The CCPA: California’s Follow-up to the GDPR

Following the enactment of the European Union’s GDPR, California has passed the California Consumer Privacy Act of 2018 (CCPA) that will go into effect January 1, 2020. The CCPA is intended to protect California residents’ personal information, which is defined as any information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household. This includes identifiers such as name or email address, commercial information, personal property records or purchase history, biometric information, search history, professional information and educational information. However, the CCPA does not apply to information already regulated under HIPAA, the Graham-Leach Bliley Act, the FCRA, or the Drivers’ Privacy Protection Act.

The CCPA applies to companies that:

  • Conduct business in California
  • Collect the personal information of California residents
  • Satisfy at least one of the following:
    • Produce annual gross revenues in excess of $25,000,000
    • Buy, receive, sell, share, or a combination thereof, the personal information of 50,000 or more consumers, households, or devices for commercial purposes
    • Obtain 50% or more of their annual revenue from selling, releasing, or renting consumer personal information to a third party for monetary consideration

Under the CCPA, California residents will know what information companies are collecting about them, why the data is being collected, and with whom they are sharing the data.  California residents will have the power to demand that their data is deleted and not stored, and that their data cannot be sold or shared with any third parties.  Further, California residents can opt out a company’s terms of service without losing access to its offerings.  The CCPA also restricts companies from selling the data of anyone under the age of 16 without explicit consent.

Farrow-Gillespie Heath Witter

Illustration by legal assistant Charles Jackson

To hold companies accountable for consumer data, California residents will be able to sue companies subject to the CCPA for up to $750 for each data breach violation. In addition, the California attorney general can sue for $7,500 for each intentional violation of privacy.

The CCPA also requires the expansion of privacy disclosures that companies provide when collecting or using consumers’ personal information.  The disclosures must include a description of the rights California residents have about their personal information, how they can exercise such rights, as well as information on how the companies will collect, use, and share their data.  In addition, the company must provide a link to a “Do Not Sell My Personal Information” page that allow consumers to opt-out and is accessible on all relevant platforms.

For companies that are subject to CCPA, more requirements may be coming, as the law gives the California Attorney General the authority to implement new regulations.  If you believe you are subject to the CCPA, consult an attorney familiar with data privacy to ensure compliance.

For full documentation of the CCPA, please visit the website of the California legislature.


Tahlia Grassie | Farrow-Gillespie & Heath LLP | Dallas, TXTahlia Clement is a clerk at FGHW. Ms. Clement is a 2019 candidate for a Juris Doctor at SMU Dedman School of Law, where she is the Editor-in-Chief for SMU’s Science and Technology Law Review. She holds a B.A. in journalism and mass communications from Arizona State University.

How the EU’s New Privacy Law Affects You

The General Data Protection Regulation (GDPR)

The General Data Protection Regulation (GDPR) is the European Union’s (EU) new privacy law set to go into effect on May 25, 2018. For the EU’s single market countries, the GDPR establishes protection for the privacy and security of an individuals’ personal data. However, because of extraterritorial jurisdiction, United States (US) organizations accessing and using EU citizen information could be subjected to the GDPR.

Controller vs. Processor

The GDPR has direct extraterritorial reach of a “controller” or “processor” organization located outside the European Union if the organization offers goods or services, even for free, to individuals in the EU. As defined by the GDPR, a “controller” is an organization that determines the purpose and means of processing information. A “processor” organization processes personal data on behalf of the controller under the controller’s instruction. For example, a bank (controller) collects the data of its clients when they open an account, but it is another organization (processor) that stores, digitizes, and catalogs all the information produced by the bank.

GDPR Website Regulations

An organization using a website to offer goods and services to EU individuals also falls under GDPR regulations. These websites can be identified by their use of language, the ability to order goods and services in the currency of one or more EU member states, and the acknowledgment of consumers who live in the EU. Therefore, an English-language website marketed to US consumers or US business-to-business transactions in terms of American dollars only would not be subjected to the GDPR.

A website can circumvent the GDPR by avoiding the collection of “identifiable” personal information of EU citizens. Identifiable information is information that can be used to identify any individual, directly or indirectly, by reference to an identifier such as a name, an identification number, location data, an online identifier, or two one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that individual. Therefore, a website needs to have access to more than an individual’s email address. Websites often collect identifiable information through the use of cookies and/or sign-up forms. If an organization’s website uses cookies to collect information from an EU citizen, even if the organization is not doing anything with the information, the organization will be subject to the GDPR.

There are still many questions on how the EU will enforce actions against US organizations that do not follow the GDPR requirements, but it is important that you review by May 25th all aspects of your organization’s physical and digital data processing if you are accessing EU citizen information.

Scott Chase | Farrow-Gillespie & Heath LLP | Health LawAuthor Scott Chase is a health law and corporate attorney at Farrow-Gillespie & Heath.  Scott has been named to the lists of Best Lawyers in America, Texas Super Lawyers, and Best Lawyers in Dallas in every year for more than a decade.


Tahlia Grassie | Farrow-Gillespie & Heath LLP | Dallas, TXCo-author Tahlia Clement is an intern at Farrow-Gillespie & Heath LLP.  A second-year law student, she currently serves as Editor in Chief of the SMU Dedman School of Law’s Science and Technology Law Review.

A big phish is in the Water – BEC

That flowery email from a Nigerian Prince who can’t spell has been supplanted by a far more dangerous phish — the Business Email Compromise (“BEC”). According to the FBI, in the past two years over 8,000 businesses, small and large, have been victimized by BEC attacks for combined losses of over $1.2 billion.

What is BEC? BEC is a sophisticated hack in which a scammer (usually impersonating the boss) instructs an employee to send money or sensitive data to what appears to be a vendor or other plausible business recipient. In some cases, the hacker infiltrates the company’s email system and sends the email from a recognized address. In others, the email address has only a minor difference. BEC hackers also research social media and company websites to mimic communication styles and to reference actual company matters.

The best defense against BEC is solid HR training: require in-person confirmation of payment requests; educate personnel in cyber-security; and train employees never to deviate from normal checks and controls.

Farrow-Gillespie & Heath LLP provides employment law training and HR counseling for cyber-related issues, along with insurance policy review for coverage related to cyber attacks.