Industry Issues, Part 1: Where Doesn’t the CCPA Apply?
“And now we have this new law—the CPA or CCPA or Ca-C-Pah. I don’t even know; it doesn’t even have a good acronym. My compliance people are telling me to just avoid breathing in the state of California!”
It was October 2018, and the California Consumer Privacy Act (CCPA, not “Ca-C-Pah”) had been signed into law a few months earlier. The atmosphere at the privacy conference was ripe with uncertainty and apprehension about what it would mean to do business in California, particularly if that business relied in any way on the collection of consumer data. Sound familiar?
Even though January 1, 2020 is on the horizon, the California legislature has been slow to provide much needed clarification about the scope and application of the law and to calm the anxiety surrounding its eventual implementation. As of today, even critical compliance issues, such as whether the law will apply to internal employee data collected as part of normal business operations—remain unclear. In the interim, those of us who have been digesting the law obsessively since its passage and monitoring the amendment process are struggling to build CCPA compliant programs because, to paraphrase my favorite show, CCPA winter is coming!
We have written regularly about, among other things, the exemptions under the law, litigation risks, and the copycat legislation springing up around the country. But perhaps it is time to take a step back and look at the basic question: Does CCPA apply to your business at all?
To start, the law addresses for-profit entities “doing business” in the state that either: (1) have over $25 million in revenue annually; (2) collect personal information from over 50,000 consumers, devices, or households annually; or (3) receive more than 50% of revenue annually from the sale of personal information. Cal. Civ. Code § 1798.140(c). These three factors make it clear that a business does not actually have to be in the state to be conducting business in the state, extending the reach of the law. However, while these three factors cast a wide net, they also serve as a threshold, excluding any entity that does not satisfy any of the elements.
This means that there is a possibility that the law will not apply:
- if you are business that may or may not be based in California but to which none of the three factors apply. Examples would be a small local corner store;
- if you are a business that meets any of the three criteria but are based in one of the 49 other states, do not conduct business in California, and also only service and collect the information of customers outside of California (companies based “wholly outside California”). Examples would be regional utility companies or a sports complex/stadium;
- if you are a business that makes over $25 million annually, is based outside of California, and collects information that does not meet the definition of personal information. “Personal information” is defined in the CCPA as “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” § 1798.140(o)(1). Examples here would be large research companies or advertising companies that receive de-identified or pseudonymized data that cannot be linked back in any way to an individual, device or household;
- if you are a non-profit that is neither controlled by, nor share common branding with, a business to which the CCPA does apply. Examples here would be a pro bono services organization that relies on data driven statistics for fundraising or shaping policy;
- or, if you are a California state and local governmental entity.
In addition, the law carves out exceptions to the CCPA so that the law will not apply to a business that might otherwise be covered. These include situations where:
- following the law restricts compliance with federal, state, or local laws; or cooperation with legal proceedings of law enforcement authorities; or
- compliance with the law would restrict the ability to exercise or defend legal claims.
Finally, the law does not apply to specific types of information, including personal information:
- such as medical information or Protected Health Information governed by California law or federal health law such as HIPAA;
- sold to or from consumer reporting agencies as limited by the Fair Credit Reporting Act;
- subject to the Gramm-Leach-Bliley Act; and
- covered by the Driver’s Privacy Protection Act.
In sum, yes, the CCPA is coming, but it may not be coming for your business, so you may have less to worry about in California!