As discussed in Part 1, the California Consumer Privacy Act of 2018 (CalCoPA) is a game-changing privacy act that sets a new bar for consumer privacy rights in the U.S. The primary reason it differs from existing legislation is that it goes beyond merely having to provide assurances or notices and requires organizations to be prepared to respond to individual requests with disclosures regarding consumers’ data collection and use.
The Act was Amended last week to add some explicit preemptions and to extent the timetable for the California Attorney General to promulgate rules and procedures governing opt-out to the sale of personal information and for making and responding to the requests for disclosures discussed below, among other things. It is likely that CalCoPA will be amended again, but nevertheless organizations should not delay in considering its impact. Although the act references January 1, 2020, affected organizations should start considering its implications as soon as possible. January 1, 2020, is the date that consumers can “request a business to disclose the categories and specific pieces of personal information that it collects about the consumer, the categories of sources from which that information is collected, the business purposes for collecting or selling the information, and the categories of 3rd parties with which the information is shared.” An important point is that those disclosures must cover the preceding 12 months. In other words, as of January 1, 2019, affected organizations must have made what could be significant changes to the way they process and track data to insure they can comply with the disclosure requirements.
At a high level the disclosures will have to cover essentially all the details as to what information is collected from and about a consumer for the preceding 12 months, as well as essentially all the details as to what information about a consumer was sold to other entities in the preceding 12 months. We will not get into the specifics on those disclosures here, because we first need to address the critical threshold question that you should be asking—will my organization be subject to CalCoPA?
Figure 1 shows a quick reference flow chart to tell if your organization is subject to CalCoPA. Although the decision points are fairly straightforward, some elaboration is necessary.
The first point of note is that CalCoPA only applies to entities operated for “profit or financial benefit” of owners or shareholders. If your organization fits that description you have to consider whether you collect personal information about California residents and do business in California. Although the act uses the term “consumer” throughout, it defines consumer to mean California resident. However, the location of the consumer during the collection is not limited so if you collect personal information from a California resident in any context it could be applicable.
While the precise delineation of “doing business in California” is not provided, there are other California regulations that have provided a definition. One that may be a good reference point is from the California Corporations Code that defines “doing business” as “transact[ing] intrastate business,” which is further specified as “entering into repeated and successive transactions of its business in [California].” Given that CalCoPA is a privacy law, one might expect the protection to be broadly construed such that this doing business requirement may not provide much limitation. California could construe this act’s “doing business” to mean not much more than entering into transactions where a California consumer’s personal information is obtained and where the transaction involves either the consumer, the organization, or possibly some other aspect of the transaction physically located in California. An example of a situation that is likely safely excluded is if the organization only interacts with California consumers in a physical location outside of California, such as a brick and mortar store in another state. However, such a store that then ships store purchases to residents back in California may be in a gray area until further guidance is available.
If your organization does (or may) collect California residents’ personal information and does business in California, CalCoPA will only apply if one or more of three thresholds are met: your organization (1.) has reasonably large annual revenue (>$25,000,000), (2.) processes (receives, buys, sells, shares) personal information for over 50,000 consumers annually, or (3.) derives over half of its revenue from selling consumers’ personal information. Keep in mind that “consumer” here is still limited to California residents. So the first category relates to the size of the company only, while the other two relate to how much California consumer information the company handles on a gross and relative scale, respectively.
One important twist involves the second threshold, which in full states: “(B) Alone or in combination, annually buys, receives for the business’ commercial purposes, sells, or shares for commercial purposes, alone or in combination, the personal information of 50,000 or more consumers, households, or devices.” Unpacking the definitions of personal information, which includes a large number of categories including identifiers such as Internet Protocol (IP) addresses, and the defintion of “device,” which is “any physical device capable of connecting to the Internet,” suggests this threshold should be studied carefully as it may be the lowest bar for many companies. The full list of categories of personal information are listed below, but consider that merely collecting the IP address of separate devices could make this threshold fairly easy to meet.
Organizations should quickly get a handle on whether CalCoPA will apply to them, or if it may in the future in view of evolving business developments. If so, they should begin to make the changes necessary to insure the ability to comply with the requests for records starting on January 1, 2019.
(1) “Personal information” means information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household. Personal information includes, but is not limited to, the following:
(A) Identifiers such as a real name, alias, postal address, unique personal identifier, online identifier Internet Protocol address, email address, account name, social security number, driver’s license number, passport number, or other similar identifiers.
(B) Any categories of personal information described in subdivision (e) of Section 1798.80.
(C) Characteristics of protected classifications under California or federal law.
(D) Commercial information, including records of personal property, products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies.
(E) Biometric information.
(F) Internet or other electronic network activity information, including, but not limited to, browsing history, search history, and information regarding a consumer’s interaction with an Internet Web site, application, or advertisement.
(G) Geolocation data.
(H) Audio, electronic, visual, thermal, olfactory, or similar information.
(I) Professional or employment-related information.
(J) Education information, defined as information that is not publicly available personally identifiable information as defined in the Family Educational Rights and Privacy Act (20 U.S.C. section 1232g, 34 C.F.R. Part 99).
(K) Inferences drawn from any of the information identified in this subdivision to create a profile about a consumer reflecting the consumer’s preferences, characteristics, psychological trends, preferences, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes.