When does the CCPA Apply and Who (and What) is Covered?
Less than one week. That is how long it took the California Legislature to draft, introduce, negotiate, and pass the California Consumer Privacy Act (“CCPA”), which explains many of the CCPA’s drafting errors, inconsistencies, and ambiguities. Implementation will be difficult, particularly due to the CCPA’s structure. For example, related obligations are randomly placed throughout various sections and substantive provisions are included in the definitions, making it easy to miss key requirements.
This article is part one of a series of articles designed to help organizations better understand how the CCPA affects data collection and use practices.
Part 1: When does the CCPA Apply and Who (and What) is Covered?
When does the CCPA Apply?
The CCPA takes effect January 1, 2020, but will not be enforced until the earlier of six months after the final regulations are published, or July 1, 2020.
Who is Subject to the CCPA?
The CCPA applies to “businesses”. In general, a business is a for-profit entity that (i) collects personal information from California residents; (ii) determines the purposes and means of the processing of that information; (iii) does business in California; and (iv) satisfies one or more of the following thresholds:
- The entity’s annual gross revenues exceed $25,000,000;
- The entity buys, receives for commercial purposes, sells, or shares for commercial purposes, personal information of 50,000 California residents; or
- The entity derives 50% or more of its annual revenues from selling personal information from California residents.
If an entity meets the criteria above, it is considered a “business” under the CCPA and must comply with a number of obligations, including disclosures concerning the sale of personal information and honoring California residents’ rights.
Questions often arise about what it means to “do business in California” and “determine the purposes and means of the processing”. In short, an organization does business in California if it engages with California consumers in a meaningful way. “Determining the purposes and means of the processing” means the organization is the controller of the personal information (the CCPA adopts this concept from the EU General Data Protection Regulation).
Organizations that are not considered “businesses” and therefore not subject to the CCPA will likely be indirectly affected when they contract with businesses that are subject to the CCPA and those contracts involve the sharing of personal information that the CCPA regulates. Accordingly, an organization not subject to the CCPA, such as a nonprofit organization, should be prepared to address provisions of the CCPA that will likely be included in its contracts with “businesses”.
What Information does the CCPA Cover?
The CCPA regulates “personal information”, which is broadly defined as information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household, including name, postal address, Internet Protocol (IP) address, email address, social security number, internet search activity, employment and professional information, geolocation data, inferences, and biometric information.
Though the definition of personal information is extremely broad, the CCPA only applies to personal information of a “consumer”, which is defined as a natural person who is a California resident, or a “household”. The draft regulations to the CCPA define household as a person or group of people occupying a single dwelling. The inclusion of the term “household” is likely meant to cover information captured by connected devices within a home, such as a smart TV.