The California Consumer Privacy Act ("CCPA") was enacted in early 2018 as a political compromise to stave off a poorly drafted and plaintiff-friendly ballot initiative. Although the CCPA is scheduled to go into force in early 2020, there is a great deal of confusion regarding the requirements of the CCPA, including the degree to which it aligns with other privacy regulations such as the European General Data Protection Regulation (“GDPR”).
To help address that confusion, BCLP published the California Consumer Privacy Act Practical Guide, and is publishing a multi-part series that discusses the questions most frequently asked by clients concerning the CCPA.
Q. Does the CCPA apply only to data about Californians?
The CCPA applies only to information about a “consumer” – a term which is defined within the statute as including only “a natural person who is a California resident.”1 As a result, the Act does not apply to people who reside outside of the state of California, or to information about legal entities.
In comparison, the European GDPR is often misunderstood as only applying to data about European Union “citizens.” In reality the scope of the GDPR varies based, in part, on which of two jurisdictional “hooks” apply to a company.
The first jurisdictional hook is found within Article 3(1) which purports to apply the GDPR to the processing of personal data in the context of activities of any “establishment” of a controller or processor in the European Union. If the GDPR is triggered because a company is established in the European Union, an argument could be made that the GDPR is intended to apply to the processing of data relating to all data subjects – regardless of whether they are citizens or residents of the European Union, the United States, or of another country. Such an interpretation would align with the European Commission’s statement that companies should respect the principles within the GDPR “whatever the nationality or residence” of a data subject.2
The second jurisdictional hook is found within Article 3(2), which purports to apply the GDPR to companies that are “not established in the Union” if they offer goods or services or monitor the behavior of “data subjects who are in the Union.” The term “data subjects who are in the Union” refers to individuals who are physically present in the European Union regardless of their citizenship, nationality, or long-term residence. As a result, it theoretically could apply to United States citizens studying in Europe, vacationing in Europe, or temporarily travelling through Europe.