The California Consumer Privacy Act (CCPA) currently has limited carve-outs for personal information (PI) collected from a job applicant, employee, owner, director, officer, medical staff member, or independent contractor of a business acting in such capacity (including, without limitation, communications, emergency contact and benefits PI) (HR data). An even broader exception applies to B-to-B communications and related PI (e.g., vendor, supplier and business customer contacts and communications) (B-to-B data). As a result, businesses subject to the CCPA are not currently required to honor CCPA rights requests received from persons concerning HR data and B-to-B data. These carve-outs are set to sunset on January 1, 2023, when the California Privacy Rights Act (CPRA), which substantially amends the CCPA, goes into full effect, at which point HR data and B-to-B data will be fully subject to all of the requirements of the CCPA/CPRA. Many business administrators had hoped that either the California legislature would extend the HR data exceptions (or maybe even make them permanent), or a federal law that limited data subject rights to traditional consumers would pass and preempt CCPA/CPRA. It is now clear that the former is impossible and the latter is highly unlikely. Accordingly, many companies have a lot to do by year-end to prepare to stand up a CCPA/CPRA program for HR data and B-to-B data.

Continue Reading HR and B-to-B Data Compliance Deadline Looming – Legislative Efforts to Extend California Consumer Privacy Act Exemptions Fail

On August 24, 2022, California Attorney General Rob Bonta issued a press release announcing the first public settlement by the Office of the Attorney General (OAG) involving alleged violations of the CCPA. The settlement involves a judicial judgment, civil penalties and ongoing monitoring and reporting. The use of noncompliance letters to cajole companies into compliance over many months now appears to be a closed chapter in the CCPA saga. Season 2 promises more drama, more action and more money. Entertaining unless you are the next target!

Continue Reading The Cookie Crumbles – Lessons from First California Consumer Privacy Act (CCPA) Monetary Settlement

As the first year for litigation and enforcement, 2020 was a big year for the California Consumer Privacy Act (“CCPA”).  Read on for ConsumerPrivacyWorld’s highlights of the year’s most significant events, as well as our predictions for what 2021 may bring.

Recap – What is the CCPA?

Following the lead of the European Union’s General Data Privacy Regulation (“GDPR”), the CCPA is the nation’s first definitive set of data privacy laws and went into effect on January 1, 2020.  It regulates any “business” that “does business in California,” even those without a physical presence in the state, and determines the means and purposes of the processing of “personal information”.

So what entities qualify as a “business” subject to the CCPA? The statute defines a “business” as a for-profit, private entity that (1) collects “personal information”, (2) determines the means of processing that personal information, (3) does business in California, and (4) meets one of the following criteria:

  • Has annual gross revenues exceeding $25 million;
  • Annually sells/buys or receives/shares for commercial purposes the personal information of 50,000 or more California consumers; or
  • Derives 50% or more of its annual revenue from selling personal information.

Generally, the CCPA covers all information so long as it relates to a California resident or California household.  Aligning with the GDPR, the CCPA defines “personal information” to include “information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.”  Cal. Civ. Code § 1798.140(o).

The CCPA requires compliance with its notification and transparency notices.  First, the CCPA expects businesses present up to four notices, to be determined by that business’s practices.  Second, businesses must also inform consumers of their rights under the CCPA including their: (1) right to know, (2) right to delete, (3) right to opt out, (4) right to not be discriminated against for exercising their CCPA rights.

Check out our CCPA Power Center for more detailed information.

Key Developments in CCPA Litigation and Enforcement

January 1, 2020 and July 1, 2020 were important dates for the CCPA.  The former date set the act into motion, and saw the commencement of private rights of action.  The latter marked the start of enforcement proceedings.


It didn’t take long for litigants to begin alleging violations of the CCPA. The first such lawsuit, Fuentes v. Sunshine Behavioral Health Group, LLC, No. 8:20-cv-00487 (C.D. Cal.), appeared on March 10, 2020, only three months after the law went into effect.  Besides being the first lawsuit to expressly allege a specific violation of the CCPA, this putative class action lawsuit also presented a notable standing issue:  whether a Pennsylvania resident that stayed in a California treatment facility for one month could be a “consumer” under the CCPA.

In early motion practice, the defendant seized on this standing issue, asserting that plaintiff’s one-month stay in California did not render him a consumer as required by the statute.  The CCPA defines a “consumer” as “a natural person who is a California resident.”  The applicable regulations in turn define as resident as:  (1) individuals who are in California for other than a temporary or transitory purpose; or (2) individuals domiciled in California who are outside the state for a temporary or transitory purpose.

Unfortunately, the Court did not have an opportunity to weigh in on this dispute before the parties filed a notice of voluntary dismissal of suit.

At least one CCPA class action, G.R. v. TikTok, No. 2:20-cv-04537 (C.D. Cal.), has already been consolidated with a several other lawsuits in an MDL in the U.S. District Court for the Northern District of Illinois.  On May 20, 2020, “G.R.,” a minor, filed a putative class action suit against popular social media platform TikTok and its parent company, ByteDance.  Seeking to represent a class of “[a]ll minor persons who registered for or used the TikTok app from at least May 14, 2017 to the present,” the plaintiff alleged that TikTok violated the CCPA when it allegedly failed to provide notice of the app’s alleged use and collection of its users’ data.  The complaint alleged that this use and collection included scanning every video uploaded to the app with facial recognition technology, extracting geometric data regarding the unique points and contours of each face as they appear in each uploaded video, and then creating and storing a template of each face from that data.

In September, G.R. was consolidated with several other lawsuits against TikTok into an MDL.  The MDL currently features over 30 plaintiffs, many of which are alleged to be minors.  On December 18, 2020 an amended consolidated class action complaint was filed.  Check back here for updates on how this case develops.

On the litigation front, one district court held that the CCPA’s focus on privacy does not restrict the scope of discovery.  In Kaupelis v. Harbor Freight Tools USA, Inc., No. 8:19-cv-01203 (C.D. Cal.), the court granted a motion to compel, stating that, “[n]othing in the CCPA presents a bar to civil discovery.  Notably, no other case has so held.  And the statute itself explicitly says that it is not a restriction on a business’s ability to comply with federal law”.

Another case, Stasi v. Inmediata Health Grp. Corp., No. 3:19-cv-02353 (S.D. Cal.),  confirmed that the CCPA does not apply to medical information that is governed by the California Confidentiality of Medical Information Act (“CMIA”) but can apply to disclosed non-medical information.

2020 also recently saw a settlement in a putative class action that when filed, was among the first to cite a violation of the CCPA.  High-end children’s clothing retailer Hanna Andersson faced numerous claims in the putative class action that followed a widespread data breach.  The alleged breach affected the personal information of over 200,000 customers who made online purchases on the Hanna Andersson website between September 16 and November 11, 2019.  The personal information included names, shipping and billing addresses, payment card numbers, CVV codes, and expiration dates.  This information was then exfiltrated and used to make fraudulent purchases using the affected customers’ credit cards.  On January 15, 2020, Hanna Andersson notified its customers of the breach.

In a settlement reached last month, Hanna Andersson agreed to create a settlement fund of $400,000 and implement new security measures.  These measures include hiring a director of cyber security, conducting a risk assessment of the its data assets and environment consistent with the NIST Risk Management Framework, and completing PCI Attestation of Compliance (AOC) in conjunction with a PCI-certified Qualified Security Assessor (QSA).  For more information on the significance of this settlement, including how the financial component of the settlement compares to other settlements, be sure to read ConsumerPrivacyWorld’s previous, in-depth coverage.

Legislation and Enforcement

As reported on our sister blog, Security & Privacy Bytes, 2020 was an incredibly active year for CCPA-related legislation and enforcement activity.

State enforcement of the CCPA began on July 1, 2020, when the Attorney General of California started to issue violation notice letters to a swath of online businesses. Although the letters themselves remain confidential, California’s Supervising Deputy Attorney General, Stacey Schesser, has provided some insight into their substance.  The letters targeted multiple industries and business sectors, which dispelled the belief that certain industries would be prioritized over others.  Additionally, the letters focused on businesses that operated online and were missing either key privacy disclosures or a “Do Not Sell” link (where the Attorney General thought one was necessary).  Finally, the targets of the letters were identified, at least in part, based on consumer complaints, including complaints made using social media.

On August 14, 2020, several regulations concerning the CCPA went into effect or were dropped.  The issues addressed by the regulations included the ease with which consumers could submit requests to opt out, whether certain businesses were required to provide offline notices of the right to opt-out, and the wording that businesses must incorporate when the sale of personal information is involved.  For more information, our sister blog, Security & Privacy Bytes, previously provided in-depth coverage.

This year, California also enacted a law to resolve the disconnect between the CCPA and HIPAA.  On September 14, 2020, Governor Gavin Newsom signed AB 713 into law.  AB 713 expands the CCPA exceptions for HIPAA business associates and HIPAA de-identified data, which may be particularly helpful in research.  AB 713 solves a disconnect between the CCPA and HIPAA’s arguably less burdensome de-identification standards.  Without this “fix,” data could have been sufficiently deidentified to be exempt from HIPAA, yet not sufficiently deidentified to be exempt from CCPA, creating a much more complicated legal regime for health companies.  Check out Security & Privacy Bytes’ coverage here.

Additionally, although this year was the first year in which the CCPA was in effect, it was also the year when its successor was determined.  On November 6, 2020, a majority of Californians voted to approve Proposition 24, the “California Privacy Rights Act of 2020” (“CPRA”).  The CRPA will go into effect on January 1, 2023, but will apply to all personal information (PI) collected on or after January 1, 2022.  Security & Privacy Bytes provided more coverage.

Finally, on December 10, 2020, the California Department of Justice released a fourth set of proposed modifications to the regulations regarding the CCPA.  The comment period is set to expire on December 28, 2020.  Stayed tuned to ConsumerPrivacyWorld to know the final outcome.

What Does the Future Hold?

With the CCPA now in effect, all eyes are focused on the significant changes that will be ushered in by the CPRA.  One of the most significant changes will be the creation of a new state agency, the California Privacy Protection Agency (“CalPPA”).  By July 1, 2021, the CalPPA will take over rulemaking and beginning January 1, 2024, the CalPPA will implement and enforce the CPRA.

The CalPPA will be the first enforcement agency in the United States dedicated solely to privacy.  For those familiar with the Consumer Financial Protection Bureau and its significant impact on the industry, the CalPPA is speculated to strengthen the enforcement and compliance with CCPA.  With the creation of the CalPPA – which is set to operate as a key privacy regulator — we know that the CCPA is here to stay.

Additionally, with a new administration and Congress arriving in the new year, the stage may finally be set for enacting comprehensive federal data privacy laws.  ConsumerPrivacyWorld previously reported on the status of federal legislation and glimpsed at the preemption issues that federal legislation would almost surely create.

The CCPA continues to evolve and  remains poised to reshape the data privacy landscape, including in the context of consumer litigation.  How will the CalPPA function?  Will the new administration and Congress make federal regulations?  Will it preempt the CCPA?  We guarantee to keep you informed on everything you need to know.  Stay tuned and do not hesitate to reach out for any questions or advice!


The California Consumer Privacy Act (CCPA) takes effect on January 1, 2020. The California legislature passed a number of amendments on September 13, 2019, that alter the law in important ways. These amendments are now being reviewed by the governor and will be finalized by October 13, 2019. Join our webinar just a few days later, on October 17, when Elliot Golding and Lydia de la Torre will explain requirements under the CCPA and practical steps to comply, including an analysis of how the law is modified by the amendments related to employee data, B2B data, loyalty programs, disclosure methods, parental consent, and other issues.

Our discussion of the final version of the act will include:

  • Scope and applicability (e.g., what companies, data and processes will be impacted)
  • Key requirements (e.g., privacy statement, individual rights, etc.)
  • Suggested steps to build a CCPA compliance program efficiently and effectively
  • Practical tips to manage risk and leverage existing compliance processes where possible

Attendees will have the opportunity to ask questions during the program, with a full Q&A session to follow.

If you would like to attend, or have colleagues who would, please register any interested parties.

We have scheduled a make-up session with CLE for June 4, 2019 at 3p EST.

Effective January 1, 2020, the California Consumer Privacy Act (CCPA) will impose burdensome GDPR-like transparency and individual rights requirements on almost every company that handles “personal information” regarding California residents, regardless of where the business is based. The Act will impact information regarding not only consumers, but also employees and business contacts. Continue Reading Did You Miss Our Recent CCPA webinar? Understanding and Preparing for the California Consumer Privacy Act

Effective January 1, 2020, the California Consumer Privacy Act (CCPA) will impose burdensome GDPR-like transparency and individual rights requirements on almost every company that handles “personal information” regarding California residents, regardless of where the business is based. The Act will impact information regarding not only consumers, but also employees and business contacts.

Join us for a webinar on May 7, 2019, when Elliot GoldingPhil Zender and Ivan Rothman will provide an overview of the CCPA and discuss the act’s:

  • Scope and applicability (e.g., what companies, data and processes will be impacted)
  • Key requirements (e.g., privacy statement, individual rights, etc.)
  • Contextual comparisons to existing US law and GDPR
  • Suggested steps to build a CCPA compliance program efficiently and effectively
  • Practical tips to manage risk and leverage existing compliance processes where possible

Attendees will have the opportunity to ask questions during the program, with a full Q&A session to follow.

If you would like to attend, or have colleagues who would, please register any interested parties.

California’s Consumer Privacy Act of 2018 (“CCPA”) which was signed into law in June 2018 will take effect on January 1, 2020.

California Attorney General Xavier Becerra has announced that the California Department of Justice has organized six public forums throughout the State that will provide those impacted by the new law an opportunity to comment on the rulemaking process. Continue Reading California to Hold Public Forums on California Consumer Privacy Act as Part of Rulemaking Process

Amendments to California’s expansive Consumer Privacy Act of 2018 (“the Act”) include new provisions that may significantly impact the timing of enforcement and provide exemptions for large amounts of personal data regulated by other laws.

The Act, signed into law in June, is a sweeping data privacy law that regulates the processing of personal data of California residents. Because the Act was hastily passed in order to prevent a similar ballot initiative proceeding to a vote in the November elections, it was expected that the Act would undergo significant amendments before it enters into effect on January 1, 2020.

Continue Reading Amendments to the California Consumer Privacy Act of 2018: Progress toward Clarity

California’s newly enacted Consumer Privacy Act of 2018 is the strictest of the US’s patchwork of privacy related regulations. The Act will impact any legal entity that (i) does business in California, (ii) is operated for the profit or financial benefit of its owners, (iii) collects consumers’ personal information and determines the purpose and means of processing such information, and (iv) satisfies at least one of the following three conditions:

  • Has an annual gross revenue of over $25 million
  • Alone or in combination, annually buys, receives, sells or shares for commercial purposes the personal information of 50,000 or more consumers, households or devices, or
  • Derives 50% or more of its annual revenues from selling consumers’ personal information

Continue Reading California’s Consumer Privacy Act of 2018

Washington’s My Health My Data Act (“MHMDA”) and Nevada’s SB 370 (“NV CHD Law”) (collectively, “CHD Laws”) went into effect at the end of last month, on March 31, 2024 (as many know, MHMDA’s geofencing prohibition went into effect last summer). Unlike the Health Insurance Portability and Accountability Act (“HIPAA”), a federal law which governs privacy and security in traditional healthcare settings, CHD Laws regulate “consumer health data” or “CHD”– a very broadly defined term as we discuss below and in a prior post – collected by companies in a broad swath of health and non-health related industries alike. Even ancillary purposes like providing accessibility accommodations and defending personal injury claims are enough to trigger the laws. CHD Laws impose restrictions and obligations on regulated entities far more burdensome than state consumer privacy laws, many of which already regulate some of the same health data, and unlike those general consumer privacy laws are not proposed to be preempted by the potential federal America Privacy Rights Act.

As such, compliance programs that businesses may have developed to comply with state consumer privacy laws, such as the California Privacy Protection Act (“CCPA”), will not be sufficient to address the requirements of the CHD Laws, though they can be leveraged such as for consumer rights request and processor management. There are some material differences beyond the scope of the data regulated. For example, businesses must add another website footer link (and potentially elsewhere, such as in mobile apps) and post a separate privacy policy applicable to the processing of CHD. The facilitation of consumer rights must be CHD-specific, for example providing the right to delete just CHD, rather than all personal information. Moreover, businesses that have CHD use cases not within narrow exceptions (e.g., as necessary to provide a requested product or service), which differ somewhat as between the two laws, will have to grapple with the foreboding consent and authorization requirements which, in some cases, could result in subjecting visitors or customers to a litany of notices and pop-ups in an environment already plagued by what some dub as “consent fatigue.”

Continue Reading Are you Ready for Washington and Nevada’s Consumer Health Data Laws?