Ropes & Gray has an experienced team of attorneys focused on assessing CCPA developments for clients worldwide. We stand ready to help organizations understand the CCPA’s key implications, develop a compliance plan, and be ready for data breach litigation. Our diverse team brings decades of experience with privacy compliance programs across a wide range of sectors, including financial services, asset management, technology, retail, consumer products, health care and life sciences, manufacturing, food and beverage, media, and energy.
Download our brochure for more information on how we can partner with you on each step of your CCPA compliance roadmap.
Read a summary of pending CCPA amendments.
- New York Updates Privacy Laws (August 26, 2019)
- Ninth Circuit Affirms Ruling that Plaintiffs Have Article III Standing in Illinois Biometric Privacy Class Action (August 19, 2019)
- California Passes Consumer Privacy Act (June 29, 2018)
Please see below for various CCPA-related resources and tools.
The CCPA applies to many organizations whose primary activities take place outside of California, even those with no offices or personnel in the state.
The CCPA applies to any for-profit entity that is “doing business” in California that collects California residents’ personal information, determines how and when that personal information is used, and does not meet one of the exemptions.
The CCPA does not define “doing business” in California; however, the AG’s office will likely read the term broadly. For example, under Section 23101 of California’s Revenue and Tax Code, “doing business” is defined as “actively engaging in any transaction for the purpose of financial or pecuniary gain or profit.” Many companies that may not think of themselves as California “businesses” may nevertheless be required to comply with the CCPA by virtue of conducting quite limited activities in California. The precise limits of the CCPA will likely become clear only through litigation, although the state may try to apply the statute to the full extent of its long-arm jurisdiction, subject to the limitations of due process and the dormant commerce clause.
A key difference between the CCPA and most U.S. privacy laws is the scope of its definition of “personal information.” Under the CCPA, personal information includes any information that “identifies, relates to, describes, is capable of being associated with” or that could “reasonably be linked, directly or indirectly, with a particular consumer or household.” The statute makes explicit that such information could include, for example, online identifiers, IP addresses, email addresses, browsing history, commercial information, such as records of personal property, products or services purchased, other purchasing or consuming histories or tendencies, as well as consumer profiles based on inferences from various pieces of data.
The broad definition of “personal information” makes complying with the CCPA’s requirements particularly challenging. Businesses must understand what data they collect, how it is used and whether it is disclosed to third parties. Organizations often have trouble enough tracking sensitive information like Social Security numbers and health information. Creating a map or inventory of all personal information, as defined in the CCPA, is a considerable challenge requiring organization-wide engagement.
The term “consumer” is broader than common usage would suggest – it means any California resident, not just customers or clients, but also employees and other natural persons – even if the only interaction is in a business-to-business exchange.
Yes, but understanding how they apply is more complicated than it may at first appear. The CCPA states that its obligations shall not restrict a business’s ability to:
- comply with federal, state or local law, regulatory inquiries or subpoenas;
- exercise or defend legal claims;
- collect or sell data if the commercial conduct takes place wholly outside of California and the individual whose data is collected is not located in California; or
- process de-identified or aggregate data, noting that the narrow definition of “de-identified” data creates challenges.
Small businesses: Your business is exempt if it falls below all three of these thresholds:
- has annual revenue of more than $25 million – noting that the CCPA does not specify whether that is $25 million from California or $25 million overall;
- buys, sells, or receives for the business’s commercial purposes commercial information about 50,000 or more California residents, households or devices; or
- derives more than 50 percent of its annual revenue from selling California residents’ personal information.
Financial services: Data collected “pursuant to” the Gramm-Leach-Bliley Act (the “GLBA”) and its implementing regulations is exempt. That exemption covers most investor information collected by a financial institution, but it does not exempt information about employees and some information about prospective investors (prior to the point where they become a “consumer” of the firm as defined by the GLBA), among others.
Healthcare: For health care organizations, protected health information (“PHI”) covered by HIPAA that is collected by a covered entity or business associate is exempt (as is medical information governed by California’s Confidential Medical Information Act (the “CMIA”)). The CCPA also does not apply to the patient data of covered entities more broadly, to the extent the covered entity maintains the patient information in the same manner it treats PHI. A provider of health care governed by the CMIA also satisfies this exemption if it treats patient information in the same manner as medical information, as defined in that act. Certain clinical trial information may also fit within an applicable exemption.
It’s complicated. January 1, 2020 is the date by which a covered business should be compliant, although enforcement of much of the statute will not be possible before July 1, 2020.
Here is the complicated part:
- Certain provisions of the CCPA are operational now, such as terms requiring the California Attorney General to issue regulations and conduct public consultation.
- The most significant provisions of the CCPA, including data subject rights and transparency requirements, become operational on January 1, 2020. However, the Act cannot be enforced by the California Attorney General until the earlier of July 1, 2020 or six months after the publication of final regulations issued pursuant to the CCPA. At the present pace, it would be surprising if the AG was able to enforce the CCPA before July 1, 2020.
- Plaintiffs may begin filing lawsuits under the CCPA’s data breach private right of action on January 1, 2020.
The CCPA requires covered businesses to give California consumers information about what data the business collects and grants new rights to California consumers respecting their personal information, such as the right to opt out of the “sale” of personal information and to have it erased upon request, subject to important exceptions.
Businesses that “sell” information will be required to place a prominent link on their website stating “Do Not Sell My Personal Information” that enables a California resident to exercise that opt-out right.
Each organization will need to address compliance in a way that takes into account its particular circumstances. However, for a high-level checklist of compliance steps, click here.
The CCPA gives California residents new rights, many inspired by the European Union’s General Data Protection Regulation (GDPR). For a comparison of the CCPA and the GDPR, click here.
The rights granted by the CCPA include:
- the right to receive information about how a business collects and uses data about an individual;
- the right to access and receive a portable copy of that data;
- the right to have the data deleted – subject to material exclusions for internal use of data;
- the right to opt out of the sale of an individual’s data; and
- the right to not be discriminated against for exercising any of these rights.
It is important to note that these are not absolute rights, and many exceptions will apply. For example, if a consumer requests that a business delete his/her data, the business may refuse to do so if it is required to retain the data to comply with a legal obligation.
Yes. Under the CCPA, a business may provide information “only upon receipt of a verifiable consumer request.” Even the fact that an individual is a customer or client could itself constitute personal information, and, therefore, should not be revealed prior to authentication.
The California Attorney General should issue regulations that clarify what exactly is required and allowed.
Consumers may request access to their personal data and certain disclosures only twice over a 12-month period.
The 12-month limitation does not apply to other rights requests, like the right to erasure, but for requests that are “manifestly unfounded or excessive, in particular because of their repetitive character,” a business may either charge the consumer a reasonable fee or refuse to act on the request, provided they notify the consumer of their reason for doing so.
No. Consumers are entitled to know only the categories of third parties, but not the specific third parties themselves.
Yes. If a business receives a request to delete information, it is required to direct any service providers to delete the consumer’s personal information from their records.
The right to erasure under 1798.105 is limited to information collected “from the consumer.” The other rights apply regardless of whether the information was collected directly or indirectly from the consumer.
California already provided plaintiffs with a private right of action related to data breaches. The CCPA creates a new right of action if plaintiffs can prove that unencrypted personal information was accessed or taken without authorization as a result of a business’s failure to implement and maintain reasonable security procedures. Unlike the existing data breach statute, the CCPA’s private right of action provides for statutory damages of between $100 and $750 per impacted California resident. Those statutory damages will add up quickly, and class action plaintiffs will have a new—and greater—incentive to file suit. This additional class action litigation exposure re-emphasizes the need for appropriate data security and incident response policies and procedures.
Personal information under the CCPA’s private right of action is defined using the definition from California’s existing data security law, rather than the much broader definition used for other provisions of the CCPA. Under that existing law, personal information includes an individual’s name in combination with one or more of the following unencrypted or unredacted data elements: (1) Social Security number; (2) driver’s license number or California identification card number; (3) financial account number in combination with an access code or password; (4) medical information; or (5) health insurance information.
Yes, unless the plaintiff is pursuing a claim only for actual (as opposed to statutory) damages. In order to pursue statutory damages under the CCPA’s private right of action, plaintiffs must provide the business with a written notice identifying the specific provisions that the plaintiff claims were violated and a 30-day opportunity to cure. The plaintiff may not bring an action if the business cures the noticed violation and provides the plaintiff with an “express written statement that the violations have been cured and that no future violations shall occur” within 30 days. If the business fails to cure the breach or violates the express written statement, the plaintiff may initiate an action. The CCPA does not impose a notice obligation on plaintiffs initiating an action solely for actual, pecuniary damages.
The CCPA does not define or offer guidelines for what actions might be sufficient to cure on an individual or class basis. The Attorney General may provide guidance on this topic in its forthcoming regulations.
Possible approaches to effectuating a cure may include a combination of (1) identifying and remediating the security breach; (2) making credit monitoring available or compensating individuals for third-party monitoring of the breached data; (3) paying the individual the maximum statutory damages; and/or (4) reimbursing the individual for any costs incurred as a result of the breach.
No. The CCPA only creates a private right of action for an unauthorized access or disclosure of personal information as a result of a business’s failure to have reasonable security procedures. The rest of the act is enforced directly only by the California Attorney General.
No. The CCPA states expressly that “[n]othing in this title shall be interpreted to serve as the basis for a private right of action under any other law,” and so the plain text of the CCPA itself reflects that it was not intended to serve as a basis for unfair competition law (“UCL”) actions premised on the other provisions of the statute that do not have a private right of action. See Cal. Bus. & Prof. Code § 17200 et seq. The UCL prohibits businesses from engaging in business practices that are “unlawful, unfair or fraudulent,” and makes available injunctive relief or restitution.
The California Attorney General can seek civil penalties of $2,500 for each violation or $7,500 for each intentional violation of the CCPA if a business fails to cure the alleged violation within 30 days. Regulatory enforcement will be delayed until six months after the publication of the Attorney General’s implementation guidelines, or July 1, 2020, whichever is sooner.
Plaintiffs alleging violations of the CCPA’s data breach provision may obtain statutory damages between $100 and $750 “per consumer per incident or actual damages, whichever is greater.”
The CCPA applies only to information about California residents, so any putative class actions may only be brought on behalf of those California residents.
No. The CCPA allows businesses to refuse consumer deletion requests if the personal information subject to the request is necessary for any of nine enumerated purposes, including, in relevant part, to comply with a legal obligation and otherwise to use the information internally in a lawful manner compatible with the context in which the consumer provided it. As such, a business may deny a deletion request for data subject to a legal hold because it has a legal obligation to preserve and not delete, destroy, or materially alter the information while the hold is in effect, and may keep the information for internal use only. The CCPA does not require that the deletion request be reconsidered after the legal obligation concludes.