February 13, 2019

California and European Privacy FAQs: If a company is based in California, will the CCPA apply to all data processed by the company?

BCLP

+ Follow Contact

Send

Embed

The California Consumer Privacy Act ("CCPA") was enacted in early 2018 as a political compromise to stave off a poorly drafted, and plaintiff’s friendly ballot initiative. Although the CCPA is scheduled to go into force in early 2020, there is a great deal of confusion regarding the requirements of the CCPA, including the degree to which it aligns with other privacy regulations such as the European General Data Protection Regulation (“GDPR”).

To help address that confusion, BCLP published the California Consumer Privacy Act Practical Guide, and is publishing a multi-part series that discusses the questions most frequently asked by clients concerning the CCPA.

Q. If a company is based in California, will the CCPA apply to all data processed by the company?

Not necessarily.

Assuming that the CCPA applies to a company (i.e., it does business in California, and either has gross revenue in excess of $25 million, transacts personal information involving 50,000 or more consumers, or derives 50% of its revenue from selling personal information), the Act will only impact data that the company holds about “consumers.” “Consumer” is defined by the Act only to include a “natural person who is a California resident.”¹ As a result, if a California-based company processes personal information about a resident of another state – or a resident of another country – that information should not be subject to the CCPA.

In comparison, European privacy laws have a larger scope. Specifically the GDPR applies to companies that process data “in the context of the activities of an establishment . . . in the Union.”² As a result, if a company either processes data in Europe or makes decisions about the processing of data in Europe, the act of utilizing its European establishments arguably subjects the processed data to the scope of the GDPR regardless of whether the information relates to Europeans or non-Europeans (e.g., Americans).

The net result is that if Company A (with revenue over $25 million) is based in Palo Alto and collects data about both Europeans and Americans in order to offer a new mobile application, the CCPA should only apply to the information collected about Californians and should not apply to the information collected from residents in other states or in Europe. If Company A were instead based in France, a supervisory authority would likely argue that all of the data (European and American) collected by Company A is governed by the GDPR.³

1. CCPA, Section 1798.140(g).

2. GDPR, Article 3(1) (emphasis added).

3. EDPB, Guidelines 3/2018 on the territorial scope of the GDPR (Article 3) – Version for public consultation (16 Nov. 2018) at 8.

[View source.]

Send Print Report

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.