California Consumer Privacy Act

The California Consumer Privacy Act (CCPA) will significantly affect the operations of companies that collect personal data about California residents. The law applies to a broader spectrum of data than is currently protected under U.S. regulations, introduces EU-style data subjects access right, and has the potential to create a wave of data breach class action litigation in California.


Ropes & Gray has an experienced team of attorneys focused on assessing CCPA developments for clients worldwide. We stand ready to help organizations understand the CCPA’s key implications, develop a compliance plan, and be ready for data breach litigation. Our diverse teams brings decades of experience with privacy compliance programs across a wide range of sectors including financial services, asset management, technology, retail, consumer products, health care and life sciences, manufacturing, food and beverage, media, and energy.

Download our brochure for more information on how we can partner with you on each step of your CCPA compliance roadmap.

Analysis & Resources

Articles and Publications


Is my organization subject to the CCPA?

The CCPA applies to many organizations whose primary activities take place outside of California, even those with no offices or personnel in the state.

The CCPA applies to any for-profit entity that is “doing business” in California that collects California residents’ personal information, determines how and when that personal information is used, and does not meet one of the exemptions.

What does it mean to “do business” in California?

The CCPA does not define “doing business” in California, however the AG’s office will likely read the term broadly. For example, under Section 23101 of California’s Revenue and Tax Code, “doing business” is defined as “actively engaging in any transaction for the purpose of financial or pecuniary gain or profit.” Many companies that may not think of themselves as California “businesses” may nevertheless be required to comply with the CCPA by virtue of conducting quite limited activities in California. The precise limitations of the CCPA will likely extend become clear only with litigation, although the state may try to apply the statute to the full extent of the state’s long-arm jurisdiction, subject to the limitations of due process and the dormant commerce clause.

What rights does the CCPA give consumers?

The CCPA gives California residents new rights, many inspired by the European Union’s General Data Protection Regulation (GDPR). For a comparison of the CCPA and the GDPR, click here.

The rights granted by the CCPA include:

  • the right to receive information about how a business collects and uses data about an individual;
  • the right to access and receive a portable copy of that data;
  • the right to have the data deleted – subject to material exclusions for internal use of data
  • the right to opt out of the sale of an individual’s data; and
  • the right to not be discriminated against if exercising any of these rights.
  • It is important to note that these are not absolute rights, and many exceptions will apply. For example, if a consumer requests that a business delete his/her data, the business may refuse to do so if it is required to retain the data to comply with a legal obligation.

Should the business validate who the individual requestor is before responding to a rights request?

Yes. Under the CCPA, a business may provide information “only upon receipt of a verifiable consumer request.” Even the fact that an individual is a customer or client could itself constitute personal information, and, therefore, should not be revealed prior to authentication.

The California Attorney General should issue regulations that clarify what exactly is required and allowed.

What does the CCPA say about data breaches?

California already provided plaintiffs with a private right of action related to data breaches. The CCPA creates a new right of action if plaintiffs can prove that unencrypted personal information was accessed or taken without authorization as a result of a business’s failure to implement and maintain reasonable security procedures. Unlike original data breach statutes, the CCPA’s private right of action provides for statutory damages of between $100 and $750 per impacted California resident. Those statutory damages will add up quickly, and class action plaintiffs will have a new—and greater—incentive to file suit. This additional class action litigation exposure re-emphasizes the need for appropriate data security and incident response policies and procedures.

How is personal information defined for purposes of the CCPA’s private right of action?

Personal information under the CCPA’s private right of action is defined using the definition from California’s existing data security law, rather than the much broader definition used for other provisions of the CCPA.  Under the existing data security law (which provides the definition for the CCPA's data breach right of action), personal information includes an individual’s name in combination with one or more of the following unencrypted or unredacted data elements: (1) Social Security number; (2) Driver’s license number or California identification card number; (3) financial account number in combination with an access code or password; (4) medical information or; (5) health insurance information.