Beginning on January 1, 2020, the California Consumer Privacy Act of 2018 (CCPA) will impose new privacy obligations on certain businesses that collect personal information of California consumers and are (or are jointly with others) responsible for determining the purposes and means of the processing of such information. This summary will assist U.S. businesses in making an initial determination of whether they might be subject to the CCPA once effective.
Is your business subject to the CCPA?
The CCPA applies to businesses — not nonprofits or governmental entities — that meet the following criteria:
- For-profit entity doing business in the State of California; and
  (a) Has annual gross revenues in excess of twenty-five million dollars ($25,000,000), subject to adjustment;
  (b) Handles data of more than 50,000 people or devices; or
  (c) Has 50% or more of revenue coming from selling personal information.
- Businesses that “control” or are “controlled by” or have “common branding” with a business that satisfies the above.
What is a Business for purposes of the CCPA?
Any sole proprietorship, partnership, limited liability company, corporation, association, or other legal entity that is not considered a nonprofit entity under the California Nonprofit Corporation Law.[1]
What does “doing business” in the State of California mean?
Although the CCPA does not define “doing business”, the typical analysis begins with looking at the California Revenue and Taxation Code (the “R&TC”).[2] A business is doing business in California if it actively engages in any transaction for the purpose of financial or pecuniary gain or profit in California or if any of the following conditions are satisfied:
- The business is organized or commercially domiciled in California.
- Sales, as defined in subdivision (e) or (f) of R&TC section 25120, of the business in California, including sales by the agents and independent contractors of the business, exceed the lesser of $500,000 or 25% of the business’s total sales. For purposes of R&TC Section 23101, sales in California are determined using the rules for assigning sales under R&TC 25135, R&TC 25136(b) and the regulations thereunder, as modified by regulations under Section 25137.
- Real and tangible personal property of the business in California exceed the lesser of $50,000 or 25% of the business’s total real and tangible personal property.
- The amount paid in California by the business for compensation, as defined in subdivision (c) of R&TC 25120, exceeds the lesser of $50,000 or 25% of the total compensation paid by the business.
- For the conditions above, the sales, property, and payroll of the taxpayer include the business’s pro rata or distributive share of pass-through entities. “Pass-through entities” means partnerships, LLCs treated as partnerships, or S corporations.[3]
How are annual gross revenues calculated?
There is currently no guidance that explains whether a business must take into consideration worldwide revenue or revenue from California operations. Conservatively, absent further guidance on this issue, a business doing business in California with annual gross revenue exceeding the $25 million threshold should begin preparing for the implementation of the CCPA.
What is “control”?
A business that controls or is controlled by a business covered by the CCPA is also considered to be covered by the CCPA. For purposes of this determination, the CCPA follows typical indicia of control: (i) common ownership of, or the power to vote, more than 50% of the outstanding shares of any class of voting security of a business; (ii) control in any manner over the election of a majority of the directors, or of individuals exercising similar functions; or (iii) the power to exercise a controlling influence over the management of a company.
What is “common branding”?
A business that shares common branding with a business covered by the CCPA is also considered to be covered by the CCPA. For purposes of this determination, the CCPA provides that common branding includes a shared name, servicemark, or trademark.
What exemptions might apply?
There are various partial exemptions available for certain types of information collected by entities that are also subject to federal privacy laws. The most important and potentially relevant exemptions apply to certain information processed pursuant to the protections of certain federal regimes; they do not apply to the businesses covered by these regimes. For example, HIPAA-covered entities (and business associates) are not exempt from the CCPA, but protected health information collected by a covered entity or business associate governed by the privacy, security and breach notification rules promulgated pursuant to HIPAA is exempt.[4] Note, however, that not all information collected by HIPAA-covered entities and business associates is “governed by” these rules. Therefore, IP addresses, for example, collected by a HIPAA-covered entity appear to be subject to the requirements and protections of the CCPA, even though protected health information collected by the same entity would be exempt.
Similarly, nonpublic personal information processed by a financial institution subject to the privacy, security and breach notification rules promulgated pursuant to the Gramm-Leach-Bliley Act would be exempt, but the financial institution would be required to comply with the CCPA with respect to other information (such as information collected when tracking website visitors or providing targeted online advertisements) collected by the financial institution.[5] In addition, this exemption does not apply to the consumer’s right to sue for statutory damages as a result of a data breach.[6]
What if my business is subject to the CCPA?
The CCPA has several onerous requirements that will require significant preparation in advance of the CCPA effective date of January 1, 2020. Therefore, businesses subject to the CCPA will need to plan and start their compliance efforts immediately.
Notice Requirement: At or before the time of collecting personal information, the business must provide notice of the categories of personal information to be collected, and the purposes for which they will be used.
Disclosure Requirements: Upon request of a consumer, the business must disclose the following:
- categories and specific pieces of the consumer’s personal information the business has collected;
- categories of sources from which personal information is collected;
- business or commercial purpose for collecting or selling personal information; and
- categories of third parties with whom the business shares personal information.
Delivery of Personal Information: Upon request of a consumer, up to twice in a 12-month period, the business must deliver to the consumer all of the consumer’s personal information collected.
Right to be Forgotten: Each business must notify consumers of their right to request the business to delete all of the consumer’s personal information. Certain exceptions permit the business to retain personal information for specific purposes.
Non-Discrimination: With limited exceptions, businesses are prohibited from discriminating against a consumer because the consumer exercised any of the consumer’s rights under the Act, including denying goods or services, charging different prices, providing a different level of quality of goods or services, or suggesting that the consumer will receive a different price or level of quality of goods or services.
What should businesses be doing between now and January 1, 2020?
In order to be in a position to satisfy these requirements by the effective date, businesses subject to the CCPA will need to take the following actions, starting now:
- Understand the data. What personal information does the business collect?
- Understand how personal information is processed, including to whom it is transmitted or made accessible, and where it is stored.
- Draft the required notices and disclosures.
- Build a process for responding to consumer demands, including protocols for deleting data.
- Review and, as necessary, amend contracts with third party service providers to ensure the business can compel its vendors to comply with CCPA requirements.
1. The California Nonprofit Corporation Law (Division 2 of Title 1 of the California Corporations Code) provides that non-profit entities can incorporate as Nonprofit Public Benefit Corporations, Nonprofit Mutual Benefit Corporations, or Non-profit Religious Corporations. The law further provides that an unincorporated nonprofit association must contain language in its creating document that the association is not allowed to keep the proceeds from business activities and the proceeds must be used for nonprofit purposes.
2. R&TC Section 23101.
3. Revenue and Taxation Code (R&TC) Section 23101.
4. CCPA Section (c)(1)(A).
5. CCPA Section 1798.145(e).
6. CCPA Section 1798.145(f).