Ropes & Gray has an experienced team of attorneys focused on assessing CCPA developments for clients worldwide. We stand ready to help organizations understand the CCPA’s key implications, develop a compliance plan, and be ready for data breach litigation. Our diverse team brings decades of experience with privacy compliance programs across a wide range of sectors including financial services, asset management, technology, retail, consumer products, health care and life sciences, manufacturing, food and beverage, media, and energy.
Download our brochure for more information on how we can partner with you on each step of your CCPA compliance roadmap.
Analysis & Resources
Articles and Publications
- “California Bill Clarifies Privacy Law’s Ambiguities for Medical, Research Communities,” Bloomberg Law (February 13, 2020)
- “CCPA Amendments Are Useful But ‘No Magic Bullet’,” Private Funds CFO (October 17, 2019)
- “CCPA Close-Up: Examining the GLBA Carve-Out and How Financial Institutions Can Evaluate Applicability,” Cybersecurity Law Report (October 9, 2019)
- “Kreutzer’s Take: Bracing for California’s New Data Privacy Law,” WSJ Pro Private Equity (September 23, 2019)
- “PE Firms Brace for New Frontier in U.S. Data Privacy Regulation,” WSJ Pro Private Equity (September 13, 2019)
- “Deep Dive: Prepare to do battle with data privacy,” Private Funds CFO (July 8, 2019)
- “In Their Own Words With Ropes & Gray’s Amanda McGrady Morrison,” WSJ Pro Private Equity (September 13, 2019)
- “CCPA Close-Up: Review of Amendments and How to Prepare for Compliance,” The Cybersecurity Law Report (October 2, 2019)
- “Engaging With the California Consumer Privacy Act: How Hedge Fund Managers Can Evaluate Whether They Are Subject to the New Law (Part One of Two),” The Hedge Fund Law Report (September 26, 2019)
- “Sweeping New Privacy, Conduct Regs Loom for Fund Managers,” FundFire (October 2, 2019)
- “As More Countries Seek Adequacy Decisions With EU, Will US Get Left Behind?,” Bloomberg Law (May 28, 2019)
- “5 UK Privacy And Data Protection Predictions For 2019,” Law360 (February 25, 2019)
- “As More Countries Seek Adequacy Decisions With EU, Will US Get Left Behind?,” Corporate Counsel (February 26, 2019)
Please see below for various CCPA-related resources and tools.
- New California Privacy Enforcement Act Ballot Initiative
- California Consumer Privacy Act of 2018 as codified and amended
- Final Text of Regulations
- Final Statement of Reasons
- Appendix A – Responses to comments 45-day
- AB-375 as approved by the Governor on June 28, 2018
- SB-1121 as approved by the Governor on September 23, 2018
- Enacted CCPA Amendments
- IAPP amendment tracker
Is my organization subject to the CCPA?
The CCPA applies to many organizations whose primary activities take place outside of California, even those with no offices or personnel in the state.
The CCPA applies to any for-profit entity that is “doing business” in California that collects California residents’ personal information, determines how and when that personal information is used, and does not meet one of the exemptions.
What does it mean to “do business” in California?
The CCPA does not define “doing business” in California; however, the AG’s office will likely read the term broadly. For example, under Section 23101 of California’s Revenue and Tax Code, “doing business” is defined as “actively engaging in any transaction for the purpose of financial or pecuniary gain or profit.” Many companies that may not think of themselves as California “businesses” may nevertheless be required to comply with the CCPA by virtue of conducting quite limited activities in California. The precise limitations of the CCPA will likely become clear only with litigation, although the state may try to apply the statute to the full extent of the state’s long-arm jurisdiction, subject to the limitations of due process and the dormant commerce clause.
What rights does the CCPA give consumers?
The CCPA gives California residents new rights, many inspired by the European Union’s General Data Protection Regulation (GDPR).
The rights granted by the CCPA include:
- the right to receive information about how a business collects and uses data about an individual;
- the right to access and receive a portable copy of that data;
- the right to have the data deleted – subject to material exclusions for internal use of data;
- the right to opt out of the sale of an individual’s data; and
- the right to not be discriminated against if exercising any of these rights.
It is important to note that these are not absolute rights, and many exceptions will apply. For example, if a consumer requests that a business delete his/her data, the business may refuse to do so if it is required to retain the data to comply with a legal obligation.
Should the business validate who the individual requestor is before responding to a rights request?
Yes. Under the CCPA, a business may provide information “only upon receipt of a verifiable consumer request.” Even the fact that an individual is a customer or client could itself constitute personal information, and, therefore, should not be revealed prior to authentication.
The California Attorney General should issue regulations that clarify what exactly is required and allowed.
What does the CCPA say about data breaches?
California already provided plaintiffs with a private right of action related to data breaches. The CCPA creates a new right of action if plaintiffs can prove that unencrypted personal information was accessed or taken without authorization as a result of a business’s failure to implement and maintain reasonable security procedures. Unlike original data breach statutes, the CCPA’s private right of action provides for statutory damages of between $100 and $750 per impacted California resident. Those statutory damages will add up quickly, and class action plaintiffs will have a new—and greater—incentive to file suit. This additional class action litigation exposure re-emphasizes the need for appropriate data security and incident response policies and procedures.
How is personal information defined for purposes of the CCPA’s private right of action?
Personal information under the CCPA’s private right of action is defined using the definition from California’s existing data security law, rather than the much broader definition used for other provisions of the CCPA. Under the existing data security law (which provides the definition for the CCPA's data breach right of action), personal information includes an individual’s name in combination with one or more of the following unencrypted or unredacted data elements: (1) Social Security number; (2) driver’s license number or California identification card number; (3) financial account number in combination with an access code or password; (4) medical information; or (5) health insurance information.