As our series of FAQs regarding the California Consumer Privacy Act (“CCPA”) continues we are examining the scope of the law’s jurisdiction. These FAQs should help employers determine if they are required to comply with the CCPA and if so, what steps their HR professionals and IT departments should take to be in compliance.

As a reminder, the CCPA is a new privacy law that applies to data collected about California-based employees. The CCPA will go into effect in early 2020, and employers who must comply should be addressing compliance obligations now.

For US employers who have not had to comply with the GDPR, the requirements of the CCPA will likely require a new analysis of the treatment of employee-data and implementation of updated or new data policies. For employers with European operations, one key area of interest is the degree to which the CCPA aligns with the European General Data Protection Regulation (“GDPR”). Employers in compliance with the GDPR will likely already be familiar with many of the requirements of the CCPA – and with some assistance, should be able to bring their operations and policies into compliance with respect to California-based employees.

BCLP offers a complete compliance program to employers that includes a formal gap assessment as well as policies, procedures, and protocols to close identified gaps. If you or your organization would like information on this compliance program or any other issue, please contact us or one of your other trusted BCLP attorneys.

Question #6: Does an employer need to generate revenue in California in order for CCPA to apply?

No.

The CCPA applies to “businesses,” a term that is defined, in part, as an entity that meets one of the following three thresholds:

  1. Annual gross revenue in excess of $25 million.
  2. Purchases, receives for commercial purposes, sells, or shares for commercial purposes, personal information of 50,000 or more consumers, or
  3. Derives 50% of annual revenue from selling consumer personal information.[1]

While these have yet to be interpreted by a court or in connection with the California Attorney General’s rule-making process, the first revenue-oriented threshold that the statute does not specify whether the $25 million must be generated within the state of California.

Any business that meets one of these three thresholds and has California-based employees will be required to comply with the CCPA, as currently drafted.