The reach of the California Consumer Privacy Act (CCPA)

How CCPA is changing the U.S. privacy landscape


The regulatory landscape for privacy in the United States continues to evolve.  California’s new law may well have inspired legislators in other states to introduce bills to protect consumer data, although not necessarily in identical fashion.

Several states as of the time of publishing have recently introduced legislation similar to the CCPA where consumers are allowed access to the data business holds for them.  The alert is intended to provide a high-level overview of several emerging regulations.  If the legislation is enacted, it may contain different or additional provisions from those contained in its present form. Here are some highlights from recently introduced legislation in Massachusetts and New York.


S 120

  • Requires notification to consumers of information collected, purpose for use, third party disclosure (including purpose for disclosure)
  • Includes Right of Access, Right of Deletion, and Right to Opt out of Third-Party Disclosure.
  • Customer Access Request Timeline 45 days.
  • A consumer can receive damages in an amount not greater than $750 per consumer per incident or actual damages, whichever is greater. There is also a civil penalty not exceeding $2,500 for each violation or not exceeding $7,500 for each intentional violation.

New York

S 00224

  • Requires notification via the privacy party of consumer’s rights if the business retains customer’s personal information or discloses personal information to a third party; also allows notice before or immediately following disclosure of personal information to third parties.
  • Right of Access, cited as the “Right to Know”.
  • Customer Access Request Timeline is 30 days.
  • This act is stated to take effect immediately. There is no information provided about private right of action or civil penalty; however, it amends the general business law.