GDPR/CCPA

Privacy and Data Security

GDPR and CCPA compliance counsel that turns two overlapping privacy regimes into one workable program covering consumer rights, cross-border transfers, opt-outs, and how to answer when a regulator comes knocking.

GDPR and CCPA pull in similar directions but use different words, deadlines, and definitions, and most companies are stuck following both at once. We help you build a privacy program that satisfies European and California rules together, so you are not running two parallel compliance machines or guessing which standard applies to a given user.

GDPR Compliance Work

We pin down your lawful basis for each processing activity, then build the rest on top: data subject access, deletion, and portability workflows that actually run; cross-border transfer mechanisms like standard contractual clauses; data protection impact assessments for higher-risk processing; and support for your DPO. The goal is a program that holds up under scrutiny, not a binder that sits on a shelf until something goes wrong.

CCPA and CPRA

California privacy law keeps expanding, and the CPRA added sensitive data rules, a dedicated agency, and tighter expectations. We translate those requirements into concrete steps: consumer rights intake, do-not-sell and do-not-share opt-out mechanics, clear privacy notices, and service provider contract terms that keep your vendors inside the lines. You get language and processes that map to what the statute actually demands.

One Harmonized Program

When both laws apply, running them separately wastes money and creates contradictions. We find where the two frameworks overlap and design a single set of policies, request workflows, and recordkeeping that meets the stricter standard once instead of twice. Where the laws genuinely diverge, we flag it and build a clean path for each, so your team knows exactly what to do without re-reading the regulations every time.

Regulator and Complaint Response

When a complaint, inquiry, or enforcement action lands, you want someone who can answer fast and accurately. We manage regulator communications, assemble the documentation that supports your position, and steer investigations toward resolution. Because we built the program, we already know where your records live and can show that your compliance work was real rather than improvised after the fact.

Frequently asked questions

It can. GDPR reaches you if you offer goods or services to people in the EU or monitor their behavior, such as tracking EU website visitors, even with no establishment or staff there. Having no EU presence doesn't exempt you. The question is whether you're targeting or tracking people in the EU, not where your company sits.

No. GDPR requires a lawful basis for processing, and consent is only one of six. The others are performance of a contract, a legal obligation, vital interests, a public task, and legitimate interests. For a lot of ordinary business processing, contract necessity or legitimate interests is a better fit than consent, which you then have to be able to prove and let people withdraw.

California consumers can know what personal information you collect and how you use it, request deletion of their data, and opt out of the sale or sharing of it, and you can't discriminate against them for exercising these rights. The CPRA amendments added a right to correct inaccurate information. You need a process to receive and honor each of these.

They're not separate laws; the CPRA amended and expanded the CCPA. It added a correction right, special rules for sensitive personal information, purpose-limitation and data-minimization requirements, and it created the California Privacy Protection Agency as a dedicated enforcer. In short, CPRA is the current, beefed-up version of the CCPA.

Transfers of personal data outside the EU/EEA need a valid mechanism: an adequacy decision for the destination country, Standard Contractual Clauses, Binding Corporate Rules, or another approved route, and often a transfer impact assessment on top. This area keeps shifting as frameworks get challenged and replaced, so a mechanism that worked a couple of years ago may need refreshing. Reassess your transfers periodically.

GDPR fines can reach up to 20 million euros or 4% of worldwide annual revenue, whichever is higher, for the most serious violations. Under the CCPA, civil penalties run up to $7,500 per intentional violation, and consumers have a private right of action for certain data breaches. The revenue-based GDPR cap is what makes large companies pay attention.


Let's talk about your GDPR/CCPA needs.

Get in touch