The California Consumer Privacy Act (CCPA), a broad-based law protecting information that identifies California residents, was passed in June 2018 and will take effect in 2020. Dubbed “GDPR Lite,” to denote its similarities to the EU General Data Protection Regulation (GDPR), it is expected to be a game-changer for U.S.-based companies that process sensitive data. With detailed disclosure requirements, a grant of extensive rights to individuals to control how their personal information is used, statutory fines and a private right of action, the law requires companies to rethink their data processing practices.
But does the CCPA apply to you?
CCPA applies to you if you fall within either A or B, below:
A. (1) You are a for-profit business.
(2) You collect California consumers’ personal information (or such information is collected on your behalf) and determine the purposes and means of processing California consumers’ personal information.
(3) You do business in the state of California.
(4) You meet one of the following criteria:
(a) You have at least $25 million in annual gross revenues.
(b) You buy, sell, share and/or receive the personal information of at least 50,000 California consumers, households or devices, per year.
(c) You derive at least 50 percent of your annual revenue from selling California consumers’ personal information.
B. You control or are controlled by an entity that meets the above criteria and share common branding with that entity.
Let’s break that down.
1. You are a “for profit” business
CCPA applies to companies that are “organized or operated for the profit or financial benefit of [their] shareholders or other holders.”
Nonprofits are not required to comply with the CCPA. However, if you are a nonprofit organization that controls or is controlled by a for-profit entity that qualifies as a “business” and share common branding with, or receive personal information from a business via a “sale,” you could be subject to CCPA.
2. You collect and determine the purpose and means of processing personal information of Californians
You meet this prong if:
- You receive, buy, rent or access information (including personal information collected passively, i.e. through cookies); and
- Determine the purpose and means of processing of information that both:
- identifies, relates to, describes, is capable of being associated with or could reasonably be linked, directly or indirectly, with a particular consumer or household; and
- pertains to an individual who is (1) in California for other than a temporary purpose, or (2) domiciled in California, but outside the state for a temporary purpose
3. You do business in the state of California – even if you have no physical presence in California
This phrase is not defined in CCPA. It has, under California tax laws, been deemed to apply, in certain cases, to companies doing business online without any physical presence in California.
So, in the absence of guidance from the California Attorney General, it is likely that this will include you if:
- Your headquarters is in California.
- You have employees in California.
- You are an entity incorporated in California or an entity required to register in California as a “foreign entity” under existing California corporate and tax law. Per a recent amendment, starting April 1, 2019, companies not registered in California, with no physical presence in California, are required to register with the California Department of Tax and Fee Administration (CDTFA), collect the California use tax and pay the tax to the CDTFA based on the amount of sales into California if their sales exceed a certain dollar threshold or they have more than 200 separate transactions.
- You have ties to the state including, in some cases, repeated sales into the state and ownership of real property in the state.
4. You meet one of the following thresholds
- You have at least $25 million in annual gross revenues. [Note: It is unclear at this point whether the $25 million threshold will operate at the group level and whether revenue not derived from California will count, but the general thought is that this threshold applies to overall revenues, not just revenues from California.]
- You buy, sell, share, and/or receive (alone or in combination with others) the personal information of at least 50,000 California consumers, households or devices, per year.
[Note: To reach this threshold, 137 unique visits to your website a day suffices.]
[Further note: CCPA does not explicitly require that a household be physically located in California or a device be owned by a California resident. Given that CCPA was enacted to protect the right to privacy spelled out in the California Constitution (see above) and such right is bestowed on California residents, such requirement may in the future be read into the statute.]
- At least 50 percent of your annual revenue comes from selling California consumers’ personal information.
Section B: You control or are controlled by a business
CCPA would also apply to you if you control or are controlled by an entity that meets the above criteria and share common branding with that entity. Therefore, CCPA applies to entities that do business in California and those that are part of the corporate group (parents or subsidiaries) of an entity that does business in California.
B+ You may indirectly be in scope if your B2B clients say so
In order to comply with obligations under CCPA, businesses that are subject to the law will need to ensure that their third party service providers use information in a way that allows the business to be compliant (e.g. delete the information when requested, use the information only as permitted). Therefore, you could be required to comply with CCPA provisions indirectly, through an agreement with your customer.
Finally: Can CCPA apply to me if I am not a consumer facing business (B2C)? Yes.
Despite its “Consumer Privacy Act” title, as currently drafted, CCPA applies to any business that meets the criteria listed in question one above, even if it does not deal directly with consumers. The definition of “consumer” is also very broad and includes any individual who is (1) in California for other than a temporary purpose, or (2) domiciled in California but is outside the state for a temporary purpose.
It is not yet clear whether the CCPA applies to B2B companies with respect to business contacts who meet the criteria listed in question one and/or employees who are California residents. While the current language of the CCPA and definition of “consumer” appear to include employees and business contacts, the California State Assembly recently proposed AB-25, a bill that would exclude employees, contractors and agents from the definition of “consumer.” Specifically, the bill excludes a natural person whose personal information has been collected by a business in the course of a person acting as a job applicant to, an employee of, a contractor of or an agent on behalf of the business, to the extent the person’s personal information is collected and used solely for purposes compatible with the context of that person’s role as a job applicant, employee, contractor or agent of the business. The bill awaits final legislative action.
Odia Kagan is a Partner at Fox Rothschild and chair of the firm’s GDPR Compliance and International Privacy Practice. Odia leverages her experience counseling companies on GDPR compliance issues to assist companies on the road to CCPA compliance. For assistance, contact Odia at firstname.lastname@example.org or 215.444.7313.