At first blush, entities subject to the Gramm-Leach-Bliley Act – particularly those without offices in the state of California – may be tempted to assume that the CCPA does not apply to them. The broad reaches of the CCPA, however, may, in fact, apply to their businesses, requiring them to comply with affirmative notice obligations, and subjecting them to potential private litigation for failing to implement and maintain reasonable security practices and procedures. In a recent interview with the Cybersecurity Law Report, Ropes & Gray partner Melissa Bender and counsel Catherine Skulan discussed how financial institutions subject to the GLBA, such as private fund managers that are registered as investment advisers with the SEC, can determine if they are also subject to the CCPA. They also detailed how the GLBA carve-out will provide some, but likely not complete, relief from compliance with the Act. A previous article
stemming from this discussion provided their thoughts on how companies can complete a data-mapping exercise to help with CCPA compliance and outlined recent amendments and anticipated enforcement steps. See our two-part series on preparing for the CCPA: “Securing Buy-In and Setting the Scope
” (Feb. 27, 2019); and “Best Practices and Understanding Enforcement
” (Mar. 6, 2019).