This is Squire Patton Boggs’s Data Privacy and Cybersecurity Group’s first blog post in a monthly series that will break down the major elements of the CCPA. This blog post focuses on the CCPA’s applicability. Stay tuned for additional blog posts and information about the CCPA.
California’s new privacy law, the California Consumer Privacy Act (the “CCPA”), goes into effect on January 1, 2020. It is the most expansive
state privacy law in U.S. history, imposing GDPR-like transparency and individual rights requirements on companies. The law will impact nearly every entity that handles “personal information” regarding California residents, including (at least for now) employees. An overview of the CCPA’s applicability is set forth below.
Who will the CCPA impact?
Most of the CCPA’s obligations apply directly to a “business,” which is an entity that:
- Handles “personal information” about California residents;
- Determines the purposes and means of processing that “personal information”; and
- Does business in California, and meets one of the following threshold requirements:
(a) Has annual gross revenues in excess of $25 million;
(b) Annually handles “personal information” regarding at least 50,000 consumers, households, or devices; or
(c) Derives 50% or more of its annual revenue from selling “personal information.”
However, “service providers” that handle “personal information” on behalf of a business and other third parties that receive “personal information” will also be impacted. As currently written, however, the CCPA does not apply to non-profit organizations.
The CCPA’s three threshold requirements seem relatively straightforward, yet upon examination raise additional questions that will need to be clarified down the road. For example:
- Does the 50,000 devices threshold cover devices of California residents only, or apply more broadly?
- Is the $25 million annual revenue trigger applicable only to revenue derived from California or globally?
- What timeframe do businesses who suddenly find themselves within the CCPA’s ambit have to bring themselves into compliance with its provisions?
What is “personal information” as defined in the CCPA?
The CCPA defines “personal information” broadly in terms of (a) types of individuals and (b) types of data elements. First, the term “consumer” refers to, and the CCPA applies to data about, any California resident, which ostensibly includes website visitors, B2B contacts and (at least for now) employees. It is not limited to B2C customers that actually purchase goods or services. Second, the data elements that constitute “personal information” term include non-sensitive items that historically have been less regulated in the U.S., such as Internet browsing histories, IP addresses, product preferences, purchasing histories, and inferences drawn from any other types of personal information described in the statute, including:
- Identifiers such as name, address, phone number, email address;
- Characteristics of protected classifications under California and federal law;
- Commercial information such as property records, products purchased, and other consuming history;
- Biometric information;
- Internet or other electronic network activity;
- Geolocation data;
- Olfactory, audio, and visual information; and
- Professional or educational information.
Does the CCPA have any exemptions?
The CCPA will apply to a broad number of businesses, covering nearly all commercial entities that do business in California, regardless of whether the business has a physical location or employees in the State. However, there are some nuanced exemptions.
As a general matter, the exemptions are based on the types of information that a business collects, and not on the industry of the business collecting the information. These include information that is collected and used wholly outside of California, subject to other state and federal laws, or sold to or from consumer reporting agencies. Specifically, the excluded categories of “personal information” include:
- Activity “wholly outside” California
The CCPA does not apply to conduct that takes place “wholly outside” of California, although it is unclear how such an exemption will apply in practice. The statute provides that this exemption applies if:
- The business collects information while the consumer is outside of California;
- No part of the sale of the consumer’s “personal information” occurs in California; and
- No “personal information” collected while the consumer is in California is sold.
Determining when a consumer is outside of California when his or her “personal information” is collected will be challenging for businesses. For example, given that an IP address is expressly included as “personal information” under the law, is a business supposed to do a reverse-lookup to determine whether an individual’s IP address originates in California?
2. Data subject to other U.S. laws
While the CCPA exempts certain types of information subject to other laws, importantly it does not exempt entities subject to those laws altogether. Entities subject to these laws are also not exempt from the CCPA’s statutory damages (i.e., no injury necessary) provisions relating to data breaches. Likewise, some types of information (clarified below) are not exempt from the data breach liability provision. At a glance, these exemptions appear helpful; however, they may end up making operationalizing the law even more difficult for certain entities. For example:
- Protected Health Information (“PHI”) and “Medical Information.” The CCPA exempts all PHI collected by “covered entities” and “business associates” subject to HIPAA and “medical information” subject to California’s analogous law, the Confidentiality of Medical Information Act (“CMIA”). It also exempts any patient information to the extent a “covered entity” or “provider of health care,” respectively, maintains the patient information in the same manner as PHI or “medical information.” However, many of these entities and their “business associates” collect information beyond what is considered PHI, such as employment records, technical data about website visitors, B2B information, and types of research data. This data may not be eligible for the CCPA exemption.
- Clinical Trial Information. The CCPA exempts information collected as part of a clinical trial subject to the Federal Policy for the Protection of Human Subjects, also known as the Common Rule.
- Financial Information. Information processed pursuant to the Gramm-Leach-Bliley Act (“GLBA”) or the California Financial Information Privacy Act (“CalFIPA”) is exempt from the CCPA. Much like the health-related exemption, this rule does not exempt entities subject to these laws altogether from its requirements to the extent an entity is processing information not expressly subject to GLBA/CalFIPA. This particular exemption does not apply to the data breach liability provision.
- Consumer Reporting Information. The CCPA exempts information sold to and from consumer reporting agencies if that information is reported in, or used to generate, a consumer report and use of that information is limited by the Fair Credit Reporting Act.
- Driver Information. The CCPA also exempts information processed pursuant to the Driver’s Privacy Protection Act of 1994 (“DPPA”). Importantly, entities subject to this law are not altogether exempt and this exemption does not apply to the data breach liability provision.
Moreover, the differences in definitions of relevant terms (e.g., “personal information” under the CCPA versus “nonpublic personal information” under GLBA) are important to consider when assessing relevant obligations and could result in institutions being only partially exempt from CCPA compliance.
Do you need help or more information?
Squire Patton Boggs’s Data Privacy and Cybersecurity Group is happy to help you figure out whether and to what extent the CCPA will impact your business, as well as assisting you in developing and implementing a compliance program.
See our earlier blog posts discussing the nuances of the CCPA and the possibility of a federal privacy framework here.
Stay tuned for our next blog in the series about conducting gap assessments in preparation for CCPA compliance.