April 8, 2019


The CCPA is a consumer protection regulation that gives all California residents strong privacy rights that companies are required to honor.


A company is obligated to comply with the CCPA, if it (i) collects personal information (“PI”) from a California resident; (ii) conducts business in California; and (iii) meets any of these annual thresholds:

  • Gross revenue of $25 million;
  • Gathers information from more than 50k California households, users or devices; and/or
  • Derives 50% or more of revenue from selling PI.


CCPA compliance is multi-faceted.  Three major compliance requirements are: (1) the CCPA requires covered companies to limit the “sale” of PI to third-parties (the sale of PI is defined very broadly and means any transfer of PI capturing common tools such as Google Analytics); (2) covered companies must place a “Do Not Sell My Information” link on all pages collecting PI; and (3) covered companies must be able to delete PI upon request (under certain circumstances).


The focus of the CCPA is on the traditional U.S. concept of PI (e.g., name with account number, social security number, etc.). Liability arises from “unauthorized access and . . . disclosure [resulting from a business’s unreasonable] security procedures and practices . . . .” This includes concepts typically described as “leaks” rather than “breaches” and does not require allegations of harm.


Civil fines of up to $7500 per CCPA violation and $750 per each record compromised in a data breach.

Important Note: California AG Becerra introduced an amendment in February that would permit private right of actions by individual plaintiffs, which has yet to become law.


The CCPA takes effect on January 1, 2020 and is set to be enforced by the California Attorney General in July 1, 2020.

Important Note: The law requires covered companies to describe their privacy practices for the prior twelve months in notices and disclosures, potentially creating an effective “look-back” period to January 1, 2019.

You may view the CCPA as amended at this link.

Sherman Helenese is Of Counsel in Buchalter’s Privacy and Data Security, Intellectual Property, E-Commerce and Corporate Practice Groups. He can be reached at shelenese@buchalter.com and 206-319-7035.

Karl Gerner is an Associate in Buchalter’s Privacy and Data Security, Intellectual Property, and Cybersecurity Practice Groups. He can be reached at kgerner@buchalter.com and 206-319-7048.

Jane E. Brown is Special Counsel in Buchalter’s Privacy and Data Security, Intellectual Property, and Corporate Practice Groups.She can be reached at jebrown@buchalter.com and 206-319-7033.

This alert is published as a service to our clients and friends. The material contained here is provided for informational purposes only and is not intended to constitute advertising, solicitation or legal advice. The views expressed herein are solely those of the authors and do not necessarily reflect the views of Buchalter or its clients. For more information, visit www.buchalter.com.