Data Privacy & Compliance (CCPA, GDPR)
“Privacy compliance isn’t a box you check once. It’s an ongoing discipline that touches every part of a technology company — product design, vendor management, customer contracts, and incident response. I help companies build that discipline into their operations, not just their legal filings.”
— John Montague, Esq.
Data privacy has become one of the most significant areas of legal risk and compliance obligation for technology companies operating in the United States and globally. John Montague, Esq. advises technology companies, SaaS providers, and data-driven businesses on compliance with the patchwork of federal, state, and international privacy regulations that govern the collection, use, storage, and sharing of personal data. With over 15 years of technology transactions experience and an accounting degree from Stetson University that sharpens his analytical approach to compliance frameworks, John provides practical, business-oriented privacy counsel from his offices in Fernandina Beach and Coral Gables (Miami), Florida.
Unlike law firms that treat privacy as a standalone compliance exercise, John Montague, Esq. integrates privacy counsel into the broader technology transactions practice. Privacy provisions are embedded in every SaaS agreement, licensing deal, M&A transaction, and vendor contract he handles — because that’s where privacy obligations live in practice. As a Visiting Professor of Entrepreneurial Law at the University of Florida College of Business, he also educates the next generation of founders on building privacy-compliant businesses from the ground up.
What I Handle
CCPA/CPRA Compliance Programs. I help technology companies build and maintain compliance programs under the California Consumer Privacy Act as amended by the California Privacy Rights Act (CPRA). This includes drafting and updating privacy policies, implementing consumer rights request workflows (access, deletion, correction, opt-out), establishing data inventory and mapping processes, negotiating service provider and contractor agreements with required contractual provisions, and advising on the CPRA’s expanded obligations around sensitive personal information, automated decision-making, and data minimization.
GDPR Compliance and Cross-Border Data Transfers. For companies processing personal data of EU residents — including many US-based SaaS companies with international customers — I advise on GDPR compliance obligations, including lawful basis for processing, data protection impact assessments (DPIAs), data processing agreements under Article 28, and cross-border data transfer mechanisms. Following the invalidation of the Privacy Shield in Schrems II and the subsequent EU-US Data Privacy Framework, I help companies evaluate and implement compliant transfer mechanisms including Standard Contractual Clauses (SCCs) with required supplementary measures.
State Privacy Law Compliance. Beyond California, a growing number of states have enacted comprehensive privacy legislation — including Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), Utah (UCPA), Texas (TDPSA), Oregon, Montana, and others. I help companies develop scalable compliance strategies that address the varying requirements across state privacy laws, including differences in consumer rights, opt-out mechanisms, data protection assessments, and enforcement provisions.
Privacy by Design in Product Development. The most cost-effective privacy compliance happens at the product design stage. I work with product and engineering teams to implement privacy by design principles — data minimization, purpose limitation, consent management, and technical safeguards — into product architecture and user flows. This reduces compliance costs, minimizes legal risk, and creates competitive advantages with privacy-conscious customers.
Data Breach Response and Notification. When a data breach occurs, legal obligations are triggered immediately. I advise companies on breach response — from initial assessment and containment through notification obligations under applicable state breach notification laws (all 50 states have them), HIPAA breach notification rules where applicable, GDPR’s 72-hour notification requirement, and contractual notification obligations to customers and business partners. I also help companies develop incident response plans before breaches occur.
The Privacy Regulatory Landscape
The US privacy regulatory framework continues to expand. At the federal level, the FTC exercises enforcement authority over unfair or deceptive data practices under Section 5 of the FTC Act, and has brought enforcement actions against companies for privacy policy misrepresentations, inadequate data security, and violations of the Children’s Online Privacy Protection Act (COPPA). Sector-specific federal laws — HIPAA for health information, GLBA for financial data, FERPA for educational records — impose additional obligations on companies handling regulated categories of personal data.
The CCPA/CPRA represents the most comprehensive state privacy regime, granting California residents rights to know what personal information is collected, to delete personal information, to opt out of the sale or sharing of personal information, to correct inaccurate information, and to limit the use of sensitive personal information. The CPRA also established the California Privacy Protection Agency (CPPA) as the first dedicated state privacy enforcement agency. Violations carry statutory penalties of up to $2,500 per violation (or $7,500 for intentional violations), and the private right of action for data breaches under Civil Code Section 1798.150 creates additional exposure.
Internationally, the GDPR remains the gold standard for comprehensive privacy regulation, with maximum fines of 4% of annual global turnover or €20 million, whichever is greater. The regulation’s extraterritorial reach means US companies that offer goods or services to EU residents or monitor their behavior are subject to compliance obligations regardless of whether they have a physical presence in the EU. John Montague, Esq. helps companies assess their GDPR obligations and implement proportionate compliance measures.
John’s Tip
Start with a data map. Before you can comply with any privacy law, you need to know what personal data you collect, where it flows, who has access, and how long you retain it. I’m consistently surprised by how many technology companies — even sophisticated ones — can’t answer these basic questions. A thorough data mapping exercise is the foundation of every effective privacy compliance program, and it often reveals data practices that need to change regardless of what the law requires.
Frequently Asked Questions
Does my company need to comply with GDPR if we’re based in the US?
If your company offers goods or services to individuals in the EU (even for free) or monitors their behavior (such as through website analytics or ad targeting), you are likely subject to GDPR obligations. Many US SaaS companies with international customer bases are subject to GDPR without realizing it. John Montague, Esq. helps companies assess their GDPR exposure and implement proportionate compliance measures.
What is the difference between a “service provider” and a “third party” under the CCPA?
Under the CCPA/CPRA, a service provider processes personal information on behalf of a business pursuant to a written contract that restricts the service provider’s use of the data. A third party is anyone who receives personal information for their own commercial purposes. The distinction matters enormously — sharing data with a third party triggers opt-out rights, while providing data to a service provider under a compliant contract generally does not. Getting this classification right in your vendor agreements is critical.
How do I handle data subject access requests efficiently?
Efficiency requires three things: (1) an identity verification process to confirm the requestor’s identity before disclosing any personal information, (2) a reliable data inventory so you can locate all personal information associated with the requestor across your systems, and (3) a documented workflow with assigned responsibilities and timelines that ensures you meet the statutory response deadlines (typically 45 days under CCPA, 30 days under GDPR). Automated tools can help at scale, but the legal framework and processes need to be in place first.
About John Montague, Esq.
John Montague, Esq. advises technology companies on data privacy compliance, integrating privacy counsel into SaaS agreements, M&A transactions, and vendor contracts. He holds a J.D. from the University of Florida Fredric G. Levin College of Law and an accounting degree from Stetson University. John serves as a Visiting Professor of Entrepreneurial Law at the University of Florida College of Business and maintains offices in Fernandina Beach and Coral Gables (Miami), Florida.