For the second installment of our series on the California Consumer Privacy Act (CCPA), we discuss a key question: Does the CCPA affect me?
While the primary focus of this article is on "businesses" (as discussed below) that are responsible for collecting personal information (and who bear the brunt of the CCPA's obligations), it is important for those entities that are service providers or recipients of data from businesses to understand how the CCPA impacts their customers and counterparties, and why new obligations are being imposed on them.
Does the CCPA Affect Me?
The CCPA applies to any "business"--defined in the act as a for-profit legal entity that:
1. Does business in the State of California;
2. Collects, or has collected on its behalf, personal information of California residents;
3. Determines (alone or jointly with others) the "purposes and means of the processing" of the personal information of California residents; and
4. Meets at least one of the following criteria:
a. Has annual gross revenues of more than $25 million USD;
b. Obtains for commercial purposes, sells or shares the personal information of more than 50,000 households, devices or California residents; or
c. Derives 50 percent or more of its annual revenue from the sale of California residents' personal information.
The second criterion under item 4 above (4b) is likely to capture almost any company that conducts business (even B2B) online, has an app or, in many cases, merely has a commercial website. As noted in Part I, the CCPA's definition of "personal information" is much broader than the standard US definition: in addition to all information relating to, or that could be linked (directly or indirectly) to, an individual, the CCPA also treats identifiers such as IP addresses, browsing history and "information regarding a consumer's interaction with an Internet Web site, application, or advertisement" as "personal information." This information is typically collected automatically when an individual visits a website. The definition also covers information relating to "devices." While "consumers" are California residents, the CCPA does not limit "devices" to those located in California.
As a result, a company will be subject to the CCPA if it does any business in California and has an app or site that is accessed by more than 50,000 unique users or visitors annually (approximately 137 per day), whether or not those visitors are California residents.
Are There Any Exceptions?
There are a few limited exceptions to the CCPA. Some apply to an entire organization, while others only exempt certain personal information from the CCPA's reach (and, in some cases, leave intact the class-action-friendly private cause of action we touched on in our last installment).
As noted above, the CCPA only applies to for-profit entities. Nonprofit organizations are excluded from most of its scope, although in certain instances they may potentially be subject to "third party" obligations to the extent they receive personal information from a covered business.[3]
Additionally, as described below, amendments to the CCPA exempted "covered entities" subject to HIPAA and "health care providers" subject to California's Confidentiality of Medical Information Act (CMIA) from the CCPA's scope to the extent that they protect patient data in accordance with HIPAA or CMIA; however, the CCPA is potentially ambiguous as to whether the exemption is intended to cover the entire entity or just patient information.[4]
For entities that are subject to the CCPA, other exceptions are focused on certain types of data that those entities may process. Thus, while certain information may not be subject to CCPA obligations, the organization as a whole is not exempted, so the CCPA will still apply to any personal information outside the exception (such as personal information received as part of other services or activities, or in some cases, device information collected from visitors to a website).
The CCPA does not apply to:
- Personal information processed under the Gramm-Leach-Bliley Act (GLBA) or the California Financial Information Privacy Act, although this exception does not apply to the private cause of action;
- Protected health information or medical information governed by HIPAA or CMIA, respectively. This exception expressly extends to protected health information collected by a covered entity or business associate (as defined by HIPAA);
- Information collected as part of a clinical trial subject to the Federal Policy for the Protection of Human Subjects;
- The "sale" of personal information to or from a credit reporting agency, if used for a consumer report and use is limited to those permitted by the Fair Credit Reporting Act; and
- Personal information processed pursuant to the Driver's Privacy Protection Act, although as with information subject to GLBA, the exemption does not apply with respect to the private cause of action.
Coming Up Next: Understand Your Data
Now that you have an idea of whether or not you are a "business" subject to CCPA, the next step is figuring out what you should be doing to prepare. Our next installment covers understanding what data you have, where it is and how it is used.