News Stream Books Videos Web Conferences Subscriptions Advertise About IAPP Publications
Daily Dashboard Daily Dashboard

The day’s top stories from around the world

 AI Governance Dashboard – New AI Governance Dashboard – New

Stay on top of the latest AI governance news and developments of the profession.

 The Privacy Advisor The Privacy Advisor

Original reporting and feature articles on the latest privacy developments

 Privacy Perspectives Privacy Perspectives

Where the real conversations in privacy happen

 Privacy Tech Privacy Tech

Exploring the technology of privacy

 Canada Dashboard Digest Canada Dashboard Digest

A roundup of the top Canadian privacy news

 Europe Data Protection Digest Europe Data Protection Digest

A roundup of the top European data protection news

 Asia-Pacific Dashboard Digest Asia-Pacific Dashboard Digest

A roundup of the top privacy news from the Asia-Pacific region

 Latin America Dashboard Digest Latin America Dashboard Digest

A roundup of the top privacy news from Latin America

 U.S. Privacy Digest U.S. Privacy Digest

A roundup of US privacy news
Overview KnowledgeNet Chapters Sections Affinity Groups Volunteer Annual Awards Career Central
Find a KnowledgeNet Chapter Near You

Talk privacy and network with local members at IAPP KnowledgeNet Chapter meetings, taking place worldwide.

 IAPP Job Board

Looking for a new challenge, or need to hire your next privacy pro? The IAPP Job Board is the answer.

 IAPP Calendar

Review a filterable list of conferences, KnowledgeNets, LinkedIn Live broadcasts, networking events, web conferences and more.
Overview Online Training Live Online Training In-Person Training Books Practice Exams Train Your Staff Official Training Partners Web Conferences
Artificial Intelligence Governance Professional Artificial Intelligence Governance Professional

Learn how to surround AI with policies and procedures that make the most of its potential by reducing its risks.

 European Data Protection (CIPP/E)

Understand Europe’s framework of laws, regulations and policies, most significantly the GDPR.

 U.S. Private-Sector Privacy (CIPP/US)

Steer a course through the interconnected web of federal and state laws governing U.S. data privacy.

 Canadian Privacy (CIPP/C)

Learn the intricacies of Canada’s distinctive federal/provincial/territorial data privacy governance systems.

 Privacy Program Management (CIPM)

Develop the skills to design, build and operate a comprehensive data protection program.

Privacy in Technology (CIPT)

Add to your tech knowledge with deep training in privacy-enhancing technologies and how to deploy them.

 Foundations of Privacy and Data Protection

Introductory training that builds organizations of professionals with working privacy knowledge.

 Privacy Law Specialist Training (PLS)

Meet the stringent requirements to earn this American Bar Association-certified designation.
Overview Certification Programs Get Certified How to Prepare Continuing Privacy Education (CPE) Fees Certify Your Staff Verify a Certification
CIPP Certification CIPP Certification

The global standard for the go-to person for privacy laws, regulations and frameworks

 CIPM Certification CIPM Certification

The first and only privacy certification for professionals who manage day-to-day operations

 CIPT Certification CIPT Certification

As technology professionals take on greater privacy responsibilities, our updated certification is keeping pace with 50% new content covering the latest developments.

 FIP Designation FIP Designation

Recognizing the advanced knowledge and issue-spotting skills a privacy pro must attain in today’s complex world of data privacy.

 Privacy Law Specialist Privacy Law Specialist

The first title to verify you meet stringent requirements for knowledge, skill, proficiency and ethics in privacy law, and one of the ABA’s newest accredited specialties.

 AIGP Certification AIGP Certification

Ensures individuals responsible for AI systems can reduce the risks associated with this technology.

 Certificação CDPO/BR Certificação CDPO/BR

Mostre seus conhecimentos na gestão do programa de privacidade e na legislação brasileira sobre privacidade.

 Certification CDPO/FR Certification CDPO/FR

Certification des compétences du DPO fondée sur la législation et règlementation française et européenne, agréée par la CNIL.
Tools and Trackers Research Glossary Global Privacy Directory Enforcement Database Westin Research Center Web Conferences Jobs Privacy Vendor Marketplace
Global Privacy Directory

This tool identifies global data protection authorities and privacy legislation.
US State Privacy Legislation Tracker

The IAPP’s US State Privacy Legislation Tracker consists of proposed and enacted comprehensive state privacy bills from across the U.S.
Reports and Surveys

Access all reports and surveys published by the IAPP.
Privacy Governance Report

This report shines a light on the location, performance and significance of privacy governance within organizations.
Privacy Risk Study

This year’s Privacy Risk Study represents the most comprehensive study of privacy risk undertaken by the IAPP in collaboration with KPMG.
Artificial Intelligence

On this topic page, you can find the IAPP’s collection of coverage, analysis and resources covering AI connections to the privacy space.
CCPA and CPRA

IAPP members can get up-to-date information here on the California Consumer Privacy Act and the California Privacy Rights Act.
EU General Data Protection Regulation

The IAPP's EU General Data Protection Regulation page collects the guidance, analysis, tools and resources you need to make sure you're meeting your obligations.
Data Protection Intensive: UK Data Protection Intensive: UK

Explore the full range of U.K. data protection issues, from global policy to daily operational details.

Global Privacy Summit Global Privacy Summit

Expand your network and expertise at the world’s top privacy event featuring A-list keynotes and high-profile experts.

AI Governance Global AI Governance Global

A new event in Brussels for business leaders, tech and privacy pros who work with AI to learn about practical AI governance, accountability, the EU AI Act and more.

 Canada Privacy Symposium Canada Privacy Symposium

Leaders from across the Canadian privacy field deliver insights, discuss trends, offer predictions and share best practices.

Asia Privacy Forum Asia Privacy Forum

Hear top experts discuss global privacy issues and regulations affecting business across Asia.

 Privacy. Security. Risk. (P.S.R.) Privacy. Security. Risk. (P.S.R.)

P.S.R. focuses on the intersection of privacy and technology. The call for proposals to speak at the 2024 event is open. Submit your ideas today.

 Europe Data Protection Congress Europe Data Protection Congress

Europe’s top experts offer pragmatic insights into the evolving landscape and share knowledge on best practices for your data protection operation.

 ANZ Summit ANZ Summit

Gain exclusive insights about how privacy affects business in Australia and Aotearoa New Zealand.

 Speak at an IAPP Event

View our open calls and submission instructions.

 Sponsor an Event

Increase visibility for your organization — check out sponsorship opportunities today.

Individual Membership Corporate Membership Group Membership Student Membership
Become a Member

Start taking advantage of the many IAPP member benefits today

 Corporate Members

See our list of high-profile corporate members—and find out why you should become one, too

 Renew Your Membership

Don’t miss out for a minute—continue accessing your benefits
{[product.name]} {[ product.name ]}
clear
mode_editEdit
remove_circle_outline {[ getCartItemQuantity(product.id) ]} add_circle_outline
{[ product.price | currencyFilter ]}
TOTAL: {[ getCartTotalCost() | currencyFilter ]} Update cart for total shopping_basket Checkout

The Privacy Advisor | IAPP FAQs: Are GDPR-compliant companies prepared for CCPA? Related reading: NIST Privacy Framework recognizes critical need for workforce development

rss_feed

""

The California Consumer Privacy Act is top of mind for many privacy professionals across the U.S., who are working to leverage their GDPR preparation to build CCPA-compliance programs. They are learning that while their recent GDPR preparation is helpful, the CCPA has nuanced requirements that go beyond the GDPR. Emphasis is often placed on the novel “Do Not Sell My Personal Information” link.

After listening to two useful web conferences comparing the CCPA and GDPR (available here and here, in case you missed them), I wondered if companies outside of the U.S. have realized that California-specific adjustments will be needed. If not, the CCPA’s private right of action and what many consider the litigious nature of the U.S. might soon draw the attention of foreign C-suites.

Participants in the two recent web conferences posed a number of questions, highlighting the challenges privacy pros face in understanding the developing legal landscape. We thought addressing the following 10 frequently asked questions might be helpful to privacy professionals around the globe. A general caveat, though: The following should not be construed as legal advice.

Question: Does the CCPA apply to companies based outside of California?

Answer: Yes, the CCPA will generally apply if doing business in California and collecting the personal information of a California resident. The CCPA grants a “consumer” various rights with regard to personal information held by a “business,” including the rights of notice, access, deletion, portability and reasonable security. It also requires a business that “sells” “personal information” to “third parties” to provide a clear and conspicuous link on the business’s internet homepage, titled “Do Not Sell My Personal Information,” to an internet webpage that enables a consumer or a person authorized by the consumer to opt out of the sale of the consumer’s personal information, among other requirements. The definitions cited above are critical to understanding the law’s jurisdictional and material scope and are explained in response to the following FAQs.

Q: Does the CCPA apply only to consumers or also to employees and other individuals?

A: While the CCPA refers throughout to a “consumer,” currently, the law’s definition of “consumer” is not limited to those engaged in commercial activity, but rather to the residency status of a natural person. The bill’s definition of consumer is “a natural person who is a California resident, as defined in Section 17014 of Title 18 of the California Code of Regulations, as that section read on September 1, 2017, however identified, including by any unique identifier.” Further, the bill’s definition of personal information includes “professional or employment-related information.”

Q: Does a California resident have rights under the CCPA if outside of California? Does the CCPA apply to nonresidents visiting California?

A: The bill’s definition of a California resident is provided in Section 17014 of Title 18 of the California Code of Regulations, as that section read Sept. 1, 2017. This provides, in part:

format_quote“The term “resident,” as defined in the law, includes (1) every individual who is in the State for other than a temporary or transitory purpose, and (2) every individual who is domiciled in the State who is outside the State for a temporary or transitory purpose. All other individuals are nonresidents.”

The CCPA also states that:

format_quote“The obligations imposed on businesses … shall not restrict a business’s ability to…[c]ollect or sell a consumer’s personal information if every aspect of that commercial conduct takes place wholly outside of California. For purposes of this title, commercial conduct takes place wholly outside of California if the business collected that information while the consumer was outside of California, no part of the sale of the consumer’s personal information occurred in California, and no personal information collected while the consumer was in California is sold. This paragraph shall not permit a business from storing, including on a device, personal information about a consumer when the consumer is in California and then collecting that personal information when the consumer and stored personal information is outside of California.”

The CCPA further provides that a covered business will not be “required [to place] links and text on the homepage that the business makes available to the public generally, if the business maintains a separate and additional homepage that is dedicated to California consumers and that includes the required links and text, and the business takes reasonable steps to ensure that California consumers are directed to the homepage for California consumers and not the homepage made available to the public generally.”

Taken together, these provisions highlight the decisions both U.S. and foreign businesses will face when collecting and sharing personal information that might include the data of Californians. Should businesses provide the required “Do Not Sell My Personal Information” link and protections globally only in the U.S. or just to Californians?

Q: Does the CCPA govern nonprofit organizations?

A: The CCPA defines “business” as a sole proprietorship, partnership, limited liability company, corporation, association or other legal entity that is organized or operated “for the profit or financial benefit of its shareholders or other owners,” that collects consumers’ personal information, or on the behalf of which such information is collected and that alone or jointly with others determines the purposes and means of the processing of consumers’ personal information, does business in the state of California, and satisfies certain revenue or data-processing thresholds.

Q: Does the CCPA apply to small businesses?

 A: The CCPA applies to “businesses” that meet one or more of the following thresholds:

  • Has annual gross revenues in excess of $25,000,000, as adjusted pursuant to Paragraph 5 of Subdivision A of Section 1798.185.
  • Alone or in combination, annually buys, receives for the business’s commercial purposes, sells or shares for commercial purposes, alone or in combination, the personal information of 50,000 or more consumers, households or devices.
  • Derives 50% or more of its annual revenues from selling consumers’ personal information.

Q: Does “selling” include sharing personal data with affiliated organizations?

A: Answering this question requires understanding several definitions under the CCPA, including not only “selling,” but also “business,” “business purposes,” “service provider,” “personal information” and “third party.”

“Sell” is defined as “selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer’s personal information by the business to another business or a third party for monetary or other valuable consideration.”

There are exceptions to this general definition, including when the individual directs the transfer of information or the business shares information pursuant to a contract with a service provider for a business purpose of which the consumer has been informed.

Under the CCPA, sharing personal information with an affiliate for valuable consideration would generally be considered a sale if the affiliate is considered a third party. This would be the case unless the affiliate controls or is controlled by the “business” and shares common branding with the business or is a service provider with whom the information is shared pursuant to a contract for a business purpose of which the consumer has been informed.

Q: If a business has entered into a controller-processor data protection agreement with a vendor, is it reasonable to assume the transfer of data to that vendor will not be considered a "sale" under the CCPA? How should businesses categorize and manage service providers differently from third parties in terms of contracts and CCPA obligations?

A: To avoid a data transfer to a vendor being considered a “sale” under the CCPA, the transfer must be to fulfill a business purpose of which the consumer has been informed, and it must be governed by a written contract. The contract with a “service provider” to process personal information on behalf of the “business” must prohibit the service provider “from retaining, using, or disclosing the personal information for any purpose other than for the specific purpose of performing the services specified in the contract for the business, or as otherwise permitted by [the CCPA], including retaining, using, or disclosing the personal information for a commercial purpose other than providing the services specified in the contract with the business.”

Q: Does the required “Do Not Sell My Personal Information” link need to go on mobile sites/apps, as well?

A: A business that sells personal information about the consumer to third parties must provide a clear and conspicuous link on the business’s internet “homepage,” titled “Do Not Sell My Personal Information.” In the case of an online service, such as a mobile application, “homepage” means the application’s platform page or download page; a link within the application, such as from the application configuration, “About,” “Information,” or settings page; and any other location that allows consumers to review the notice required before downloading the application.

Q: What are key differences between the CCPA and GDPR on which businesses adapting a GDPR-compliance program to CCPA should focus?

A: While there are numerous differences, described in great detail here, areas to focus include:

  • The definition of personal data under the CCPA, which is broad and explicitly includes household data. It states, in part: “'Personal information' means information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household …”
  • New consumer rights and associated business requirements, particularly those associated with the “sale” of personal data, including the requirement that a business that sells a consumer’s personal information to third parties provide a clear and conspicuous link on its internet homepage, titled “Do Not Sell My Personal Information,” to an internet webpage that enables the consumer to opt out of the sale of the personal information.
  • The categorization of information shared for “business purposes” versus “commercial purposes” and required disclosures pursuant to a consumer access request.
  • Required contractual terms when sharing personal data with “service providers.”

Q: Does the CCPA enter into force Jan. 1, 2020, or July 1, 2020?

A: The CCPA enters into force Jan. 1, 2020. On Aug. 31, 2018, the California State Legislature passed SB-1121, which:

  • Extended the deadline for the attorney general to adopt the law’s implementing regulations from Jan. 1, 2020, until July 1, 2020.
  • Delayed the attorney general’s ability to enforce the bill until six months after the publication of those regulations or July 1, 2020, whichever comes sooner.

Given those amendments, the attorney general could enforce the new law prior to July 1, 2020, only if the attorney general adopts implementing regulations prior to Jan. 1, 2020. The fact that the amendments provided the attorney general additional time beyond Jan. 1 to adopt the regulations makes it unlikely (though not impossible) that they will be adopted sooner.

Photo by Sasha • Stories on Unsplash

Author
Headshot Caitlin Fennessy, CIPP/US IAPP Staff Contributor
Tags
U.S.
Privacy Law
Privacy Operations Management
Westin Research Center
Comments

If you want to comment on this post, you need to login.

Related Stories
Notes from the IAPP, April 12, 2019
Greetings from Portsmouth, New Hampshire! It’s the second week of April, and we hope this week’s snowfall was the last of the season. While everyone here is well accustomed to frigid spring temperatures, we are looking forward to the warmth of Washington during the Global Privacy Summit in just a c...
Read More queue Save This
Caitlin Fennessy joins IAPP as senior privacy fellow
To augment and help lead the IAPP's growing contingent of researchers, journalists, and subject matter experts, the IAPP has hired Caitlin Fennessy, CIPP/US, to take on the new role of senior privacy fellow. She will begin her role in early March.  Currently, Fennessy serves as director of the EU-U...
Read More queue Save This
Related Stories
Tags
U.S.
Privacy Law
Privacy Operations Management
Westin Research Center
Recent Comments