September 25, 2022

Volume XII, Number 268


The California Consumer Privacy Act: What to Know—and What to Do [Part II]

Part II: Does the CCPA Affect Me?

In this second installment of our series on the California Consumer Privacy Act (CCPA), we discuss a key question: Does the CCPA affect me?

While the primary focus of this article is on "businesses" (as discussed below) that are responsible for collecting personal information (and who bear the brunt of the CCPA’s obligations), it is important for those entities that are service providers or recipients of data from businesses to understand how the CCPA impacts their customers and counterparties, and why new obligations are being imposed on them.

Does the CCPA Affect Me?

The CCPA applies to any "business"—defined in the act as a for-profit legal entity that:

  • Does business in the State of California;
  • Collects, or has collected on its behalf, personal information of California residents;
  • Determines (alone or jointly with others) the "purposes and means of the processing" of the personal information of California residents; and
  • Meets at least one of the following criteria:
    • Has annual gross revenues of more than $25 million USD;
    • Obtains for commercial purposes, sells or shares the personal information of more than 50,000 households, devices or California residents; or
    • Derives 50 percent or more of its annual revenue from the sale of California residents' personal information.1

The second criterion under the fourth bullet above is likely to capture almost any company that conducts business (even B2B) online, has an app or even in many cases merely has a commercial website. As noted in Part I, the CCPA's definition of "personal information" is much broader than the standard US definition: in addition to including all information relating to or that could be linked (directly or indirectly) to an individual, the CCPA also considers identifiers such as IP addresses, browsing history and "information regarding a consumer's interaction with an Internet Web site, application, or advertisement" to be "personal information."2 This information is typically collected automatically upon an individual's visit to a website. The definition also covers information relating to "devices." While "consumers" are California residents, the CCPA doesn't limit "devices" to just those in California.

As a result, a company will be subject to the CCPA if it does any business in California and has an app or site that is accessed by more than 50,000 unique users or visitors annually (approximately 137 per day), whether or not those visitors are California residents.

Are There Any Exceptions?

There are a few limited exceptions to the CCPA. Some apply to an entire organization, while others only exempt certain personal information from the CCPA's reach (and, in some cases, leave intact the class-action-friendly private cause of action we touched on in our last installment).

Organization-Wide Exceptions

As noted above, the CCPA only applies to for-profit entities. Nonprofit organizations are excluded from most of its scope, although in certain instances, they may potentially be subject to "third party" obligations to the extent they receive personal information from a covered business.3

Additionally, as described below, amendments to the CCPA exempted "covered entities" subject to HIPAA and "health care providers" subject to California's Confidentiality of Medical Information Act (CMIA) from the CCPA's scope to the extent that they protect patient data in accordance with HIPAA or CMIA; however, the CCPA is potentially ambiguous as to whether the exemption is intended to cover the entire entity or just patient information.4

Data-Specific Exceptions

For entities that are subject to the CCPA, other exceptions are focused on certain types of data that those entities may process. Thus, while certain information may not be subject to CCPA obligations, the organization as a whole is not exempted, so the CCPA will still apply to any personal information outside the exception (such as personal information received as part of other services or activities, or in some cases, device information collected from visitors to a website).

The CCPA does not apply to:

  • Personal information processed under the Gramm-Leach-Bliley Act (GLBA) or the California Financial Information Privacy Act, although this exception does not apply to the private cause of action5;
  • Protected health information or medical information governed by HIPAA or CMIA, respectively. This exception expressly extends to protected health information collected by a covered entity or business associate (as defined by HIPAA)6;
  • Information collected as part of a clinical trial subject to the Federal Policy for the Protection of Human Subjects7;
  • The "sale" of personal information to or from a credit reporting agency, if the information is used for a consumer report and its use is limited to the uses permitted by the Fair Credit Reporting Act8; and
  • Personal information processed pursuant to the Driver's Privacy Protection Act, although as with information subject to GLBA, the exemption does not apply with respect to the private cause of action.9

Coming Up Next: Understand Your Data

Now that you have an idea of whether or not you are a "business" subject to the CCPA, the next step is figuring out what you should be doing to prepare. Our next installment covers understanding what data you have, where it is and how it is used.

1 § 1798.140(c).

2 § 1798.140(o)(1)(A).

3 § 1798.140(n), (t)(1), (w).

4 § 1798.145(c)(1)(B).

5 § 1798.145(e).

6 § 1798.145(c)(1)(B).

7 § 1798.145(c)(1)(A)&(B).

8 § 1798.145(d).

9 § 1798.145(f).

©2022 Katten Muchin Rosenman LLP

National Law Review, Volume IX, Number 127

About this Author

Matthew R. Baker, Environmental White Collar Attorney, Katten Muchin Law Firm

Matthew Baker focuses his practice on environmental white collar, internal investigation, complex electronic discovery and information governance issues, and domestic and international data privacy compliance. Matthew represents clients in connection with a variety of environmental and regulatory criminal matters, as well as assists corporate clients with information governance, data privacy and litigation preparedness issues.

Matthew's pro bono work includes assisting nonprofit organizations with data privacy and information governance issues,...

Doron Goldstein, Katten Muchin Law Firm, Intellectual Property Attorney

Doron S. Goldstein's practice primarily deals with intellectual property, information technology and advertising, marketing and branded entertainment transactions and counseling, including privacy and information security, trademark, copyright, software and technology matters, and he is co-head of Katten's Advertising, Marketing and Promotions practice and of the firm's Privacy, Data and Cybersecurity group.

Doron regularly advises on various aspects of integrated marketing campaigns, including talent and production agreements, advertising agency...

Megan Hardiman, Katten Muchin Law Firm, Health Care Legal Specialist

Megan Hardiman draws on her broad regulatory background to advise clients on complex health information privacy issues, tax-exempt organization compliance issues, including maintaining tax-exempt status, IRS Form 990 reporting issues and best practices for executive compensation, state fee-splitting and corporate practice of medicine prohibitions and fraud and abuse compliance.

Megan devotes a significant portion of her practice to helping health care companies and business associates understand and meet the requirements of the Health Insurance Portability...