California Online Privacy Protection Act of 2003 (“CalOPPA”)
California Consumer Privacy Act (“CCPA”)
- Has annual gross revenues of $25,000,000 or more;
- Buys, receives, sells or shares the PII of at least 50,000 California consumers, households or devices; or
- Derives at least 50% of its annual revenue from selling the PII of California consumers.
Does the CCPA apply to child companies if the parent company is required to comply with this law?
Yes, it could. The CCPA applies to any entity that controls or is controlled by a business that meets the requirements above and shares common branding with it, so it could apply to subsidiaries or child companies. In this case, “control” is defined as:
- Ownership of, or the power to vote, more than 50% of the outstanding shares of any class of voting security of a business;
- Control in any manner over the election of a majority of the directors, or of individuals exercising similar functions; or
- The power to exercise a controlling influence over the management of a company.
Common branding means a shared name, service mark or trademark. If your business meets these conditions, then you would be required to comply with the law if your parent company is required to comply as well.
Does the CCPA apply to not-for-profits?
The CCPA defines “business” as a sole proprietorship, partnership, limited liability company, or other legal entity that is organized or operated for the profit or financial benefit of its shareholders or other owners. Therefore, it appears that the CCPA does not apply to not-for-profit organizations.
Who is exempt from the CCPA?
The following types of businesses and transactions are exempt from the requirements of the CCPA:
- Employee information used solely in the context of the employee-employer relationship;
- Vehicle or vehicle ownership information retained or shared between a new motor vehicle dealer and the vehicle’s manufacturer;
- Protected Health Information collected by covered entities and business associates subject to HIPAA;
- Information collected as part of a clinical trial subject to the Federal Policy for the Protection of Human Subjects;
- Financial information subject to the Gramm-Leach-Bliley Act;
- Consumer reporting information covered by the Fair Credit Reporting Act;
- Driver information covered by the Driver’s Privacy Protection Act of 1994.
Can smaller companies be required to comply with the CCPA by their clients or vendors?
Vendor management is a large part of CCPA compliance. If the law does not apply to you by statute, make sure that you check your contracts to see whether your clients or vendors require you to comply with the CCPA via contract.
Nevada Revised Statutes Chapter 603A
- Owns and operates a website for commercial purposes;
- Collects and maintains the personal information of consumers who reside in Nevada and use or visit the Internet website; and
- Purposefully directs its activities towards Nevada, consummates a transaction with the State of Nevada or a resident of Nevada, purposefully avails itself of the privilege of conducting activities in Nevada or otherwise engages in any activity that constitutes sufficient nexus with Nevada to satisfy the requirements of the US Constitution.
Delaware Online Privacy and Protection Act (“DOPPA”)
General Data Protection Regulation (“GDPR”)
GDPR is a privacy law that protects the privacy rights of residents of the European Union. GDPR has a reach far outside of the EU and applies to you if you:
- Are located in the European Union;
- Offer goods or services to European Union residents, regardless of your location;
- Monitor the behavior of European Union residents, regardless of your location.
Personal Information Protection and Electronic Documents Act (“PIPEDA”)
Australia Privacy Act of 1988
- Private sector healthcare providers;
- Businesses that sell or purchase personal information;
- Credit reporting bodies;
- Contracted service providers for Australian government contracts;
- Employee associations registered or recognized under the Fair Work (Registered Organisations) Act 2009;
- Businesses that have opted in to comply with the law;
- Businesses that are related to a business covered by the law; and
- Businesses prescribed by the Privacy Regulation 2013.