Practice Areas · Data Privacy · MMXXVI

Data privacy: CCPA, GDPR, DIFC.

Navigate global data privacy obligations — from California to the EU to the Dubai International Financial Centre — with compliance support tailored to your business.


§ I — Practice

De Privacitate: Global Data Privacy Compliance.

Data privacy regulation now spans multiple jurisdictions — California's CCPA/CPRA, the EU's GDPR, and Dubai's DIFC Data Protection Law each impose distinct obligations on businesses handling personal information. We help companies of all sizes map their compliance obligations across these regimes, implement workable programs, and stay ahead of enforcement. We guide you through data mapping, privacy-policy updates, consumer-rights request processes, vendor management, and cross-border data-transfer mechanisms.

Beyond mere compliance, we help build privacy programs that create competitive advantage and customer trust: privacy-by-design principles, data-governance frameworks, team training, and preparation for regulatory inquiries or enforcement actions. Whether you're a startup handling data for the first time, an established company expanding into California or EU markets, or a business operating in the DIFC, we provide practical privacy counsel tailored to your business model and risk profile.

§ II — Requirements

CCPA / CPRA Compliance Checklist & Cross-Jurisdictional Notes.

Understanding your CCPA obligations starts with determining if the law applies to your business. CCPA applies to for-profit entities doing business in California that meet specific thresholds: annual gross revenues exceeding $25M, buying/selling personal information of 100,000+ consumers or households, or deriving 50%+ of annual revenue from selling personal information.

Essential Compliance Checklist

  • Privacy-policy updates: clear disclosures about data collection practices, categories of personal information collected, sources, business purposes, and third-party sharing.
  • Consumer-rights infrastructure: processes to handle requests to know, delete, and opt out of data sales (and now sharing under CPRA).
  • Vendor contracts: update service-provider agreements to include CCPA-compliant data-processing terms and restrictions.
  • Employee training: staff who handle consumer requests must understand CCPA requirements and response procedures.
  • Data mapping: document data flows, retention periods, and security measures to respond accurately to consumer requests.
  • Website notices: required notices at collection points and "Do Not Sell My Personal Information" links where applicable.

CPRA, in effect since January 2023, expanded these requirements significantly: sensitive-personal-information protections, data-minimization requirements, establishment of the California Privacy Protection Agency with enforcement authority, and enhanced penalties for violations involving minors' data.
