Background. Earlier this year, California enacted the California Consumer Privacy Act of 2018 (CCPA). The CCPA grants California residents new rights relating to the personal information collected by businesses about them. Although the law takes effect on January 1, 2020, the California Attorney General will delay enforcement until the earlier of: (1) July 1, 2020; or (2) the date that the California Attorney General issues final regulations regarding the CCPA.
The purpose of this Law Alert is to help you decide if your company must comply with the provisions of this new law, and, if so, to provide some basic steps that you will need to take to comply.
Must my company comply? You likely need not comply with the CCPA if your company does business solely on a “business-to-business” (B2B) basis and does not otherwise collect personal information of California residents. However, to the extent your company does business on a “business-to-consumer” basis and collects personal information from California residents, you will need to determine if your company meets the jurisdictional requirements of the law. Importantly, even if your company has no physical presence in California, it must comply if it sells products or services to California residents over the internet or otherwise, or if it otherwise engages California residents in other online activities where personal information is collected. This applies to B2B companies too.
What are the jurisdictional requirements? The jurisdictional questions you need to answer on behalf of your company are as follows:
- Is your company a for-profit business that collects and determines the use of California residents’ personal information?
- Does your company meet one or more of the following three thresholds:
- Annual gross revenues in excess of $25,000,000;
- Buys, receives, or sells the personal information of 50,000 or more California residents, households, or devices; or
- Derives 50% or more of its annual revenues from selling California residents’ personal information?
If your company meets the jurisdictional requirements, it is subject to the provisions of the CCPA. There are exemptions in the law for certain entities and certain classes of personal information.
Are there any exemptions? While not an exhaustive list, the following are exempt:
- protected health information that is collected by a covered entity or business associate governed by the privacy, security, and breach notification rules under the Health Insurance Portability and Accountability Act of 1996 and the Health Information Technology for Economic and Clinical Health Act;
- information collected as part of a clinical trial subject to the Federal Policy for the Protection of Human Subjects or pursuant to human subject protection requirements of the United States Food and Drug Administration;
- personal information collected, processed, sold, or disclosed pursuant to the federal Gramm-Leach-Bliley Act; and
- personal information that is collected by a business about a natural person in the course of the natural person acting as a job applicant to, an employee of, owner of, director of, officer of, or medical staff member of, and used by the business solely within the context of the natural person’s role or former role as a job applicant to, an employee of, owner of, director of, officer of, medical staff member of, or a contractor of that business, including emergency contact information and information that is necessary for the business to retain to administer benefits.
What is “personal information?” Personal information is defined broadly under the CCPA as information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household. The CCPA identifies common identifiers such as a real name, alias, postal address, unique personal identifier, online identifier, internet protocol address, email address, account name, social security number, driver’s license number, passport number, or other similar identifiers. Personal information also includes:
- internet or other electronic network activity information, including, but not limited to, browsing history, and search history;
- information regarding a consumer’s interaction with an internet website, application, or advertisement; and
- inferences drawn from such information to create a profile about a consumer reflecting the consumer’s preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes.
This list is not exhaustive, but is intended to provide an idea of the scope and breadth of the personal information covered by the CCPA.