It is widely known that the California Consumer Privacy Act (CCPA) will become effective on January 1, 2020—just six weeks from now. However, there remains a great deal of confusion regarding the CCPA’s applicability to businesses outside of California. Many mistakenly believe that if their company has no employees in California, or has no physical presence in the state, the CCPA does not apply to them. In fact, being a “covered business” under the CCPA has nothing to do with that company’s physical presence—through employees, operations, or otherwise—in California.
Given the potentially large fines for non-compliance with the law, we are advising our clients to step back and reconsider whether they are subject to the CCPA so they can be ready by the deadline Under the CCPA, a “covered business” means every for-profit company that:
- Does any business in California;
- Collects any consumer personal information; and
- Satisfies any, not all, of the following:
- Has gross annual revenues of $25 million (note these are gross revenues derived from any jurisdiction, not merely California);
- Alone or in combination buys, receives for the company’s commercial purposes, sells, or shares for commercial purposes, the personal information of 50,000 or more consumers, households, or devices; or
- Derives at least half of its annual revenues from selling consumers’ personal information.
One of the most common misconceptions is that the CCPA applies only to companies that transact in personal information, but as the above explanation makes clear, this is not the case. It is also important to keep in mind that the “personal information” of consumers is defined very broadly under the CCPA to mean “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” This definition goes beyond the more traditional definition of “personally identifiable information”, in most data breach notification statutes that many businesses have become accustomed to.
For example, it is widely believed that IP addresses, even when collected without the name of the person associated with the address, will constitute “personal information” for purposes of the CCPA. Thus, any business that collects the IP addresses of California residents who visit its website, and that sells products or services in California, will be subject to the CCPA (so long as its gross annual revenues exceed $25 million). Given the breadth of the definition, it is very likely that most companies with any business in California, even if only on the Internet, are collecting “personal information” from California residents.