Beginning on January 1, 2020, the California Consumer Privacy Act of 2018 (“CCPA”) will impose new privacy obligations on certain businesses that collect personal information of California consumers and are (or are jointly with others) responsible for determining the purposes and means of the processing of such information. This summary will assist U.S. businesses in making an initial determination of whether they might be subject to the CCPA once effective.
Is your business subject to the CCPA?
(a) Has annual gross revenues in excess of twenty-five million dollars ($25,000,000), subject to adjustment;
(b) Handles data of more than 50,000 people or devices; or
(c) Has 50% or more of revenue coming from selling personal information.
Any sole proprietorship, partnership, limited liability company, corporation, association, or other legal entity that is not considered a nonprofit entity under the California Nonprofit Corporation Law.1
What does “doing business” in the State of California mean?
Although the CCPA does not define “doing business”, the typical analysis begins with looking at the California Revenue and Taxation Code (the “R&TC”).2 A business is doing business in California if it actively engages in any transaction for the purpose of financial or pecuniary gain or profit in California or if any of the following conditions are satisfied:
What is “control”?
A business that controls or is controlled by a business covered by the CCPA is also considered to be covered by the CCPA. For purposes of this determination, the CCPA follows typical indicia of control: (i) common ownership of, or the power to vote, more than 50% of the outstanding shares of any class of voting security of a business; (ii) control in any manner over the election of a majority of the directors, or of individuals exercising similar functions; or (iii) the power to exercise a controlling influence over the management of a company.
What is “common branding”?
A business that shares common branding with a business covered by the CCPA is also considered to be covered by the CCPA. For purposes of this determination, the CCPA provides that common branding includes a shared name, servicemark, or trademark.
What exemptions might apply?
There are various partial exemptions available for certain types of information collected by entities that are also subject to federal privacy laws. The most important and potentially relevant exemptions apply to certain information processed pursuant to the protections of certain federal regimes. It is important to note that the exemptions do not apply to the businesses covered by these regimes. For example, HIPAA-covered entities (and business associates) are not exempt from the CCPA, but protected health information collected by a covered entity or business associate governed by the privacy, security and breach notification rules promulgated pursuant to HIPAA is exempt.4 Note, however, that not all information collected by HIPAA-covered entities and business associates is “governed by” these rules. Therefore, IP addresses, for example, collected by a HIPAA-covered entity appear to be subject to the requirements and protections of the CCPA, even though protected health information collected by the same entity would be exempt.
Similarly, nonpublic personal information processed by a financial institution subject to the privacy, security and breach notification rules promulgated pursuant to the Gramm-Leach-Bliley Act would be exempt, but the financial institution would be required to comply with the CCPA with respect to other information (such as information collected when tracking website visitors or providing targeted online advertisements) collected by the financial institution.5 In addition, this exemption does not apply to the consumer’s right to sue for statutory damages as a result of a data breach.6
What if my business is subject to the CCPA?
The CCPA has several onerous requirements that will require significant preparation in advance of the CCPA effective date of January 1, 2020. Therefore, businesses subject to the CCPA will need to plan and start their compliance efforts immediately.
Disclosure Requirements: Upon request of a consumer, the business must disclose the following:
Delivery of Personal Information: Upon request of a consumer, up to twice in a 12-month period, the business must deliver to the consumer all of the consumer’s personal information collected.
Right to be Forgotten: Each business must notify consumers of their right to request the business to delete all of the consumer’s personal information. Certain exceptions permit the business to retain personal information for specific purposes.
Non-Discrimination: With limited exceptions, businesses are prohibited from discriminating against a consumer because the consumer exercised any of the consumer’s rights under the Act, including denying goods or services, charging different prices, providing a different level of quality of goods or services, or suggesting that the consumer will receive a different price or level of quality of goods or services.
In order to be in a position to satisfy these requirements by the effective date, businesses subject to the CCPA will need to take the following actions, starting now:
We will be publishing additional Quick Studies on the CCPA to help clients understand the various requirements. For more information or assistance with determining whether your business is subject to the CCPA or otherwise in preparing during 2019 to comply with the CCPA, please contact any member of our team.
1. The California Nonprofit Corporation Law (Division 2 of Title 1 of the California Corporations Code) provides that nonprofit entities can incorporate as Nonprofit Public Benefit Corporations, Nonprofit Mutual Benefit Corporations, or Nonprofit Religious Corporations. The law further provides that an unincorporated nonprofit association must contain language in its creating document that the association is not allowed to keep the proceeds from business activities and the proceeds must be used for nonprofit purposes.
2. R&TC Section 23101.
3. Revenue and Taxation Code (R&TC) Section 23101.
4. CCPA Section (c)(1)(A).
5. CCPA Section 1798.145(e).
6. CCPA Section 1798.145(f).