The CCPA: California Consumer Privacy Act requires certain businesses to make a number of rights available for consumers, including providing consumers with the ability to opt-out of the sale of their personally identifiable information (PII), request the deletion of their collected PII, and request disclosures regarding what PII has been collected and what third parties have accessed the PII.
The CCPA specifies what qualifies as a “covered entity” under the CCPA, in other words, the businesses that must comply with the legislation. As is the case with other privacy laws, such as the General Data Protection Regulation (GDPR), the CCPA does not just apply to businesses located within California. Under certain circumstances, the CCPA applies to businesses located outside the state as well.
This article will discuss the following topics:
- The CCPA’s definition of covered entities
- Entities not covered by the CCPA
- The CCPA’s reach beyond California
The CCPA’s definition of covered entities:
Any entity that meets the definition of a “business” under the CCPA must comply with the law. A “business” is defined by the CCPA as “a sole proprietorship, partnership, limited liability company, corporation, association, or other legal entity that is organized or operated for the profit or financial benefit of its shareholders or other owners, that collects consumers’ personal information, or on the behalf of which such information is collected and that alone, or jointly with others, determines the purposes and means of the processing of consumers’ personal information, that does business in the State of California . . . .”
In addition to qualifying under the above definition, the business must meet one of the following three criteria:
- Have an annual gross revenue in excess of twenty-five million dollars ($25,000,000);
- Alone or in combination, annually buys, receives for the business’ commercial purposes, sells, or shares for commercial purposes, alone or in combination, the personal information of 50,000 or more consumers, households, or devices; or
- Derives 50% or more of its annual revenues from selling consumers’ personal information.
With respect to the business’s “annual gross revenue,” the CCPA does not distinguish between revenue derived from California-based entities and revenue collected outside of California. The definition of “business” simply refers to an entity qualifying as a sole proprietorship, limited liability company, corporation, association, or another legal entity. This could imply that the drafters of the law never intended to exclude between revenue streams located inside and outside of the state, so long as the revenue in its entirety amounted to an excess of $25,000,000. The pending CCPA regulations may soon clarify the parameters governing the calculation of annual gross revenue.
Entities that “control” or are “controlled by” businesses as defined by the CCPA and share common branding (defined as sharing a name, servicemark, or trademark) are also obligated to comply with the law. “Control” or “controlled by” is defined as one of the following:
- Ownership of, or the power to vote, more than 50 percent of the outstanding shares of any class of voting security of a business;
- Control in any manner over the election of a majority of the directors, or of individuals exercising similar functions; or
- The power to exercise a controlling influence over the management of a company.
Entities not covered by the CCPA:
Recall that the definition of a covered business under the CCPA includes entities that are “for the profit or financial benefit of its shareholders or other owners . . . .” As such, both not-for-profit businesses as well as government entities are not covered entities under the CCPA and are not required to comply with the law.
Additionally, covered entities under federal law may be exempted from the requirements of the CCPA. In the healthcare context, covered entities under the Health Insurance Portability and Accountability Act (HIPAA) must comply with prescribed privacy and security rules pursuant to safeguarding protected health information (PHI). In the financial services context, covered entities under the Gramm-Leach-Bliley Act (GLBA) must take specific measures to protect the financial data of customers.
Because a number of federal privacy laws have already been implemented and enforced in various sectors, the CCPA has expressly exempted covered entities under those federal laws. The following covered entities under federal law are exempted under the CCPA:
- Covered entities under both the Confidentiality of Medical Information Act and HIPAA who collect PHI
- Consumer Reporting Agencies under the Fair Credit Reporting Act involved in the sale of information to be reported in, or used to generate, a consumer report
- Covered entities under the GLBA who collect, process, sell, or disclose protected information, if such activity is in conflict with the CCPA
- Covered entities under the Driver’s Privacy Protection Act who collect, process, sell, or disclose personal information under the law, if such activity is in conflict with the CCPA
With respect to these exemptions, it is important to note that once the information governed by federal law no longer qualifies for protection, the CCPA and all of its requirements may apply to that information. For example, PHI under HIPAA may, under certain circumstances, “convert” to protected information under the CCPA. This may occur whenever the PHI under HIPAA is “de-identified” (and is no longer governed by HIPAA) but nevertheless qualifies as “identifiable” under the CCPA. Thus, the business responsible for the information would potentially become a covered entity under the CCPA.
The CCPA’s reach beyond California:
The CCPA’s definition of a covered entity requires that it do business “in the State of California.” Neither the legislation nor the enforcement regulations address what constitutes doing business in the state. However, California tax law may offer some clarity on what qualifies as such. With respect to California tax law, entities are deemed “businesses” subject to state taxes if they meet any of the following three conditions:
- The entity is engaged in any transaction pursuant to financial gain in California;
- The entity is organized or commercially domiciled in California; or
- The entity’s property, payroll, or sales taxes exceeds $601,967 (as of 2019) or 25% of total property and payroll
Additionally, entities may be considered “businesses” under the CCPA if they “purposefully avail themselves” to jurisdiction by a California court. Generally, entities have purposefully availed themselves when they have “minimum contacts” within the state, the claim asserted against the entity is related to those contacts, and the court’s exercise of jurisdiction over the claim is reasonable.
Regardless of the precise definition, the implication is that businesses need not be located with California’s jurisdiction to be subject to the CCPA’s requirements. Provided that an entity is otherwise defined as a “business” (and meets one of the three criteria specified above), entities with online customers located in California or those that manufacture and/or sell products in California may be subject to the CCPA regardless of where the entity is officially located. As the enforcement period for the CCPA begins in July, the California Attorney General may release additional guidance on this point.
Tyler is a third year law student attending Seton Hall University School of Law. He is a Certified Information Privacy Professional (CIPP/U.S.) as well as the Founder and President of the Cybersecurity and Privacy Society of his law school, a student organization dedicated to exploring major legal issues in all things technology, from data privacy to Artificial Intelligence. The organization is also dedicated to helping law students find career opportunities in the growing fields of cybersecurity and privacy.