Mackall, Crounse & Moore, PLC has joined Dewitt Ross & Stevens S.C.

The newly formed DeWitt Mackall Crounse & Moore S.C. will provide clients with enhanced legal services
and efficiencies as well as access to more than 100 attorneys practicing in nearly 30 areas of
law in Wisconsin and Minnesota.

Dismiss this message


News & Education

Back to Business Law Articles

Filter by:

Consumer Data Protection And You – Understanding The Requirements Of The California Consumer Privacy Act

The General Data Protection Regulation (GDPR) law passed in 2018 by the European Union aimed to help protect consumer data. The law requires that all companies that collect data on citizens of the European Union must comply with a new set of rules that levy strict standards for the collection of consumer data. The effects of this law reach well beyond Europe as many businesses and organizations here in the US attract web traffic from European Union citizens. Many companies have had to adjust their privacy policies, terms & conditions, and data collection practices to accommodate the new law.

In fact, the far-reaching effects of GDPR have led to additional data protection laws right here in the United States. Recently, California passed the California Consumer Privacy Act.

What Is The California Consumer Privacy Act (CCPA)?

As you may be aware, the California Attorney General will begin enforcing the California Consumer Privacy Act of 2018 (“CCPA”) on July 1, 2020.  Proposed Regulations for enforcing the CCPA were recently published by Attorney General Beccera.  The CCPA applies to the personal information of California residents.  Following is a high-level summary of the CCPA and the rights and obligations it creates.

What Is Personal Information?

Personal Information is very broadly defined in the CCPA to include “information that identifies, relates to, describes, is reasonably capable of being associated with, or could be reasonably linked, directly or indirectly, with a particular consumer or household.”  Note that this broad definition covers information that does not actually include the name of an individual, but that can still be used to identify a person or household.  Items included in the definition are pieces of data like online identifiers, internet protocol (“IP”) addresses, email addresses, social security numbers, browsing history from a computer, and geolocation data.  The “personal information” covered by the CCPA is likely much broader than most people expect.  For the remainder of this article, we’ll use “PI” for “personal information” of a California resident. 

Does The CCPA Apply To My Business?

At the outset, your organization should assess whether the CCPA is applicable.  The CCPA applies to any business collecting PI that (a) has gross revenues in excess of $25 million; (b) annually (i.e., during a twelve (12) month span) buys, sells, or collects PI of 50,000 or more consumers, households, or devices; or (c) derives fifty percent (50%) of its annual revenue from sharing PI.  Parent companies and subsidiaries using the same branding are also covered by the CCPA even if these parents or subsidiaries standing alone do not exceed these thresholds.  Sub-part (b) can sneak up on businesses because this threshold can be met if a business’s website averages more than 137 visits per day by California residents within a year.

The CCPA does not apply to businesses that do not collect PI, but businesses should be aware of the very broad definition of PI in the CCPA summary above.

The CCPA also does not apply to certain entities such as (1) non-profit businesses that do not operate for “profit or financial benefit;” (2) financial institutions subject to regulation under the Gramm-Leach-Blilely Act; (3) consumer reporting agencies subject to the Fair Credit Reporting Act; and (3) health care providers subject to the Health Insurance Portability and Accountability Act (“HIPPA”).  Entities should be very careful when making the determination of whether the CCPA applies to its operations.

What Does The CCPA Require? 

The CCPA imposes new obligations upon businesses that meet the thresholds discussed above.  Following is brief overview of these new obligations:

Privacy Notice.  A business must publish a privacy policy that (1) explains how the business uses and processes the collected PI; (2) notifies individuals about a right to access information held about the individual; (3) notifies individuals about a right to have their information deleted; (4) includes a “do not sell my personal information” on websites and privacy notices; (5) describes the information shared with service providers; and (6) describes the types of entities with whom information is shared. 

Right To Know.  A business must provide any California resident that submits a “verifiable request” with access to the PI collected about that individual, including disclosures about how the business has used and disclosed that PI during the preceding year.

Right Of Deletion.  A business must fulfill the request of California residents that submit “verifiable requests” to have the resident’s PI deleted (subject to some exceptions);

Opt-Out Of Sale.  A business must allow California residents to opt-out of the sale to third parties of the resident’s PI and honor this request for at least one year.

Recordkeeping, Timing, & Training.  A business must comply with various recordkeeping and training requirements.  In addition, consumer requests must be processed within certain timelines and privacy policies must be published in multiple languages and made accessible to people with disabilities.

Service Provider Requirements.  Businesses must ensure they have certain contractual controls in place with their service providers regarding the handling of PI.

Nondiscrimination.  Businesses are prohibited from discriminating against individuals that exercise their CCPA rights.  In addition, businesses must make certain disclosures in connection with loyalty or other incentive programs that involve financial incentives

Data Security.  Businesses are also required to implement “reasonable security procedures and practices” to protect PI from being breached.  The CCPA permits individuals to file lawsuits if a data breach occurs because the business failed to implement reasonable security.  These individuals can recover liquidated statutory damages of between $100 and $750 per consumer per incident. 


The California Attorney General has authority to enforce the CCPA and assess penalties of up to $7,500 per violation.  There is a thirty (30) day cure period after an entity receives notices of a violation.

What Should Service Providers Do?

In order to qualify as a “Service Provider” under the CCPA, an entity must process PI “on behalf of a business.”  Additionally, the entity (i.e., vendor) must be bound by a written contract with its customer that prohibits the vendor from:

  • Retaining the PI “for any purpose other than for the specific purpose of performing the services specified in the contract . . . or as otherwise permitted by this title;”
  • Using the PI “for any purpose other than for the specific purpose of performing the services specified in the contract . . . or as otherwise permitted by this title;” or
  • Disclosing the PI “for any purpose other than for the specific purpose of performing the services specified in the contract . . . or as otherwise permitted by this title.”

How Do I Make My Website Compliant?

If the CCPA applies to your business, there are a few key things you will want to implement to ensure your website is compliant.

  • Document Personal Information Collection You will need to create complete documentation of all personal information collected through your website. This should include details regarding what personal information is collected, how it is collected (forms, cookies, etc.) and where is it stored (database, third party, email, etc.). You should also document who has access to this information (e.g., third parties).
  • Create a Cookie Policy & Cookie Notice You should identify all site cookies being generated, as these cookies very likely collect or disclose personal information.  A cookie policy disclosure is already required per the California Online Protection Action (CALOPA).
  • Create a Privacy Policy & Privacy Notice A user notice is required at each point of data collection. The notice must provide a link to the full Privacy Policy for users to reference.
  • Create a Do Not Sell My Personal Information Opt-Out If PI is sold to third parties, a “do not sell my personal information” link (preferably a banner) should be prominently displayed on the homepage.If you are not selling personal information, this opt-out link is not necessary.

Hire Experts To Ensure Compliancy

Do not risk tackling this complex subject matter on your own. Instead, work with an attorney that has expertise in online privacy and with a marketing agency experienced in web development.

As always, we are happy to assist and answer any of your CCPA compliancy questions.

About The Authors

Joe Miotke is a licensed patent attorney and Partner at DeWitt LLP, one of Wisconsin’s largest law firms.  His intellectual property practice includes counseling clients on data security and online privacy matters.  He is a frequent speaker and instructor on intellectual property matters throughout the United States and Canada.  He earned his B.S. in Civil Engineering from Marquette University and graduated Magna Cum Laude from Marquette University Law School.  You can reach Joe at

Matt Koeppel
is an experienced web developer and owner at Ocreative, an integrated marketing agency located just west of Milwaukee, WI. With over 17 years of experience, Matt has been involved in the development and launch of hundreds of websites for clients spanning several industries and serving both local and international customers. He earned his B.S. in Multimedia Design from UW Stout with a minor in Business Administration. You can reach Matt at


A great feature of this article (and others available on our website) is that it is timely; you get up-to-date information on the law as it exists at the time.  The downside is that the law changes, but our older articles do not.  This means we cannot guarantee you are getting the most current law when reading through past entries.

Please use this article for informational purposes only. Before taking action, please contact Ocreative or DeWitt LLP for specific and pointed advice for your particular situation.  Note that contacting us does not create an attorney-client relationship unless you are accepted as a client of the firm.


Our Locations

We are currently limiting the amount of outside visitors to the firm.  

Please work directly with your attorney who will coordinate any onsite visits to ensure the safety of our clients and colleagues.


2 East Mifflin Street, Suite 600
Madison, WI 53703
(608) 255-8891
Get Directions

Greater Milwaukee

13845 Bishop’s Drive, Suite 300
Brookfield, WI 53005
(262) 754-2840
Get Directions


2100 AT&T Tower,
901 Marquette Avenue
Minneapolis, MN 55402
(612) 305-1400
Get Directions

Get to know us

DeWitt LLP is one of the ten largest law firms based in Wisconsin, with an additional presence in Minnesota. It has nearly 140 attorneys practicing in Madison, Metropolitan Milwaukee and Minneapolis in over 30 legal practice areas, and has the experience to service clients of all scopes and sizes.

Our People
Our Law Firm
Areas of Expertise
News & Education
Contact Us


We are an active and proud member of Lexwork International, an association of mid-sized independent law firms in major cities located throughout the Americas, Europe and Asia and an active member of SCG Legal, an association of more than 140 independent law firms serving businesses in all 50 state capitals and major commercial centers around the world.


Super Lawyers 2020
Best Lawyers 2013 – 2020
Compass Award 2012
Top 100 Lawyers: National Trial Lawyers Association Best in 2020


While we would like to hear from you, we cannot represent you until we know that doing so will not create a conflict of interest. Accordingly, please do not send us any information about any matter that may involve you until you receive a written statement from us that we represent you (an “engagement letter”). You will not be a client of the firm until you receive such an engagement letter.

The best way for you to initiate a possible representation is to call DeWitt LLP at 608-255-8891. We will make every effort to put you in touch with a lawyer suited to handle your matter. When you receive an engagement letter from one of our lawyers, you will be our client and we may exchange information freely.

Please click the “OK” button if you understand and accept the foregoing statement and wish to proceed.