The CCPA applies to businesses – not nonprofits or governmental entities – that meet the following criteria:
Any sole proprietorship, partnership, limited liability company, corporation, association, or other legal entity that is not considered a nonprofit entity under the California Nonprofit Corporation Law.1
There is currently no guidance that explains whether a business must take into consideration worldwide revenue or revenue from California operations. Conservatively, absent further guidance on this issue, a business doing business in California with annual gross revenue exceeding the $25 million threshold should begin preparing for the implementation of the CCPA.
What is “control”?
A business that controls or is controlled by a business covered by the CCPA is also considered to be covered by the CCPA. For purposes of this determination, the CCPA follows typical indicia of control: (i) common ownership of, or the power to vote, more than 50% of the outstanding shares of any class of voting security of a business; (ii) control in any manner over the election of a majority of the directors, or of individuals exercising similar functions; or (iii) the power to exercise a controlling influence over the management of a company.
What is “common branding”?
A business that shares common branding with a business covered by the CCPA is also considered to be covered by the CCPA. For purposes of this determination, the CCPA provides that common branding includes a shared name, servicemark, or trademark.
What exemptions might apply?
There are various partial exemptions available for certain types of information collected by entities that are also subject to federal privacy laws. The most significant and potentially relevant exemptions apply to certain information processed pursuant to the protections of certain federal regimes; importantly, the exemptions apply to that information, not to the businesses covered by these regimes. For example, HIPAA-covered entities (and business associates) are not exempt from the CCPA, but protected health information collected by a covered entity or business associate that is governed by the privacy, security and breach notification rules promulgated pursuant to HIPAA is exempt.4 Note, however, that not all information collected by HIPAA-covered entities and business associates is “governed by” these rules. Therefore, IP addresses, for example, collected by a HIPAA-covered entity appear to be subject to the requirements and protections of the CCPA, even though protected health information collected by the same entity would be exempt.
Similarly, nonpublic personal information processed by a financial institution subject to the privacy, security and breach notification rules promulgated pursuant to the Gramm-Leach-Bliley Act would be exempt, but the financial institution would be required to comply with the CCPA with respect to other information (such as information collected when tracking website visitors or providing targeted online advertisements) collected by the financial institution.5 In addition, this exemption does not apply to the consumer’s right to sue for statutory damages as a result of a data breach.6
What if my business is subject to the CCPA?
The CCPA has several onerous requirements that will require significant preparation in advance of the CCPA effective date of January 1, 2020. Therefore, businesses subject to the CCPA will need to plan and start their compliance efforts immediately.
Notice Requirement: At or before the time of collecting personal information, the business must provide notice of the categories of personal information to be collected, and the purposes for which they will be used.
Disclosure Requirements: Upon request of a consumer, the business must disclose the following:
- categories and specific pieces of the consumer’s personal information the business has collected;
- categories of sources from which personal information is collected;
- business or commercial purpose for collecting or selling personal information; and
- categories of third parties with whom the business shares personal information.
Delivery of Personal Information: Upon request of a consumer, up to twice in a 12-month period, the business must deliver to the consumer all of the consumer’s personal information collected.
Right to be Forgotten: Each business must notify consumers of their right to request the business to delete all of the consumer’s personal information. Certain exceptions permit the business to retain personal information for specific purposes.
Non-Discrimination: With limited exceptions, businesses are prohibited from discriminating against a consumer because the consumer exercised any of the consumer’s rights under the Act, including denying goods or services, charging different prices, providing a different level of quality of goods or services, or suggesting that the consumer will receive a different price or level of quality of goods or services.
What should businesses be doing between now and January 1, 2020?
In order to be in a position to satisfy these requirements by the effective date, businesses subject to the CCPA will need to take the following actions, starting now:
- Understand the data. What personal information does the business collect?
- Understand how personal information is processed, including to whom it is transmitted or made accessible, and where it is stored.
- Draft the required notices and disclosures.
- Build a process for responding to consumer demands, including protocols for deleting data.
- Review and, as necessary, amend contracts with third-party service providers to ensure the business can compel its vendors to comply with CCPA requirements.
We will be publishing additional Quick Studies on the CCPA to help clients understand the various requirements. For more information or assistance with determining whether your business is subject to the CCPA or otherwise in preparing during 2019 to comply with the CCPA, please contact any member of our team.
1. The California Nonprofit Corporation Law (Division 2 of the Title 1 of the California Corporations Code) provides that nonprofit entities can incorporate as Nonprofit Public Benefit Corporations, Nonprofit Mutual Benefit Corporations, or Nonprofit Religious Corporations. The law further provides that an unincorporated nonprofit association must contain language in its creating document that the association is not allowed to keep the proceeds from business activities and the proceeds must be used for nonprofit purposes.
2. R&TC Section 23101.
3. Revenue and Taxation Code (R&TC) Section 23101.
4. CCPA Section (c)(1)(A).
5. CCPA Section 1798.145(e).
6. CCPA Section 1798.145(f).