We are 100 days away from the California Consumer Privacy Act (“CCPA”). Are you ready? The CCPA, the first comprehensive United States privacy law takes effect on January 1, 2020, with an enforcement date of July 1, 2020.

Does CCPA Apply to My Business?

In short, the CCPA will apply to businesses that receive personal data from California residents. However, the CCPA will not apply to every business that engages in commerce in California.  Rather, it will apply if a business, or businesses’ parent company meets one of the following three thresholds then the CPPA will apply: (1) has annual gross revenues > $25 million; (2) obtains personal information of 50,000 or more California residents, households or devices annually or; (3) 50% or more of the company’s annual revenue is from selling California residents’ personal information.  While 50,000 California residents sounds like a high number, to meet this threshold, a business would only need 137 visits to its website per day to reach that number.

What Is Personal Information Under the CCPA?

Under the CCPA, the definition of personal information is very broad. Specifically, personal information is any information that identifies, relates to, describes, is reasonably capable of being associated with, or may reasonably be linked, directly or indirectly, with a particular consumer or household.

What Other Rights Does the CCPA Provide?

The CCPA provides the following rights to individuals, which will require businesses to put measures in place in order to comply:

Notice Requirement: At or before the point of collection of personal information, your business will need to provide notice of categories of information to be collected, and the purposes for which they will be used.

Disclosure Requirement.  If a covered consumer requests, your business will need to disclose the following:

  • categories and specific pieces of the consumer’s personal information that your business has collected;
  • categories of sources from which personal information is collected;
  • business or commercial purpose for collecting or selling personal information (if applicable); and
  • categories of third parties with whom your business shares personal information.

Delivery of Personal Information.  A consumer may request his or her personal info, up to twice in a 12-month period from your businesses.  Upon such request, your business must deliver the consumer all of his or her personal information that your business has collected and retained.

Right to be Forgotten. Your business must notify consumers of their right to request that your business delete all of the consumer’s personal information.  (Certain exceptions apply).

What Steps Should My Business Take?

We recommend that businesses subject to the CCPA take the following actions.

Data Mapping. In order to implement CCPA compliance, a business must understand all of the data and personal information it collects and maintains, how it processes such information, where it stores such information, and to whom it transmits the information.

Policy Drafting. Examine and revise current privacy policies to determine whether any additional notices and disclosures need to be implemented.

Handling Consumer Requests.  Build a process to handle and respond to consumer requests, including a reliable procedure for personal information deletion.  Completing a data map is key to building out these procedures.

Employee Training.  Devise a training program to ensure that all of your businesses employees who handle consumer information are trained on CCPA compliance.

If you have any questions regarding CCPA compliance, contact Matthew Curtin at mcurtin@murthalaw.com or 860.240.6065 or Dan Kagan at dkagan@murthalaw.com or 203.772.7726.

Photo of Matthew K. Curtin Matthew K. Curtin

Matthew Curtin is a Partner in the Litigation Department, the Chair of the Privacy and Cybersecurity Practice Group and a member of the Labor and Employment Practice Group.

In Matthew’s cybersecurity practice, he advises clients on compliance with state, federal and international privacy laws including the Health Insurance Portability and Accountability Act (HIPAA) and the General Data Protection Regulation (GDPR). Matthew is particularly interested in advising his clients concerning employment privacy matters. Matthew is a member of the International Association of Privacy Professionals.

In Matthew’s labor and employment practice, he has successfully represented employers of all sizes concerning a wide variety of claims before state and federal courts, the National Labor Relations Board, the Connecticut State Board of Mediation and Arbitration, the Connecticut State Board of Labor Relations, the Connecticut Commission on Human Rights and Opportunities, and other various administrative agencies.

Matthew has substantial experience with collective bargaining negotiations, labor arbitrations, and labor relations. He regularly counsels senior management and human resources professionals concerning employment contracts, employment policies, hiring and termination procedures, workplace investigations, and harassment and discrimination avoidance.

Matthew has significant experience representing businesses in litigation concerning trade secret theft, unfair competition, and breach of non-competition and non-solicitation agreements.



Photo of Daniel J. Kagan Daniel J. Kagan

Dan Kagan is an Associate in the Health Care, Long Term Care and Privacy and Cybersecurity Groups. He represents hospitals, physicians, nursing homes, assisted living communities, CCRCs and other health care clients with a wide range of regulatory, compliance, risk management, transactional and reimbursement issues.

With regard to Privacy and Cybersecurity, Dan has experience drafting privacy policies and notices, website terms of use, written information security plans and incident response plans.  Dan counsels clients on compliance issues related to state, federal and international privacy laws including the General Data Protection Regulation (GDPR).  Dan also has experience representing both health care and non-health care clients that have suffered data breaches and assists such clients with breach response and applicable reporting obligations.  Dan writes extensively on privacy and cybersecurity issues and is a co-editor of Murtha’s Privacy and Cybersecurity Perspectives blog.

As a member of the Health Care and Long Term Care groups, Dan has experience representing clients with HIPAA compliance, Stark and anti-kickback analyses, purchase and sale transactions, reviewing and drafting contracts, certificate of need requirements, rate appeals, Medicare and Medicaid audits, medical staff and credentialing matters, licensing and change of ownership proceedings.

Prior to joining Murtha Cullina, Dan clerked for the Honorable Lubbie Harper, Jr. and the Honorable Joseph H. Pellegrino of the Connecticut Appellate Court.

Dan received his J.D. with honors from the University of Connecticut School of Law where he was a Notes and Comments Editor for the Connecticut Insurance Law Journal. He earned his Bachelor of Arts in Economics from McGill University.