When the California Consumer Privacy Act (CCPA) takes effect in January 2020, it will grant California residents new rights regarding their personal information and will impose new and significant obligations on businesses that collect this information. The CCPA applies to all types of for-profit business entities — from sole proprietorships to corporations — that meet one of three criteria: (1) the business has gross revenues in excess of $25 million; (2) the business annually buys, receives, sells, or shares the personal information of 50,000 or more California residents; or (3) the business derives 50% or more of its annual revenues from selling California residents' personal information. Cal. Civ. Code § 1798.140(c).
At first blush, it might appear that the CCPA will not apply to many businesses, especially small businesses outside California that are not involved in brokering data. But a deeper dive into the CCPA demonstrates that the 50,000-consumer threshold is rather easy to overcome and could apply to many U.S. and foreign businesses.
First, even if a business is not based in California and does not have a physical location in California, the CCPA still applies if the business annually collects the data of 50,000 or more California residents. Moreover, the CCPA broadly defines personal information to encompass "information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household." Cal. Civ. Code § 1798.140(o)(1). This includes not only the usual personal information categories such as names, addresses, Social Security numbers, and driver's license numbers, but also additional categories such as IP addresses, purchasing or consuming histories, browsing history, and information regarding a consumer's interaction with a website. Cal. Civ. Code § 1798.140(o)(1)A–J.
Consequently, if a business's website collects IP addresses, as most do, amassing the personal information of 50,000 California consumers could happen quickly. In fact, this threshold would be met if the website were visited by an average of just 137 California residents per day over the course of the year. This could also be a concern for bloggers and other individuals realizing profits from social media, whose websites may collect personal information from more than 50,000 Californians every year.
Businesses should also be aware that they could be subject to the CCPA if their parent or subsidiary company annually collects the personal information of 50,000 or more California residents. Under section 1798.140(c)(2), "business" is defined to include any entity that controls or is controlled by a business and that shares "common branding," meaning a shared name, service mark, or trademark.
In this digital age in which sales are conducted online and internet advertising is ubiquitous, the CCPA has the potential to affect many more businesses than it would seem at first glance. To avoid potential fines and penalties, businesses should carefully assess whether the CCPA applies and, if so, ensure that they are in compliance.