Implementing the California Consumer Privacy Act of 2018 will take time, and organizations should start evaluating exposure and designing compliance plans now. There are many open questions, but that does not mean you can’t conduct an initial assessment that enables you to start planning for the resources you will need during 2019. This article outlines a pragmatic four-step approach to how to assess your exposure to the CCPA by identifying what entities in your group will be subject to the act (that is, what entities will qualify as “business” under California civic code).
Step one: Create your 'list of suspects'
The first step is to identify the for-profit entities that do “business in California." There is one existing test you can use for this purpose: Foreign entities (i.e. entities not incorporated in California) “doing business” in California are required to comply with certain provisions of California tax and corporate law and California courts have developed a test to make this determination. Factors that indicate an entity is “doing business in California” include physical presence in California (for example, an office or building, but for online entities it often comes down to where the servers are located and where the banking is done), having employees in California, and holding special licenses to conduct business within California.
Factors that typically do not indicate an entity is “doing business in California” include maintaining, defending, or settling any action before a California court; holding meetings of directors, managers or shareholders; maintaining bank accounts; selling through independent contractors; and soliciting or procuring orders if the orders require acceptance outside of California before becoming binding contracts.
Conducting a fact-based test is time consuming, and there is a shortcut that may suffice for an initial assessment. Under California law, foreign entities operating in California must generally register by filing a form with the California secretary of state and pay an annual minimum franchise tax of $800. By combining the list of entities paying taxes in California (including the yearly $800 minimum franchise tax) with the list of entities incorporated in California or registered with the California secretary of state you can create an initial “list of suspects." Make sure to exclude entities that do not operate for profit (i.e. a foundation).
This initial list is potentially under-inclusive. Entities that are out of compliance with California registration and tax requirements will not be in the list. Additionally, the California attorney general may issue guidance that expands the scope of what “doing business” in California means beyond what it means under California corporate law.
Step two: Identify the 'controllers' in the list
Once you have your “list of suspects," step number two is to exclude entities that do not act as controllers (i.e., do not “alone or jointly with others" determine “the purposes and means of the processing” under California Civil Code Article 1798.140 (c)(1)). Groups with global footprints likely already have records from past compliance efforts that can answer this question (for example, GDPR Article 30 records). If your organization has never been exposed to foreign data protection laws, it's a good idea to become acquainted with what being a controller means (check the ICO website for resources on this) and rely on competent outside counsel advice to ensure you are getting the analysis right.
The California attorney general may issue guidance on what determining “the means and purposes” means under the CCPA that does not align with GDPR. That said, who is a “controller” is a core concept for most if not all data protection laws and has a remarkable history of being interpreted consistently across jurisdictions.
Step three: Look into revenue and data 'sales'
The next step would be to look into revenues and data “sales” to identify which entities meet at least one of the three thresholds under California civic code.
Under the code, any entity with $25M in gross revenue qualifies as a “business." Presumably, the revenue to consider is the revenue from the preceding tax year counting back from January 2020 (when the law goes into effect). You will not have that figure, and therefore you must approximate based on the gross revenue figures available, and lean on the side of caution. There are two open questions: whether the $25M threshold should operate at the group level, and whether revenue not derived from California should count.
Under California code, any entity that “alone or in combination” sells or shares for commercial purposes, or buys or receives for commercial purposes more than 50,000 records of California residents, “households," or "devices” a year qualifies as a “business” under the CCPA. Because the definition of "sale" and "commercial purposes" in the act are unclear, multiple interpretations are possible. Therefore, absent guidance, assessments will have to be risk-based and undergo thorough revisions. High-risk activities include operating as a data broker, controller to controller transfers without data-subject consent, controller to processor transfers without appropriate contract, and mergers/acquisitions/asset sales where the data is re-purposed.
Be aware that entities that would not be traditionally considered data brokers may be conducting sales under the CCPA. The main risk factors are controller-to-controller transfers and non-compliant contracts with service providers. Controller-to-controller transfers that are not done at the request of the data subject are at high risk to be considered data sales under the CCPA. Controller-to-processor transfers (in the CCPA terminology, “business” to “service provider”) that are not based on a written CCPA-complaint contract are a risk factor as well. Transfers to third parties where the third party assumes control of all or part of the business (i.e. mergers and acquisitions) are generally not considered sales, but the law contains an unclear provision that leaves open the possibility of counting them as sales if the data is uses are altered by the acquiring entity.
The use of identifiers for the purposes of communicating that an individual has exercised its right to “opt out” is not a “sale” under the CCPA.
Step four: Include group entities operating under the same brand
Once an entity qualifies as a “business,” (that is, any entities in your list after following steps one through three above) all of the group entities that control or are under the control of such entity immediately qualify as “business” under the CCPA as long as they operate under the same brand. This is the case regardless of their revenue or number of sales. The CCPA does not specify whether group entities with no connection to California or non-for-profit entities can be excluded from this general rule.
By Makaristos from Wikimedia Commons