Published in Landslide® magazine, Volume 11, Number 2, a publication of the ABA Section of Intellectual Property Law (ABA-IPL), ©2018 by the American Bar Association. Reproduced with permission. All rights reserved.
This information or any portion thereof may not be copied or disseminated in any form or by any means or stored in an electronic database or retrieval system without the express written consent of the American Bar Association.
Consumer privacy controversy has dened 2018 for
tech companies. Facebook has appeared in head-
lines repeatedly for its questionable handling of
user data and lax approach to privacy. Consumers
who download their Google history are shocked at
the breadth of information the search giant gathers. Congress
has asked Apple, Alphabet, and other device makers about the
security and privacy of their smartphones.1
Google, Facebook, Apple, and many more leading tech
companies are headquartered in California. The state is a
hotbed for innovative ideas, but the ongoing inquiries and
criticisms from privacy advocates that these companies face
made legislative action an inevitability.
On June 28, 2018, Governor Jerry Brown signed the California
Consumer Privacy Act (CCPA) into law after it passed unopposed
through both houses of the state legislature. When the law goes
into effect in 2020, it will provide unprecedented consumer pri-
vacy protection, requiring many companies that do business in
California to disclose the data they collect from consumers and
giving consumers the right to prohibit websites from gathering
data and to opt out of having their data sold to third parties.
Businesses that fail to abide by the law will be liable for
$100 to $750 in damages per infraction. The attorney general
of California is also empowered to investigate complaints and
What Is the CCPA?
The California Consumer Privacy Act is the rst law of its kind
in the United States. It is similar to the General Data Protection
Regulation (GDPR) implemented earlier in 2018 by the Euro-
pean Union. Like the GDPR, the CCPA requires businesses to be
transparent about the data they gather for consumers and enables
consumers to limit the amount and type of data gathered. The
wording of the GDPR is extremely broad, creating a panic among
businesses and brands earlier this year as they updated their web-
sites and privacy policies to be compliant with the regulation.
The entities affected by the CCPA are somewhat clearer.
The law will apply to for-prot businesses that do business in
California and “[h]ave $25 million or more in annual revenue;
or [p]ossess the personal data of more than 50,000 ‘consumers,
households, or devices[;]’ or [e]arn more than half of [their]
annual revenue selling consumers’ personal data.”2
The Act denes personal information as “information that
identies, relates to, describes, is capable of being associated
with, or could reasonably be linked, directly or indirectly,
with a particular consumer or household.”3 The law provides
a vast denition of identifying information that encompasses
personal and digital details including real name, user name,
physical address, IP address, driver’s license number, Social
Security number, and more.
Under the CCPA, consumers in California have the right
to “access the categories and specic pieces of personal
information collected by a covered business, including infor-
mation about where the business collected the personal
information from, the business’s purpose for collecting or
selling the personal information, and the categories of third
parties with whom the business has shared or sold the per-
sonal information.”4 Consumers can opt out of data collection
and request that their personal information be deleted, subject
to exceptions based on the nature of the transaction.
The CCPA was drafted as an alternative to a citizens’ bal-
lot measure with even stricter guidelines. In response, both
houses of the California state legislature passed the bill in
less than a week. As a consequence, the law will likely be
amended before its 2020 effective date.
At rst blush, the CCPA will have businesses of any size run-
ning for their in-house counsel or an outside law rm to protect
their interests. An estimated 500,000 companies in the United
States will likely be subject to the law in California, according to
the International Association of Privacy Professionals.5
How IP Attorneys May Be Affected by the CCPA
The challenge for both attorneys in the intellectual property eld
and the businesses they serve will be helping clients walk the
line between protable business operations and compliance with
unprecedented regulation. First and foremost, the CCPA affects
businesses (including law rms) based in or doing businesses in
California. Law rms with no ofce and no business dealings in
California will not be subject to the law’s requirements.
However, businesses operating in California will need to exam-
ine the following to determine their compliance requirements:
• Annual revenue: Businesses with $25 million or more
in annual revenue must comply with the CCPA.
• Consumer data: A business that “buys, receives . . . sells,
or shares . . . the personal information of 50,000 or more
consumers, households, or devices” is subject to the law.
• Percentage of annual revenue: A business subject to the
CCPA “[d]erives 50 percent or more of its annual reve-
nues from selling consumers’ personal information.”6
Given these thresholds, a clearer picture starts to emerge:
“BigLaw” rms will need to take steps toward compliance
by 2020 if they do business in California. However, there are
many more law rms with annual revenues below $25 mil-
lion. Firms in this latter category will likely have to take little
to no action before the CCPA goes into effect.
In addition, law rms that use consumer data for commercial
purposes will not be subject to the CCPA if they collect informa-
tion for fewer than 50,000 “consumers, households, or devices.”
Compliance also does not apply should less than half of the rm’s
annual revenue be derived from the sale of consumer information.
Some of the changes law rms have made on the privacy front
are a result of best-practice pragmatism, rather than legislative
pressure. Many law rms recently have converted their web-
sites to a hypertext transfer protocol secure (HTTPS) format in
order to avoid triggering a “not secure” warning for users on the
Dan Goldstein is a licensed attorney who has practiced law in
Colorado and Washington, D.C. He is the president and owner
of Page 1 Solutions, LLC, a digital marketing agency serving
attorneys throughout North America. He can be reached at dang@
page1solutions.com. Adam Rowan is the content specialist at
Page 1 Solutions. He has contributed content to online and print
publications in the legal industry and other elds for over 10 years.
He can be reached at firstname.lastname@example.org.