Thought Leadership

Privacy New Year's Resolutions: Is your Privacy Statement CCPA Compliant?

Client Updates

The long-awaited California Consumer Privacy Act (“CCPA”), California's newest and most comprehensive privacy law, went into effect on January 1, 2020. The CCPA changes the privacy framework in California by granting California consumers opt-out, deletion, and other rights that limit businesses subject to the law from gathering, selling, or storing personal information. Stepping away from traditional definitions of personal information, the CCPA also dramatically enlarges what information is considered "personal information" by including information that identifies both consumers and households, along with the inferences drawn from such information.

Businesses, regardless of headquarters or geographic location, fall under the scope of the CCPA if one of the following is met: (1) the business has annual gross revenues in excess of twenty-five million dollars ($25,000,000); (2) the business alone or in combination, annually buys, receives for the business' commercial purposes, sells, or shares for commercial purposes, alone or in combination, the personal information of 50,000 or more consumers, households, or devices; or (3) the business derives 50 percent or more of its annual revenues from selling consumers' personal information. In order to be compliant with the CCPA, businesses must give notice to consumers of their updated privacy rights. This notice is normally given through a business' privacy statement, which must be updated to reflect consumers' expanded rights by January 1. Have you reviewed yours lately?

Non-compliant businesses risk both private and government enforcement. Under the CCPA, consumers have a private right of action if there is a data breach and, as a result, their privacy rights are violated, by statute. The private right of action awards statutory damages of $100 to $750 per consumer, per incident or actual damages, whichever is greater. In addition to the private right of action, the California Attorney General can bring a civil action against non-compliant businesses (including against businesses for noncompliant privacy policies). If violations are not cured within 30 days, the business will be required to pay fines of up to $7,500 per violation.

If you are subject to the CCPA and have not updated your privacy policy to give consumers notice of their rights, you should be prepared to get a notice of noncompliance as of January 1.

If you would like to speak with either Cynthia J. Cole or Matthew Baker for further insights about how the CCPA impacts your business, please contact either of them directly or reach out to Alliccia Hernandez.

Baker Botts is an international law firm whose lawyers practice throughout a network of offices around the globe. Based on our experience and knowledge of our clients' industries, we are recognized as a leading firm in the energy, technology and life sciences sectors. Since 1840, we have provided creative and effective legal solutions for our clients while demonstrating an unrelenting commitment to excellence. For more information, please visit

Related Professionals