On June 28, California Gov. Jerry Brown signed AB 375, otherwise known as the California Consumer Privacy Act of 2018, into law.

The bill was rushed through the California Legislature to head off a more stringent law that was already slated to be on the ballot in November.

What does the CCPA do?

The CCPA is a consumer privacy law, modeled to a certain extent on the European Union's recently passed General Data Protection Regulation. It establishes requirements for certain companies with respect to how they collect, store and manage private user data. It also provides California consumers with specific rights with respect to their private data.

The CCPA provides for a $7,500 penalty per violation, which can be enforced by the California attorney general. It also includes a private right of action for certain violations and data breaches.

What information is considered personal information and subject to the CCPA?

The term “personal information” is defined very broadly. According to Blaine C. Kimrey, writing for The National Law Review, it includes:

“[I]nformation that identifies, relates to, describes, is capable of being associated with, or could be reasonably linked, directly or indirectly, with a particular consumer or household. This arguably covers information like IP addresses, email addresses, geolocation data and employment information that typically is not ‘personal information’ under American privacy law.”

Is your law firm subject to the CCPA?

The CCPA only applies to for-profit companies (including law firms) doing business in California. It is primarily intended to apply to large tech companies such as Google and Facebook Inc. as well as any other large business that meets one of the following three criteria:

  1. Annual gross revenue in excess of $25 million.
  2. Annually processes the personal information of 50,000 or more California residents, households or devices.
  3. Derives at least half of its gross revenue from the sale of personal information of California residents.

The vast majority of law firms will not meet any of these three criteria even if they are doing business in California. If that is your situation, you don't have to worry about the CCPA—at least today.

The starting point for determining whether this applies to your firm is whether you do business in California. If you have a California office, if one of the firm's attorneys is licensed in California or if you have any California clients, you should assume that the CCPA might apply. In that case, you have to determine whether you meet any of the three criteria.

I doubt any law firm would satisfy the third criterion (50 percent of revenue derived from the sale of personal information). Few law firms process personal information on 50,000 people each year, let alone 50,000 California residents, so most likely that won't apply. That leaves the first of the three criteria: annual revenue in excess of $25 million.

If you are doing business in California (see above) and your firm's revenue exceeds $25 million per year, you must comply with the CCPA.

What steps should my law firm take to comply with the CCPA?

Assuming that your law firm is covered by the CCPA, the good news is that you have until Jan. 1, 2020, to comply. More good news is that your law firm website marketing company probably implemented website changes to ensure compliance with the GDPR. A similar technological solution will probably work for the CCPA.

Unfortunately, however, a technological solution isn't enough. Your firm will also need to establish procedures to ensure compliance. For example, under the CCPA, a consumer may request deletion of their personal information as well as prohibit your firm from selling that information to a third party. If you are subject to the CCPA, your firm must establish and implement a process to handle those requests.

The CCPA may be good news for litigators.

The CCPA was rushed through the Legislature in order to prevent a more stringent law from being submitted to California voters in November. Any time you rush legislation, you are likely to overlook significant problems, not to mention drafting errors that probably will crop up and result in legal challenges. We expect that the big tech companies like Google and Facebook will challenge the CCPA, and the rushed legislative process may make it ripe for challenge.

Assuming the law holds up as written, litigators may also benefit because it does provide for a private right of action by consumers whose personal information is stolen or disclosed without authorization. Plaintiff attorneys may find this to be a gold mine. And defense attorneys should be happy too because they will be able to defend claims brought by consumers as well as the enforcement actions brought by the California attorney general.

Where is all this headed?

Given the extreme focus on personal data privacy following the Facebook-Cambridge Analytica disclosures as well as all of the reported incidents of data security breaches by hackers attacking large corporations and governmental agencies, it is not hard to imagine that the CCPA is just a precursor to similar consumer protection legislation in other states. In some cases, the laws may be even more restrictive and may cover more businesses (including law firms) than the CCPA.

Dan Goldstein is an attorney. He is the president and owner of Page 1 Solutions. Page 1 Solutions is a full-service digital marketing agency serving attorneys, dentists and doctors in the United States and throughout North America.