Articles Posted in California Law

Complying with the California Consumer Privacy Act in 5 (more or less) Not So Easy Steps
Part 1 of a Series

First Steps First – the Data Map

It is estimated that more than 500,000 companies are subject to the California Consumer Privacy Act (CCPA), many of them smaller and mid-size business, where the detailed requirements of the Act – disclosure and notice  procedures, opt-out rights, updating privacy policies, and revising vendor agreements – is daunting.  So where should a business begin in its efforts to meet the Act’s requirements?

What is the CCPA?

The California Consumer Privacy Act was signed into law on June 28, 2018, and will become effective January 1, 2020 – although the Attorney General is precluded from bringing an enforcement action under the CCPA until the earlier of six months after the final regulations are published, or July 1, 2020.  The effective date of the Act gives covered businesses little time to prepare.  Preparing now is particularly important, because many obligations under the Act will require advance work, and companies will need to begin now.

What businesses must comply with the Act?

As has been well publicized, the Act is applicable to many businesses, whether located inside or outside California.  The Act applies to for-profit entities that both collect and process the personal information (as defined in the Act) of California residents and do business in the State of California –  a physical presence in California is not a requirement to becoming subject to the Act. Additionally, the business must meet at least one of the following criteria:

  • Generate annual gross revenue in excess of $25 million,
  • Receive or share personal information of more than 50,000 California residents annually, or
  • Derive at least 50 percent of its annual revenue by selling the personal information of California residents.

What to do first – Data mapping

The first, and possibly most important, thing a company should do to comply with the Act is to understand what data the company collects, how it uses the data and who has access to it.  Understanding how the company collects, processes, transmits and stores data – as well as how it’s used and who uses it – is the foundation of a data privacy program and the key to complying with the Act and most other privacy regulations.  A company’s data is often its most valuable asset, but the exact movements of sensitive data are often poorly understood, providing unknown exposure points and increasing the risk of data loss.  Continue reading

JMBM’s Cybersecurity & Privacy Group is pleased to announce that the Group’s Co-Chair, Michael A. Gold, will be participating as a panelist for the webinar Bristows Legally Speaking! Data protection and information security in EU, India and California – what next?

Sponsored by the London-based law firm Bristows, the webinar is open to C-suite executives, Chief IT officers, in-house counsel, and others whose companies are doing business in California, Britain, the EU, or India.

Date: Tuesday, October 30, 2018
Time: 9:00 AM – 10:00 AM Pacific

No registration fee is required. Register here.

Panelists include:

Robert Bond, Partner and Notary Public at Bristows LLP, London
Salman Waris, Partner at TechLegis Advocates & Solicitors, Delhi
Michael Gold, Partner at Jeffer Mangels Butler & Mitchell LLP, Los Angeles

Topics that will be explored include:

  • Draft data protection law in India
  • California data privacy laws explained
  • Overview of US privacy laws
  • Comparisons with EU laws
  • What else is on the global horizon for data protection?

We invite you to join us for this informative webinar. Register now!

iheartcalifornia-300x138On June 28, 2018, Governor Brown signed the California Consumer Privacy Act of 2018, which goes into effect on January 1, 2020. But – because of certain look-back features in the new law – significant compliance will be required by January 1, 2019.

The Act is enforceable by the California Attorney General and authorizes a civil penalty up to $7,500 per violation.

Observers estimate that about 500,000 companies nationwide will need to comply with the California Consumer Privacy Act. The California Attorney General is expected to aggressively enforce the Act – and it will have the budget to do so. Consumer watchdogs and plaintiffs class-action lawyers will also be on the hunt for violators.


This is a serious law and violations will have serious repercussions for your bottom line and your reputation.


The Act provides many of the same consumer privacy protections as the European Union’s General Data Protection Act (GDPR). JMBM’s Cybersecurity & Privacy Group has counseled dozens of companies on GDPR compliance and is now discussing California’s new law with clients; we are eager to help you assess your own compliance and protect your business from expensive liability and litigation.

Some key points:

What does the Act do?

The new act says that California residents, including minors, who give personal data of almost any kind to a for-profit business, have the right to know how the data is being used, have it deleted, know who the data is being sold to, and object to the sale of their data. In short, California consumers now own their personal information and have a significant measure of control over it. It is important to note that personal data includes almost any data that can identify an individual, not just financial data.

Who is subject to the Act?

The California Consumer Privacy Act applies to any for-profit business that:

  • Does business in the state of California;
  • Collects consumers’ personal information (or is the entity on whose behalf such information is collected) and determines how that information is collected and processed;
  • Meets one or more of the following thresholds: has annual gross revenues in excess of $25 million; buys, receives, sells, or shares the personal information of 50,000 or more consumers, households or devices; or, derives 50% or more of its annual revenue from selling consumers’ personal information. The Act applies to small and mid-sized businesses, not just large companies.

What happens if a company does not comply?

The act is enforceable by the California Attorney General and authorizes a civil penalty up to $7,500 per violation.

In the event of a data breach, California residents will have a private right of action to recover up to $750 per incident, or actual damages. The statute directs courts to consider the nature, seriousness, persistence and willfulness of an incident, the number of violations, the length of time over which the incident occurred, and the violating company’s assets, liabilities and net worth.

Because of the minimum recoverable amount, consumers do not have to prove actual damages, only that there was a violation of the act.

What do you need to do now?  

California businesses will need to take several steps to achieve compliance, including:

  1. Adopt a method for handling consumer requests for personal information.
  2. Develop templates and procedures for responding to consumer requests.
  3. Develop procedures for collecting and processing data.
  4. Identify and document the legal basis for collecting and processing personal information, in order to respond to the consumer’s right to have their information deleted.
  5. Make appropriate changes to public-facing website disclosures, including adding a description of consumers’ rights under the Act, listing the categories of data collected, and including a conspicuous way for consumers to indicate that they do not want their data sold.

 What should you do now?

Contact us to discuss whether this new act applies to you, and how you should prepare for it. This is a serious law and violations will have serious repercussions for your bottom line and your reputation.


Michael Gold
Partner and Co-Chair of the Cybersecurity & Privacy Group
Bob Braun Photo
Robert E. Braun
Partner and Co-Chair of the Cybersecurity & Privacy Group


It didn’t take long.

On June 28, 2018, just more than a month after the EU’s General Data Protection Regulation went into effect, imposing broad obligations and restrictions on any entity collecting personal information of EU citizens and residents, the California legislature has passed AB 375, and the governor has signed, the California Consumer Privacy Act of 2018, providing many of the same protections and sure to upend privacy regulation in the United States.

The Act goes into effect on January 1, 2020, and while it has broad implications that will become more apparent over time, there are some key initial takeaways:

  • The Act applies to all personal information, which is broadly defined, not just information collected electronically or collected directly by a firm. Companies will need to consider all of their data acquisition functions, and conform their practices to the Act.
  • The Act defines “personal information” as “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” Significantly, personal information explicitly includes a real name, alias, postal address, unique personal identifier, online identifier Internet Protocol address, email address, account name, social security number, driver’s license number, passport number, or other similar identifiers.  And, particularly significant in light of this week’s Supreme Court decision, it includes geolocation data.  This is a far-reaching extension of how personal information has been defined in the United States for privacy purposes.
  • The Act would grant a consumer a right to request a business to disclose the categories and specific pieces of personal information that it collects about the consumer, the categories of sources from which that information is collected, the business purposes for collecting or selling the information, and the categories of third parties with which the information is shared.
  • The Act includes a private right of action, allowing consumers to seek damages for certain categories of unauthorized disclosures.
  • Business will be required to make disclosures about the information and the purposes for which it is used.
  • Consumers will have the right to request deletion of personal information and would require the business to delete upon receipt of a verified request.
  • Consumers will have the right to opt out of the sale of personal information by a business, and businesses will be prohibited from discriminating against the consumer for exercising this right, including by charging the consumer who opts out a different price or providing the consumer a different quality of goods or services, except if the difference is reasonably related to value provided by the consumer’s data.
  • The Act will protect California citizens, and apply to any company that has annual gross revenues in excess of $25,000,000, alone or in combination, or annually buys, receives for the business’ commercial purposes, sells, or shares for commercial purposes, alone or in combination, the personal information of 50,000 or more consumers, households, or devices, or derives 50 percent or more of its annual revenues from selling consumers’ personal information. You should note that these tests are in the alternative, and that it will include many smaller companies.

These are only a few of the provisions of the Act, but it is clear that it has the potential of impacting companies throughout the nation.  Just as California’s initial breach notification act, adopted in 2002, radically changed the privacy landscape, the California Consumer Privacy Act of 2018 is likely to have as important an impact.

The authors of the Act recognize that it will require additional clarifying regulation to implement, and the Act itself authorizes the Attorney General to issue opinions on the scope of the Act.

While the ink on the Act is still wet, it seems clear that the Act reflects many of the requirements of the EU’s General Data Protection Regulation, and complying with the GDPR will put companies at a competitive advantage against those who wait.

The JMBM Cybersecurity and Privacy Group has worked with dozens of companies to establish procedures and policies to achieve GDPR compliance.  For additional information, contact Bob Braun (, 310.785.5331) or Mike Gold (, 310.201.3529).


Robert E. Braun is the co-chair of the Cybersecurity and Privacy Law Group at Jeffer Mangels Butler & Mitchell LLP. Bob helps clients to develop and implement privacy and information security policies, negotiate agreements for technologies and data management services, and comply with legal and regulatory requirements. He helps clients to develop and implement data breach response plans, and he and his team respond quickly to clients’ needs when a data breach occurs. Contact Bob at or +1 310.785.5331.

JMBM’s Cybersecurity and Privacy Group counsels clients in a wide variety of industries, including accounting firms, law firms, business management firms and family offices, in matters ranging from development of cybersecurity strategies, creation of data security and privacy policies, responding to data breaches and regulatory inquiries and investigations, and crisis management. The Cybersecurity and Privacy Group uses a focused intake methodology that permits clients to get a reliable sense of their cybersecurity readiness and to determine optimal, client-specific approaches to cybersecurity.

Digital Padlock on Circuit Background - Web Security Concept

California adopted the first data breach notification law in the nation in 2002, and has consistently worked to ensure that its law remains at the forefront of data security laws in the United States.  California burnished this reputation on September 13, 2016, when Governor Jerry Brown signed AB 2828, sponsored by Legislator Ed Chau.  This law amends California’s data breach notification law, Civil Code Section 1798.82, by making significant changes to the reporting requirements for businesses who hold personal information that has been compromised.

Prior to the adoption of AB 2828, California, like most other states, did not require businesses to disclose breaches where “encrypted” information is breached.  AB 2828 will, effective January 1, 2017, require businesses to disclose breaches when encrypted information has been acquired in an unauthorized breach if the encrypted data is leaked together with the encryption key or security credential that “could render that personal information readable or useable.”

Encryption Safe Harbor

The exception for encrypted personal data has been part of California law since its adoption; however, it had a potentially significant flaw:  even if the key to encrypted data was disclosed, making it readable by hackers and other bad players, the business was not obligated to issue a notice to affected individuals.  In other words, even when encrypted information was, in fact, readable, a business was not required to report a breach.  The result was that some individuals whose personal information was disclosed never received notice and could not take steps to protect their financial information or identity.

The Electronic Frontier Foundation, in support of AB 2828, said that “AB 2828 would fill an important gap in California’s current data breach notification law.  A thief might steal an encrypted laptop, along with a note carelessly taped to the device stating the decryption password.  Or a thief might remotely steal encrypted data, and later use social engineering to acquire the security credentials. In these and many other circumstances, wrongdoers will acquire both encrypted personal information and the power to decrypt that information.  In such circumstances, people should be notified that they are at risk of wrongdoers misusing their personal information.”

When AB 2828 becomes effective, that data that has been converted into code so as to be readable only by those who have the encryption key to decode it will be subject to the broad terms of California’s disclosure law.  While AB 2828 patches a potential flaw in the law – encrypted data is no longer protected if one holds the key – it also creates a challenge for many businesses. Continue reading

California, home of many of the world’s largest technology companies, has long been at the forefront of protecting personal electronic information in the United States. California adopted the nation’s first data breach notification law, led the nation in requiring website privacy statements, and actively enforces online privacy. On October 6, 2015 Governor Jerry Brown signed SB 178, the Electronic Communications Privacy Act (CalECPA), taking another step further by requiring California law enforcement agencies to obtain a warrant and notify the subject(s) of the warrant before acquiring electronic information.
Continue reading

Effective January 1, 2014, amendments to the California Online Privacy Protection Act (“CalOPPA”) require all commercial websites and online services that collect personally identifiable information (“PII”) to include additional disclosures in their privacy statements: how the operator responds to browser “Do Not Track” signals or other similar mechanisms; and whether other parties may collect PII about an individual consumer’s online activities over time and across different Web sites when a consumer uses the operator’s site or service.
Continue reading

On September 26, 2013, the California Secretary of State allowed proponents of a new ballot proposition to collect signatures for the “Personal Privacy Protection Act.” The Act, if approved, would radically change the privacy landscape in California by adding new provisions to the California Constitution. Most importantly, the Act (1) requires all “legal persons” that collect personal information to use “all reasonably available means to protect it from unauthorized disclosure” and (2) creates a presumption that a person is harmed whenever his or her personal information is disclosed without authorization.
Continue reading

A vast array of companies are actively entering the mobile application space as a means of gaining market share and solidifying guest relations. The trend is not limited to online service companies; firms as disparate as shopping centers, airlines, and travel agents rely on mobile applications to enhance their business. However, as mobile applications gain popularity, these companies must consider how privacy and security laws will impact how they can use those applications.
Continue reading

Web analytics concept - Multicolor version

On February 10, 2011, the California Supreme Court held in Pineda v. Williams Sonoma that ZIP codes are considered “personal identification information” under the Song-Beverly Credit Card Act, California Civil Code § 1747 et seq. (the “Act”). As previously discussed in our January and March 2009 client alerts, the Act is intended to protect consumer privacy rights by restricting the type of information retailers can request from consumers in connection with credit card transactions. At the same time, the Act also makes it difficult for retailers to collect information from their customers that could help them offer services and goods on a competitive basis.


The Act provides in part that retailers shall NOT do any of the following:

1. Request or require the cardholder to write any personal identification information on the credit card transaction form as a condition to accepting the credit card as payment in full or in part for goods or services.

2. Request or require the cardholder to provide personal identification information, which company personnel writes or otherwise records on the credit card transaction form as a condition to accepting the credit card as payment.

3. Use a credit card form which contains preprinted spaces specifically designated for filling in any personal identification information of the cardholder in any credit card transaction.

See Cal. Civ. Code § 1747.08(a).

Under the Act, personal identification information is “information concerning the cardholder, other than information set forth on the credit card, and including, but not limited to, the cardholder’s address and telephone number.” Id. at § 1747.08(b).

On December 19, 2008, in Party City Corp. v. The Superior Court of San Diego County, the California Court of Appeal held that ZIP codes did not fall within the definition of personal identification information.

This ruling allowed retailers to request ZIP code information prior to a credit card transaction provided that such information is not requested in connection with other personal information (i.e., name, phone number, address, etc.), and the customer is not required to give this information in order to consummate the transaction.

The trial court in Pineda applied Party City’s logic, and concluded that a ZIP code, without more, did not constitute personal identification information. The Court of Appeal affirmed the trial court’s decision in all respects, in large part because a ZIP code pertains to a group of individuals, unlike an address or telephone number that is “specific in nature regarding an individual.”

The California Supreme Court, however, rejected this reasoning and relied on the Act’s protective purpose and expansive language by holding that the word “address” should be construed as “encompassing not only a complete address, but also its components.” The court expressed misgivings  about Williams-Sonoma’s “reverse append” practices and the potential for retailers to circumvent the Act by collecting indirectly what they cannot legally collect directly. In reversing Party City, the Supreme Court pointed out that Williams-Sonoma had the following intention by requesting plaintiff’s ZIP code:

“[Williams-Sonoma] subsequently used customized computer software to perform reverse searches from databases that contain millions of names, e-mail addresses, telephone numbers, and street addresses, and that are indexed in a manner resembling a reverse telephone book. The software matched plaintiff’s name and ZIP code with plaintiff’s previously undisclosed address, giving defendant the information, which [Williams-Sonoma] now maintains in its database. [Williams-Sonoma] uses its database to market products to customers and also sell the information it has compiled to other businesses.”

Although the Supreme Court may have had this particular fact-pattern in mind in overturning Party City, the Court’s language does not appear to be limited to collecting and using ZIP codes to perform such reverse appends. Rather, the decision broadly states that “[i]n light of the statute’s plain language, protective purpose, and legislative history, we conclude that a ZIP code constitutes ‘personal identification information’ as that phrase is used in section 1747.08.”

Penalties for Violation

The penalties for violating the Act can be significant, and can include a civil penalty not to exceed two hundred fifty dollars ($250) for the first violation and one thousand dollars ($1,000) for each subsequent violation. The fines can be assessed and collected in a civil action by the Attorney General, or by the district attorney or city attorney of the county or city in which the violation occurred. In addition, more than a dozen national retail chains operating in California have been hit with lawsuits since the Pineda decision, setting off a flurry of litigation with most of the lawsuits being filed in San Francisco or Los Angeles courts.

Future Questions

One potential question that Pineda raises is whether ZIP codes are the end of the line or whether other “non-traditional” forms of personal identification information, such as emails and/or IP addresses could be treated as personal identification information for purposes of the Act. In light of the court’s decision in Pineda, it seems possible that plaintiff and consumer advocacy groups may wish to revisit the Symantec holding (discussed in our March 2009 Client Alert) in order to try to eliminate the “online” vs. “offline” distinction between retailers.

Suggested Actions

JMBM represents many retailers, and we strongly recommend that our clients implement written policies and procedures that comply with the aforementioned requirements of the Act. We would be happy to assist you if you require additional information on these recent developments, the Act or preparing policies and procedures.

Robert E. Braun is the co-chair of the Cybersecurity and Privacy Law Group at Jeffer Mangels Butler & Mitchell LLP. Bob helps clients to develop and implement privacy and information security policies, negotiate agreements for technologies and data management services, and comply with legal and regulatory requirements. He helps clients to develop and implement data breach response plans, and he and his team respond quickly to clients’ needs when a data breach occurs. Contact Bob at or +1 310.785.5331.