CCPA: My Business Isn’t Based In California – Should I Be Taking Action?
Data privacy is fast becoming one of the most widely regulated areas, and the last two years have been the most influential of all. The introduction of the General Data Protection Regulation (the “GDPR”) changed the privacy landscape globally. In part, this was due to its extra-territorial application, meaning that certain businesses outside the EU fall within its scope and must comply with its provisions. Organisations worldwide were suddenly faced with having to take varying degrees of action to comply with the GDPR, and now many of those organisations, plus many more, are looking towards compliance with the next significant piece of privacy legislation: the California Consumer Privacy Act (the “CCPA”), Cal. Civ. Code § 1798.100 et seq.
On 1st January 2020, the CCPA will take effect (although the Attorney General will not begin enforcing the law until six months after the final implementing regulations are published, or 1st July 2020, whichever comes first). The California Attorney General recently released draft implementing regulations for the CCPA, which are open to initial public comment until 6th December 2019 and are expected to be finalised in the spring of 2020.
The CCPA gives California residents important new rights in relation to their personal information. Like the GDPR, the CCPA also appears to have extra-territorial effect (see below for further discussion), and organisations should therefore conduct an analysis to confirm whether they will fall within the remit of the CCPA and, if so, what steps, if any, they need to take towards compliance.
The CCPA provides protections and rights in relation to the “personal information” of California residents. A California resident is defined as: (i) an individual who is in the State for other than a temporary or transitory purpose; or (ii) an individual who is domiciled in the State but is outside the State for a temporary or transitory purpose. In the simplest terms, a resident is an individual who lives in California, and the rights provided under the CCPA do not cease to exist when the individual leaves California for a temporary period, such as a holiday. However, the CCPA caveats this slightly by clarifying that it does not apply to the collection or sale of personal information “if every aspect of that commercial conduct takes place wholly outside of California”.
The definition of “resident” is different to that of the “data subject” under the GDPR. Unlike the CCPA, the GDPR does not, by default, link the applicability of its provisions to the geographical location of the data subject: if an organisation is established in the EU and processes the personal data of data subjects located outside the EU, that organisation must still comply with the GDPR.
The CCPA requires that an organisation “do [ ] business in the State of California” for it to apply. The phrase “doing business in the State of California” is not defined in the CCPA, though the best interpretation of the CCPA’s reach is that it can apply to businesses without a physical presence in California so long as they collect the personal information of California residents, as defined above. The CCPA could therefore apply, for example (subject to satisfying the additional criteria identified below), to an online retailer based in the UK that markets and sells its goods globally, including to California residents.
The definition of “personal information” under the CCPA, whilst worded differently, is broadly consistent with the definition of “personal data” under the GDPR. “Personal information” is defined in the CCPA as “information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” Note that the CCPA definition extends to information linked to a household, not only to an identifiable individual, which is broader than the GDPR concept of personal data.
Who must comply?
In order to fall within the scope of the CCPA, an organisation must:
collect the personal information of California residents (either directly or through a third party);
be “for-profit”, therefore excluding, for example, not-for-profit charities or public authorities;
“do [ ] business in the State of California”;
determine the purposes and means of processing, like a controller under the GDPR; and
meet at least one of the following thresholds:
generate annual gross revenue in excess of $25 million;
buy, receive, sell or share the personal information of 50,000 or more California residents, households or devices annually; or
derive at least 50 percent of its annual revenue from selling the personal information of California residents.
The CCPA also applies to any entity that controls, or is controlled by, a business that meets the requirements above and that shares common branding with such a business.