The California Consumer Privacy Act (CCPA), considered the most expansive U.S. privacy laws to date, is set to take effect January 1, 2020. In short, the CCPA places limitations on the collection and sale of a consumer’s personal information and provides consumers certain rights with respect to their personal information. Wondering whether they will have to comply, many organizations are asking if the law will apply to them, hoping that being too small, being located outside of California, or “only having employee information,” among other things, might cause them not to have to gear up for CCPA.
So, we thought we would dig in a little deeper into the question of when the CCPA might apply to a business. However, note that the law is still developing as amendments work their way through the legislature and we await regulations from the California Attorney General intended to further clarify the statute. Organizations will need to continue to monitor these developments to determine if the CCPA will apply to them.
Basic Rule. In general, the CCPA applies to a “business” that:
A. does business in the State of California,
B. collects personal information (or on behalf of which such information is collected),
C. alone or jointly with others determines the purposes or means of processing of that data, and
D. satisfies one or more of the following
(i) annual gross revenue in excess of $25 million,
(ii) alone or in combination, annually buys, receives for the business’s commercial purposes, sells, or shares for commercial purposes, alone or in combination, the personal information of 50,000 or more consumers, households, or devices, or
(iii) derives 50 percent or more of its annual revenues from selling consumers’ personal information.
Related entities and non-for-profits. Under the CCPA, a “business” can be a “sole proprietorship, partnership, limited liability company, corporation, association, or other legal entity that is organized or operated for the profit or financial benefit of its shareholders or other owners.” Thus, for example, a business under this definition generally would not include a not-for-profit or governmental entity. It also would not include a corporation that meets all of the prongs above, other than those listed under D.
However, a “business” under CCPA also includes any entity that controls or is controlled by a business that meets the requirements above and that shares common branding with such a business. “Control,” for this purpose, means either (i) ownership of, or the power to vote, more than 50 percent of the outstanding shares of any class of voting security of a business; (ii) control in any manner over the election of a majority of the directors, or of individuals exercising similar functions; or (iii) the power to exercise a controlling influence over the management of a company. “Common branding” means a shared name, servicemark, or trademark. Accordingly, organizations that would not themselves be a “business” under the CCPA could become subject to the law because of the entities that control them or that they control, and with which they share common branding.
Businesses that do not collect “consumer” personal information. It does not appear to be necessary under the CCPA for a business to actually be the one to collect personal information from consumers in order for the law to apply. So long as personal information is collected on behalf of a business (such as through a third party), the business could be covered by the CCPA, assuming the other requirements are satisfied.
Some businesses also may believe that because they do not engage in transactions directly with individual consumers and collect their personal information, they are not subject to the law. The businesses might be thinking this is because their “consumers” are other businesses and not individuals. However, a consumer under the CCPA generally means a natural person who is a California resident. Accordingly, when conducting business with other businesses, a business likely collects personal information from contacts at those other businesses. Similarly, virtually all businesses collect information about their employees. Recent legislative activity indicates that obligations under the CCPA may continue to extend to employee personal information.
Businesses located outside of California. It also does not appear that a business will need to be located in California in order to be subject to the CCPA. While the CCPA is not clear on this point, a business may be considered to be “doing business” in California if it conducts online transactions with persons who reside in California, has employees working in California, or has certain other connections to the state, and is without a physical location in the state. As noted, regulations may help to clarify what “doing business in California” means for purposes of the CCPA.
Businesses that process information on behalf of other businesses. The definition of a business under the CCPA requires that the business must alone or jointly with others “determine the purposes or means of processing” of that data. The CCPA does not expand on this language. However, since nearly identical language in the General Data Protection Regulation (GDPR) is used to define a controller, guidance from the UK’s Information Commissioner may provide some insight – here are some questions you might ask to see if your organization is a controller:
The business decides to collect or process the personal data.
The business decides what the purpose or outcome of the processing is to be.
The business decides what personal data should be collected.
The business decides which individuals to collect personal data about.
The business obtains a commercial gain or other benefit from the processing, except for any payment for services from another controller.
The business decides processes the personal data as a result of a contract between the business and the data subject.
The business exercises professional judgement in the processing of the personal data.
The business has a direct relationship with the data subjects.
An organization that merely processes personal information for businesses covered by the CCPA might take the position that it is not subject to the CCPA. That organization may be correct, however, its business partners that are subject to the CCPA may be required to push certain CCPA obligations down to the organization by contract.
Consequences of Non-compliance. Organizations on the fence about the application of the CCPA should consider what happens if they fail to comply but are determined later to be subject to the law. A business that violates the CCPA can face injunctions and penalties of not more than $2,500 for each violation, and not more than $7,500 for each intentional violation, in an action brought by the California Attorney General. That said, a business is provided 30 days after receiving written notice of noncompliance to cure the violation, before facing liability. In addition, the CCPA provides consumers a private right of action if their nonencrypted or nonredacted personal information is subject to an unauthorized access, exfiltration, theft, or disclosure because the covered business did not meet its duty to implement and maintain reasonable safeguards to protect that information. That private action includes statutory damages in an amount not less than one hundred dollars ($100) and not greater than seven hundred and fifty ($750) per consumer per incident or actual damages, whichever is greater.
A recently survey by ESET found that over 44% of the 625 business owners and company executives polled had never heard of CCPA, and only 11.8% knew if the law applied to their business. Organizations should be doing their best to determine if they have CCPA obligations either directly as a business, because they control or are controlled by a business, or because they have contractual obligations flowing from a business. Efforts toward compliance need to begin now as the CCPA becomes effective January 1, 2020.