Beginning on January 1, 2020, the California Consumer Privacy Act of 2018 (CCPA) will impose new privacy obligations on certain businesses that collect personal information of California consumers and are (or are jointly with others) responsible for determining the purposes and means of the processing of such information. This summary will assist U.S. businesses in making an initial determination of whether they might be subject to the CCPA once effective.
Is your business subject to the CCPA?
The CCPA applies to businesses — not nonprofits or governmental entities — that meet the following criteria:
What is a Business for purposes of the CCPA?
Any sole proprietorship, partnership, limited liability company, corporation, association, or other legal entity that is not considered a nonprofit entity under the California Nonprofit Corporation Law.1
What does “doing business” in the State of California mean?
Although the CCPA does not define “doing business”, the typical analysis begins with looking at the California Revenue and Taxation Code (the “R&TC”).2 A business is doing business in California if it actively engages in any transaction for the purpose of financial or pecuniary gain or profit in California or if any of the following conditions are satisfied:
How are annual gross revenues calculated?
There is currently no guidance that explains whether a business must take into consideration worldwide revenue or revenue from California operations. Conservatively, absent further guidance on this issue, a business doing business in California with annual gross revenue exceeding the $25 million threshold should begin preparing for the implementation of the CCPA.
What is “control”?
A business that controls or is controlled by a business covered by the CCPA is also considered to be covered by the CCPA. For purposes of this determination, the CCPA follows typical indicia of control: (i) common ownership of, or the power to vote, more than 50% of the outstanding shares of any class of voting security of a business; (ii) control in any manner over the election of a majority of the directors, or of individuals exercising similar functions; or (iii) the power to exercise a controlling influence over the management of a company.
What is “common branding”?
A business that shares common branding with a business covered by the CCPA is also considered to be covered by the CCPA. For purposes of this determination, the CCPA provides that common branding includes a shared name, servicemark, or trademark.
What exemptions might apply?
There are various partial exemptions available for certain types of information collected by entities that are also subject to federal privacy laws. The most important and potentially relevant exemptions apply to certain information processed pursuant to the protections of certain federal regimes; they do not apply to the businesses covered by these regimes. For example, HIPAA-covered entities (and business associates) are not exempt from the CCPA, but protected health information collected by a covered entity or business associate governed by the privacy, security and breach notification rules promulgated pursuant to HIPAA is exempt.4 Note, however, that not all information collected by HIPAA-covered entities and business associates is “governed by” these rules. Therefore, IP addresses, for example, collected by a HIPAA-covered entity appear to be subject to the requirements and protections of the CCPA, even though protected health information collected by the same entity would be exempt.
Similarly, nonpublic personal information processed by a financial institution subject to the privacy, security and breach notification rules promulgated pursuant to the Gramm-Leach-Bliley Act would be exempt, but the financial institution would be required to comply with the CCPA with respect to other information (such as information collected when tracking website visitors or providing targeted online advertisements) collected by the financial institution.5 In addition, this exemption does not apply to the consumer’s right to sue for statutory damages as a result of a data breach.6
What if my business is subject to the CCPA?
The CCPA has several onerous requirements that will require significant preparation in advance of the CCPA effective date of January 1, 2020. Therefore, businesses subject to the CCPA will need to plan and start their compliance efforts immediately.
Notice Requirement: At or before the time of collecting personal information, the business must provide notice of the categories of personal information to be collected, and the purposes for which they will be used.
Disclosure Requirements: Upon request of a consumer, the business must disclose the following:
Delivery of Personal Information: Upon request of a consumer, up to twice in a 12-month period, the business must deliver to the consumer all of the consumer’s personal information collected.
Right to be Forgotten: Each business must notify consumers of their right to request the business to delete all of the consumer’s personal information. Certain exceptions permit the business to retain personal information for specific purposes.
Non-Discrimination: With limited exceptions, businesses are prohibited from discriminating against a consumer because the consumer exercised any of the consumer’s rights under the Act, including denying goods or services, charging different prices, providing a different level of quality of goods or services, or suggesting that the consumer will receive a different price or level of quality of goods or services.
What should businesses be doing between now and January 1, 2020?
In order to be in a position to satisfy these requirements by the effective date, businesses subject to the CCPA will need to take the following actions, starting now: