Protection Regulation (GDPR) for non-compliance. Under the CCPA, a business will be liable for a civil penalty of up to $2,500 USD for each violation or $7,500 USD for each intentional violation if it fails to cure any alleged violation of the CCPA within 30 days. 

In case of a data breach due to a business's failure to implement reasonable and appropriate security practices, class action lawyers are expected to take advantage of the CCPA to bring a civil action against the business. In that case, the CCPA allows recovery of up to $750 USD per consumer, per incident, or actual damages, whichever is greater.  Furthermore, a data breach incident could ruin your business's reputation, discourage investors, drive away customers, overwhelm your legal department, and invite regulatory scrutiny. 

How to Comply with CCPA?

Here are the key issues you and your legal department should consider in order for your business to comply with the CCPA. 

a.     Is your company collecting any personal data under the CCPA?
The answer is most likely to be “yes” because the CCPA defines “Personal Information” very broadly.  It essentially covers any information that relates to a California resident or household.  Under the CCPA, “Personal Information” includes, but is not limited to, the following: name, postal address, Internet Protocol (IP) address, email address, account name, race, gender, national origin, disability, purchase history, browsing history, geolocation, professional or employment information, and consumer profile.

b.     Have you updated your online privacy policy to comply with the CCPA?
As in-house counsel for your company, you need to include the following items in your organization’s online privacy policy or on its website: 
     (1)    Consumer's rights under the CCPA, including right to access, right to erasure, right to portability, right to knowledge, right to opt out, and right to equal services and prices, and designated methods for submitting requests;
     (2) The categories of consumers’ personal information that were actually collected by your company in the preceding 12 months and sold or disclosed for business purposes in the preceding 12 months, or the fact that the business has not sold or disclosed consumers’ personal information for business purposes in the preceding 12 months; and 
     (3) The categories of personal information to be collected about the consumer and the purposes for which the information will be used.

c.      Are you going to sell or rent any personal data to a third party?
If you and your department decide that the answer is “yes”, you need to make available a clear and conspicuous link in your organization’s homepage (or a homepage designed specifically for California consumers), titled “Do Not Sell My Personal Information”, to a web page that enables a consumer to opt out of the sale of the consumer’s personal information. The business must wait at least 12 months before requesting to sell the personal information of any consumer who has opted out.

d.      Have you taken steps to protect customers' rights under the CCPA?
Purely mentioning customers' rights in your online privacy policy is not sufficient.  As in-house counsel, you will need to take the following steps to protect those rights to comply with the CCPA:

  • Develop internal procedures for responding to consumer rights requests, including setting up procedures for verifying the identity of a requester.  
  • Develop internal data privacy policies setting forth your data privacy practice, including how to avoid “discriminating” against consumers based on the exercise of their rights.
  • Implement appropriate security controls to prevent potential data breaches.
  • Revise your vendor contract template to impose CCPA obligations on your vendors.

The above is not an exhaustive list of steps you need to take to comply with the CCPA.

Author: Lena Kempe is Assistant General Counsel at Pitney Bowes, Inc. 
You can contact her through Linkedin:

Region: United States
The information in any resource collected in this virtual library should not be construed as legal advice or legal opinion on specific facts and should not be considered representative of the views of its authors, its sponsors, and/or ACC. These resources are not intended as a definitive statement on the subject addressed. Rather, they are intended to serve as a tool providing practical advice and references for the busy in-house practitioner and other readers.

This site uses cookies to store information on your computer. Some are essential to make our site work properly; others help us improve the user experience.

By using the site, you consent to the placement of these cookies. For more information, read our cookies policy and our privacy policy.