Does the California Consumer Privacy Act (CCPA) apply to your business?

This article was based on the “Understanding the California Consumer Privacy Act (CCPA)” Practice Note, one of more than 68,000 resources available in Practical Law. This article is accurate as of the date of its publication.

The State of California is often ahead of other U.S. states in creating laws around individuals’ privacy protections. So unsurprisingly, the state became the first to enact a comprehensive consumer privacy law in June 2018, creating the California Consumer Privacy Act of 2018 (CCPA).

Amended in October 2019, the CCPA will go into effect on January 1, 2020 (with some exceptions), although enforcement for most provisions may not begin until July 31, 2020. The law will grant residents of California new rights regarding their personal information and impose strict data protection responsibilities on those companies, firms, or organizations that conduct business in California.

Businesses subject to the CCPA will need to review and adjust their practices as they prepare for the new requirements for handling personal information of California residents, including:

• Updating or creating privacy notices
• Deciding on consumer choice requirements for selling personal data
• Restricting data monetization business models
• Accommodating a consumer’s right to access their personal information
• Honoring the right to deletion
• Producing requested data in a portable format

Given the CCPA's expansive reach, businesses both inside California and around the world that collect and process the personal data of California residents may need to comply with its requirements.

How to determine if your business needs to comply

With such high stakes, how do you determine if your company, firm, or business is subject to the rules and regulations within the CCPA?

First, is your business a for-profit entity, sole proprietorship, partnership, limited liability company, corporation, association, or other legal entity, that directly, or by engaging others to act on its behalf, collects a California consumer’s personal information? And do you (either alone or jointly with others) determine the purpose and method of processing that personal information?

While this broad definition itself is rife with questions about the meaning and interpretation of words, it’s important to remember that courts are likely to view this definition in the broadest sense. Basically, if your business is any type of legally formed, for-profit venture that collects the personal data of California residents and meets the required thresholds, it may fall under the law's scope.

Of course, there are still important factors to consider. For example, what does the CCPA mean by the word “collect” in terms of collecting personal data? Again, the law defines the term in the broadest possible way, citing the term “collects” to mean buying, renting, gathering, receiving, accessing, or otherwise directly or indirectly obtaining personal information, through any means, including by observing the consumer’s behavior.

Next, the CCPA lays out several jurisdictional thresholds that these entities must meet before it covers them.

These include:

• Annual gross revenue of more than $25 million (adjusted for inflation)
• Buying, receiving, sharing, or selling the personal information of more than 50,000 consumers, households, or devices for commercial purposes
• Deriving 50 percent or more of its annual revenue from selling consumers’ personal information

If your business meets one of these jurisdictional thresholds, or it's controlled by and shares common branding with a covered business, the CCPA may apply.

While the CCPA does provide exceptions for certain business sectors with pre-existing privacy laws, such as healthcare providers and financial institutions, they are narrow and may not apply to all aspects of a covered business's operations. Therefore, all businesses meeting the CCPA's jurisdictional thresholds should take a close look at its requirements. 

What do you do if your business is subject to the CCPA?

As stated, the CCPA grants many new and additional rights to California consumers, and those rights carry with them numerous new obligations on the companies that are subject to the law.

Even before you make a final determination on whether the law applies to your business, smart organizations should take this opportunity to review their process and practices around data storage, data collection, and data sharing. Proactive reviews will give you a clearer roadmap to determine which sections of the CCPA do not apply to your business, and which sections will require compliance, especially if the business sells the personal information of California consumers.

It’s important to remember that the text of the CCPA contains many definitions, exemptions, special requirements, and qualifications. For example, amendments passed in October 2019 provide a temporary one-year exemption from most of the CCPA's requirements for employee-related personal information and certain business-to-business communications reflecting personal information. Seek qualified legal help to understand the CCPA better and determine how it may impact your business or organization.