The California Consumer Privacy Act grants California residents extensive new privacy rights and imposes most of its burdens on businesses. So the question many organizations are asking themselves is: Am I a "business"? There are two tests that answer that question. One is based on meeting one of three thresholds, while the other is based on belonging to a group and sharing branding with a business that meets the thresholds.
Most major corporations will meet the annual gross revenue threshold, although we do not know if that threshold — $25 million in "gross revenue" — will be based exclusively on revenue derived from California or if only the revenue of the individual entity is to be considered. Most data brokers (or at least what we have considered traditionally to be "data brokers") will meet the percentage of annual revenue threshold, as they do derive more than 50% of their annual revenue from "sales."
For small businesses (including most startups), the analysis revolves around the number of records threshold. The CCPA's language on the threshold is: “alone or in combination, [it] annually buys, receives for the business’ commercial purposes, sells, or shares for commercial purposes, alone or in combination, the personal information of 50,000 or more consumers, households, or devices.”
Broadly speaking, current commentary on the CCPA either ignores the reference to "commercial purposes" or categorically modifies the threshold to: "possesses the personal data of more than 50,000 consumers, households or devices," dropping the reference to "commercial purposes" completely.
But the CCPA clearly specifies its application when a business "buys/sells or receives/shares … for the business’ commercial purposes." Since "commercial purposes" qualifies "receives/shares," not all personal information can be deemed to be received or shared for commercial purposes. The CCPA does not provide a test for what constitutes "commercial purposes" and the reference it provides in the definition — "to advance a person's commercial or economic interests" — if considered in isolation, can lead to the belief virtually all disclosures are done for commercial purposes. However, a provision in a statute is not to be interpreted in isolation. The statute is to be interpreted so as to be internally consistent and so that a particular section shall not be divorced from the rest of the act.
The key question is: How are business purposes different from commercial purposes and, more specifically, are those two concepts mutually exclusive in the CCPA? Yes, business and commercial purposes are mutually exclusive, and there are several textual references that support this interpretation, including:
- In order for an activity to qualify as research under CCPA, it has to simultaneously be "[c]ompatible with the business purpose for which the personal information was collected" and not entail any use for "commercial purpose." If the definition of commercial purposes were to be broadly interpreted to virtually swallow the definition of business purpose, then no activity could qualify as research.
- In the context of the provisions on the right of access and the right to be informed, businesses are required to disclose the "business or commercial" purposes for collecting or selling the information, which tends to imply that the purpose for every disclosure has to be analyzed and deemed either business or commercial in nature, but not both.
- The act ties the role of service provider to disclosures for business purposes but not for "commercial purposes," which again indicates that these two concepts should be interpreted as mutually exclusive.
If commercial purposes are something other than business purposes, then records shared or received for operational purposes should not count towards the threshold. This interpretation is consistent with the fact that the legislature created three distinct thresholds. An expansive interpretation of the concept of "commercial purposes" de facto renders the other thresholds meaningless, as most if not all organizations disclose more than 50,000 personal information records in any given year given the expansive definition of personal information under the CCPA.
To illustrate this with an example: A recent San Francisco Chronicle article from July 21, 2019, on the CCPA stated a small flower shop owner was concerned about the burden of CCPA compliance on his small business. "He handles more than 50,000 web visitors and store transactions per year, which makes his business subject to the law’s requirements," the article stated. But through the lens of interpreting business purposes and commercial purposes as mutually exclusive, assuming there are no targeted ads on the site (which would require separate analysis), the sharing triggered by web visitors would not count towards the thresholds. Also, assuming the flower shop owner uses personal records only to complete a sales transaction and then deletes the record, those records would not count towards the "counting records" threshold under this interpretation.
To be sure, small businesses — including emerging growth companies (and their representatives) — may want to raise this question more forcefully in upcoming public sessions with the California attorney general.
If you want to comment on this post, you need to login.