California Consumer Privacy Act: Applicability
June 13, 2019
This is our Data Privacy & Cybersecurity Practice Group’s first client alert in a series that will break down the major elements of the California Consumer Privacy Act (CCPA). This alert focuses on the CCPA’s applicability.
California’s new privacy law, the CCPA, goes into effect on January 1, 2020. It is the most expansive state privacy law in US history, imposing GDPR-like transparency and individual rights requirements on companies. The law will impact nearly every entity that handles “personal information” regarding California residents, including (at least for now) employees. An overview of the CCPA’s applicability is set forth below.
Who Will the CCPA Impact?
Most of the CCPA’s obligations apply directly to a “business,” which is an entity that:
1. Handles personal information about California residents
2. Determines the purposes and means of processing that personal information
3. Does business in California and meets one of the following threshold requirements:
a. Has annual gross revenues in excess of US$25 million
b. Annually handles personal information regarding at least 50,000 consumers, households, or devices
c. Derives 50% or more of its annual revenue from selling personal information
However, “service providers” that handle personal information on behalf of a business and other third parties that receive personal information will also be impacted. As currently written, the CCPA does not apply to nonprofit organizations.
The CCPA’s three threshold requirements seem relatively straightforward, yet upon examination raise additional questions that will need to be clarified down the road. For example:
• Does the 50,000 devices threshold cover devices of California residents only, or apply more broadly?
• Is the US$25 million annual revenue trigger applicable only to revenue derived from California or globally?
• What timeframe do businesses that suddenly find themselves within the CCPA’s ambit have to bring themselves into compliance with its provisions?
What is Personal Information as Defined in the CCPA?
The CCPA defines personal information broadly in terms of (a) types of individuals and (b) types of data elements. First, the term “consumer” refers to, and the CCPA applies to data about, any California resident, which ostensibly includes website visitors, business-to-business (B2B) contacts and (at least for now) employees. It is not limited to business-to-consumer customers that actually purchase goods or services. Second, the data elements that constitute personal information include nonsensitive items that historically have been less regulated in the US, such as internet browsing histories, IP addresses, product preferences, purchasing histories, and inferences drawn from any other types of personal information described in the statute, including:
• Identifiers, such as name, address, phone number, email…