The California Consumer Privacy Act is top of mind for many privacy professionals across the U.S., who are working to leverage their GDPR preparation to build CCPA-compliance programs. They are learning that while their recent GDPR preparation is helpful, the CCPA has nuanced requirements that go beyond the GDPR. Emphasis is often placed on the novel “Do Not Sell My Personal Information” link.
After listening to two useful web conferences comparing the CCPA and GDPR (available here, in case you missed them), I wondered if companies outside of the U.S. have realized that California-specific adjustments will be needed. If not, the CCPA’s private right of action and what many consider the litigious nature of the U.S. might soon draw the attention of foreign C-suites.
Participants in the two recent web conferences posed a number of questions, highlighting the challenges privacy pros face in understanding the developing legal landscape. We thought addressing the following 10 frequently asked questions might be helpful to privacy professionals around the globe. A general caveat, though: The following should not be construed as legal advice.
Question: Does the CCPA apply to companies based outside of California?
Answer: Yes, the CCPA will generally apply if doing business in California and collecting the personal information of a California resident. The CCPA grants a “consumer” various rights with regard to personal information held by a “business,” including the rights of notice, access, deletion, portability and reasonable security. It also requires a business that “sells” “personal information” to “third parties” to provide a clear and conspicuous link on the business’s internet homepage, titled “Do Not Sell My Personal Information,” to an internet webpage that enables a consumer or a person authorized by the consumer to opt out of the sale of the consumer’s personal information, among other requirements. The definitions cited above are critical to understanding the law’s jurisdictional and material scope and are explained in response to the following FAQs.
Q: Does the CCPA apply only to consumers or also to employees and other individuals?
A: While the CCPA refers throughout to a “consumer,” currently, the law’s definition of “consumer” is not limited to those engaged in commercial activity, but rather to the residency status of a natural person. The bill’s definition of consumer is “a natural person who is a California resident, as defined in Section 17014 of Title 18 of the California Code of Regulations, as that section read on September 1, 2017, however identified, including by any unique identifier.” Further, the bill’s definition of personal information includes “professional or employment-related information.”
Q: Does a California resident have rights under the CCPA if outside of California? Does the CCPA apply to nonresidents visiting California?
A: The bill’s definition of a California resident is provided in Section 17014 of Title 18 of the California Code of Regulations, as that section read Sept. 1, 2017. This provides, in part:
[quote]“The term “resident,” as defined in the law, includes (1) every individual who is in the State for other than a temporary or transitory purpose, and (2) every individual who is domiciled in the State who is outside the State for a temporary or transitory purpose. All other individuals are nonresidents.”[/quote]
The CCPA also states that:
[quote]“The obligations imposed on businesses … shall not restrict a business’s ability to…[c]ollect or sell a consumer’s personal information if every aspect of that commercial conduct takes place wholly outside of California. For purposes of this title, commercial conduct takes place wholly outside of California if the business collected that information while the consumer was outside of California, no part of the sale of the consumer’s personal information occurred in California, and no personal information collected while the consumer was in California is sold. This paragraph shall not permit a business from storing, including on a device, personal information about a consumer when the consumer is in California and then collecting that personal information when the consumer and stored personal information is outside of California.”[/quote]
The CCPA further provides that a covered business will not be “required [to place] links and text on the homepage that the business makes available to the public generally, if the business maintains a separate and additional homepage that is dedicated to California consumers and that includes the required links and text, and the business takes reasonable steps to ensure that California consumers are directed to the homepage for California consumers and not the homepage made available to the public generally.”
Taken together, these provisions highlight the decisions both U.S. and foreign businesses will face when collecting and sharing personal information that might include the data of Californians. Should businesses provide the required “Do Not Sell My Personal Information” link and protections globally only in the U.S. or just to Californians?
Q: Does the CCPA govern nonprofit organizations?
A: The CCPA defines “business” as a sole proprietorship, partnership, limited liability company, corporation, association or other legal entity that is organized or operated “for the profit or financial benefit of its shareholders or other owners,” that collects consumers’ personal information, or on the behalf of which such information is collected and that alone or jointly with others determines the purposes and means of the processing of consumers’ personal information, does business in the state of California, and satisfies certain revenue or data-processing thresholds.
Q: Does the CCPA apply to small businesses?
A: The CCPA applies to “businesses” that meet one or more of the following thresholds:
- Has annual gross revenues in excess of $25,000,000, as adjusted pursuant to Paragraph 5 of Subdivision A of Section 1798.185.
- Alone or in combination, annually buys, receives for the business’s commercial purposes, sells or shares for commercial purposes, alone or in combination, the personal information of 50,000 or more consumers, households or devices.
- Derives 50% or more of its annual revenues from selling consumers’ personal information.
Q: Does “selling” include sharing personal data with affiliated organizations?
A: Answering this question requires understanding several definitions under the CCPA, including not only “selling,” but also “business,” “business purposes,” “service provider,” “personal information” and “third party.”
“Sell” is defined as “selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer’s personal information by the business to another business or a third party for monetary or other valuable consideration.”
There are exceptions to this general definition, including when the individual directs the transfer of information or the business shares information pursuant to a contract with a service provider for a business purpose of which the consumer has been informed.
Under the CCPA, sharing personal information with an affiliate for valuable consideration would generally be considered a sale if the affiliate is considered a third party. This would be the case unless the affiliate controls or is controlled by the “business” and shares common branding with the business or is a service provider with whom the information is shared pursuant to a contract for a business purpose of which the consumer has been informed.
Q: If a business has entered into a controller-processor data protection agreement with a vendor, is it reasonable to assume the transfer of data to that vendor will not be considered a "sale" under the CCPA? How should businesses categorize and manage service providers differently from third parties in terms of contracts and CCPA obligations?
A: To avoid a data transfer to a vendor being considered a “sale” under the CCPA, the transfer must be to fulfill a business purpose of which the consumer has been informed, and it must be governed by a written contract. The contract with a “service provider” to process personal information on behalf of the “business” must prohibit the service provider “from retaining, using, or disclosing the personal information for any purpose other than for the specific purpose of performing the services specified in the contract for the business, or as otherwise permitted by [the CCPA], including retaining, using, or disclosing the personal information for a commercial purpose other than providing the services specified in the contract with the business.”
Q: Does the required “Do Not Sell My Personal Information” link need to go on mobile sites/apps, as well?
A: A business that sells personal information about the consumer to third parties must provide a clear and conspicuous link on the business’s internet “homepage,” titled “Do Not Sell My Personal Information.” In the case of an online service, such as a mobile application, “homepage” means the application’s platform page or download page; a link within the application, such as from the application configuration, “About,” “Information,” or settings page; and any other location that allows consumers to review the notice required before downloading the application.
Q: What are key differences between the CCPA and GDPR on which businesses adapting a GDPR-compliance program to CCPA should focus?
A: While there are numerous differences, described in great detail SB-1121, which:
- Extended the deadline for the attorney general to adopt the law’s implementing regulations from Jan. 1, 2020, until July 1, 2020.
- Delayed the attorney general’s ability to enforce the bill until six months after the publication of those regulations or July 1, 2020, whichever comes sooner.
Given those amendments, the attorney general could enforce the new law prior to July 1, 2020, only if the attorney general adopts implementing regulations prior to Jan. 1, 2020. The fact that the amendments provided the attorney general additional time beyond Jan. 1 to adopt the regulations makes it unlikely (though not impossible) that they will be adopted sooner.
Photo by Sasha • Stories on Unsplash