California Online Privacy Protection Act of 2003 (“CalOPPA”)
California Consumer Privacy Act (“CCPA”)
- Has annual gross revenues of $25,000,000 or more;
- Buys, receives, sells or shares the PII of at least 50,000 California consumers, households or devices; or
- Derives at least 50% of its annual revenue from selling the PII of California consumers.
Does the CCPA apply to child companies if the parent company is required to comply with this law?
The CCPA does apply to any entity that controls or is controlled by a business that meets the requirements above and shares common branding so yes, it could apply to subsidiaries or child companies. In this case, “control” is defined as:
- Ownership of, or the power to vote, more than 50% of the outstanding shares of any class of voting security of a business;
- Control in any manner over the election of a majority of the directors, or of individuals exercising similar functions; or
- The power to exercise a controlling influence over the management of a company.
Common branding means a shared name, service mark or trademark. If your business meets these conditions, then you would be required to comply with the law if your parent company is required to comply as well.
Does the CCPA apply to not for profits?
The CCPA defines “business” as a sole proprietorship, partnership, limited liability company, or other legal entity that is organized or operated for the profit or financial benefit of its shareholders or other owners. Therefore, it appears that the CCPA does not apply to not for profit organizations.
Who is exempt from the CCPA?
The following types of businesses and transactions are exempt from the requirements of the CCPA:
- Employee information used solely in the context of the employee-employer relationship;
- Vehicle or vehicle ownership information retained or shared between a new motor vehicle dealer and the vehicle’s manufacturer;
- Protected Health Information collected by covered entities and business associates subject to HIPAA;
- Information collected as part of a clinical trial subject to the Federal Policy for the Protection of Human Subjects;
- Financial information subject to the Gramm-Leach-Bliley Act;
- Consumer reporting information covered by the Fair Credit Reporting Act;
- Driver information covered by the Driver’s Privacy Protection Act of 1994.
Can smaller companies be required to comply with the CCPA by their clients or vendors?
Vendor management is a large part of CCPA compliance. If the law does not apply to you by statute, make sure that you check your contracts to see whether your clients or vendors require you to comply with the CCPA via contract.
Nevada Revised Statutes Chapter 603A
- Owns and operates a website for commercial purposes;
- Collects and maintains the personal information of consumers who reside in Nevada and use or visit the Internet website; and
- Purposefully directs its activities towards Nevada, consummates a transaction with the State of Nevada or a resident of Nevada, purposefully avails itself of the privilege of conducting activities in Nevada or otherwise engages in any activity that constitutes sufficient nexus with Nevada to satisfy the requirements of the US Constitution.
Delaware Online Privacy and Protection Act (“DOPPA”)
Virginia Consumer Data Protection Act (“VCDPA”)
- During a calendar year, control or process the personal data of at least 100,000 residents of Virginia; or
- Control or process the personal data of at least 25,000 consumers, and derive 50% of gross revenue from the sale of personal data.
Colorado Privacy Act
The Colorado Privacy Act is a privacy law that goes into effect on July 1, 2023 and that protects the privacy of residents of Colorado. As with other privacy laws, the Colorado Privacy Act has a broad reach and applies to controllers of personal data that: conduct business in Colorado or produce or deliver commercial products or services that are intentionally targeted towards residents of Colorado and satisfy one of the following thresholds:
- Control or process the personal data of 100,000 or more Colorado consumers during the calendar year; or
- Derive revenue or receive a discount from the sale of personal data and collect or process the personal data of 25,000 ore more Colorado consumers.
General Data Protection Regulation (“GDPR”)
GDPR is a privacy law that protects the privacy rights of residents of the European Union. GDPR has a reach far outside of the EU and applies to you if you:
- Are located in the European Union;
- Offer goods or services to European Union residents, regardless of your location;
- Monitor the behavior of European Union residents, regardless of your location.
Personal Information Protection and Electronic Documents Act (“PIPEDA”)
Australia Privacy Act of 1988
- Private sector healthcare providers;
- Businesses that sell or purchase personal information;
- Credit reporting bodies;
- Contracted service providers for Australian government contracts;
- Employee associations registered or recognized under the Fair Work (Registered Organisations) Act 2009;
- Businesses that have opted in to comply with the law;
- Businesses that are related to a business covered by the law; and
- Businesses prescribed by the Privacy Regulation 2013.
In addition, organizations formed outside of Australia may need to comply with this law, regardless of revenue, if they have an Australian link. Your organization has an Australian link if it carries on business in Australia and collects and holds personal information in Australia. In assessing whether an entity carries on business in Australia, the following factors need to be considered:
- The entity has a place of business in Australia;
- People who undertake business acts for the entity are located in Australia;
- The entity has a website that offers goods or services to Australian consumers;
- Australia is one of the countries on the drop-down menu appearing on the entity’s website;
- Web content that forms part of carrying on the business was uploaded by or on behalf of the entity, in Australia;
- Business or purchase orders are assessed or acted upon in Australia; or
- The entity is the registered proprietor of trademarks in Australia.
Donata is the Co-founder and President of Termageddon, an auto-updating generator of website and application policies. She is a licensed attorney and Certified Information Privacy Professional. She also serves as the Vice-Chair of the American Bar Association’s ePrivacy Committee and the Chair of the Chicago Chapter of the International Association of Privacy Professionals. In her free time, Donata enjoys beekeeping, hunting for morel mushrooms, and walks with her husband and two dogs.