California Consumer Privacy Act FAQs For Covered Businesses | Jackson Lewis P.C.October 11, 2019
Set to take effect January 1, 2020, the California Consumer Privacy Act (CCPA), considered one of the most expansive U.S. privacy laws to date, places limitations on the collection and sale of a consumer’s personal information and provides consumers certain rights with respect to their personal information.
Organizations should be doing their best to determine if they have CCPA obligations directly as a business, because they control or are controlled by a business, or because they have contractual obligations flowing from a business.
These FAQs should help businesses determine whether they are indeed subject to the CCPA, and, if so, learn more about the CCPA’s obligations and how to implement policies and procedures to ensure compliance.
1. Which businesses does the CCPA apply to?
In general, the CCPA applies to a “business” that:
A. Does business in the State of California;
B. Collects personal information (or on behalf of which such information is collected);
C. Alone or jointly with others determines the purposes or means of processing of that data; and
D. Satisfies at least one of the following:
- Annual gross revenue in excess of $25 million;
- Alone or in combination, annually buys, receives for the business’s commercial purposes, sells, or shares for commercial purposes, alone or in combination, the personal information of at least 50,000 consumers, households, or devices; or
- Derives at least 50 percent of its annual revenues from selling consumers’ personal information.
“Annual Gross Revenue” and “50,000 or more consumers.” Some of the thresholds for determining whether a business is covered by the CCPA remain unclear. For example, it is still unclear whether annual gross revenue is to be measured globally or only from California sources. In the case of the threshold for collecting personal information of at least 50,000 consumers each year, many businesses may not realize how easily this number could be reached. One reason is these businesses are not yet familiar with how broadly “personal information” is defined (see below). Attorney General regulations may help to clarify these and other remaining questions about the application of some of the law’s key provisions.
Related entities and not-for-profits. Under the CCPA, a “business” can be a “sole proprietorship, partnership, limited liability company, corporation, association, or other legal entity that is organized or operated for the profit or financial benefit of its shareholders or other owners.” Thus, for example, a business under this definition generally would not include a not-for-profit or governmental entity. It also would not include a corporation that meets the first three criteria above, but not the fourth.
However, a “business” under CCPA also includes any entity that controls or is controlled by a business that meets the requirements above and that shares common branding with such a business. “Control,” for this…