TOTAL: {[ getCartTotalCost() | currencyFilter ]} Update cart for total shopping_basket Checkout

The Privacy Advisor | CCPA myth buster: Not all records count Related reading: On implementing the CCPA amid a regulatory US patchwork

rss_feed

""

""

""

The California Consumer Privacy Act grants California residents extensive new privacy rights and imposes most of its burdens on businesses. So the question many organizations are asking themselves is: Am I a "business"? There are two tests that answer that question. One is based on meeting one of three thresholds, while the other is based on belonging to a group and sharing branding with a business that meets the thresholds. 

Most major corporations will meet the annual gross revenue threshold, although we do not know if that threshold — $25 million in "gross revenue" — will be based exclusively on revenue derived from California or if only the revenue of the individual entity is to be considered. Most data brokers (or at least what we have considered traditionally to be "data brokers") will meet the percentage of annual revenue threshold, as they do derive more than 50% of their annual revenue from "sales." 

For small businesses (including most startups), the analysis revolves around the number of records threshold. The CCPA's language on the threshold is: “alone or in combination, [it] annually buys, receives for the business’ commercial purposes, sells, or shares for commercial purposes, alone or in combination, the personal information of 50,000 or more consumers, households, or devices.” 

Broadly speaking, current commentary on the CCPA either ignores the reference to "commercial purposes" or categorically modifies the threshold to: "possesses the personal data of more than 50,000 consumers, households or devices," dropping the reference to "commercial purposes" completely. 

But the CCPA clearly specifies its application when a business "buys/sells or receives/shares … for the business’ commercial purposes." Since "commercial purposes" qualifies "receives/shares," not all personal information can be deemed to be received or shared for commercial purposes. The CCPA does not provide a test for what constitutes "commercial purposes" and the reference it provides in the definition — "to advance a person's commercial or economic interests" —  if considered in isolation, can lead to the belief virtually all disclosures are done for commercial purposes. However, a provision in a statute is not to be interpreted in isolation. The statute is to be interpreted so as to be internally consistent and so that a particular section shall not be divorced from the rest of the act. 

The key question is: How are business purposes different from commercial purposes and, more specifically, are those two concepts mutually exclusive in the CCPA? Yes, business and commercial purposes are mutually exclusive, and there are several textual references that support this interpretation, including:

  • In order for an activity to qualify as research under CCPA, it has to simultaneously be "[c]ompatible with the business purpose for which the personal information was collected" and not entail any use for "commercial purpose." If the definition of commercial purposes were to be broadly interpreted to virtually swallow the definition of business purpose, then no activity could qualify as research. 
  • In the context of the provisions on the right of access and the right to be informed, businesses are required to disclose the "business or commercial" purposes for collecting or selling the information, which tends to imply that the purpose for every disclosure has to be analyzed and deemed either business or commercial in nature, but not both. 
  • The act ties the role of service provider to disclosures for business purposes but not for "commercial purposes," which again indicates that these two concepts should be interpreted as mutually exclusive. 

If commercial purposes are something other than business purposes, then records shared or received for operational purposes should not count towards the threshold. This interpretation is consistent with the fact that the legislature created three distinct thresholds. An expansive interpretation of the concept of "commercial purposes" de facto renders the other thresholds meaningless, as most if not all organizations disclose more than 50,000 personal information records in any given year given the expansive definition of personal information under the CCPA.

To illustrate this with an example: A recent San Francisco Chronicle article from July 21, 2019, on the CCPA stated a small flower shop owner was concerned about the burden of CCPA compliance on his small business. "He handles more than 50,000 web visitors and store transactions per year, which makes his business subject to the law’s requirements," the article stated. But through the lens of interpreting business purposes and commercial purposes as mutually exclusive, assuming there are no targeted ads on the site (which would require separate analysis), the sharing triggered by web visitors would not count towards the thresholds. Also, assuming the flower shop owner uses personal records only to complete a sales transaction and then deletes the record, those records would not count towards the "counting records" threshold under this interpretation. 

To be sure, small businesses — including emerging growth companies (and their representatives) — may want to raise this question more forcefully in upcoming public sessions with the California attorney general. 

Photo by Joseph Barrientos on Unsplash


Approved
CIPM, CIPP/A, CIPP/C, CIPP/E, CIPP/G, CIPP/US, CIPT
Credits: 1

Submit for CPEs

5 Comments

If you want to comment on this post, you need to login.

  • comment Lewis Barr • Oct 2, 2019
    Jennifer, thanks for your well-expressed analysis.
  • comment Lewis Barr • Oct 2, 2019
    And thank you, too, Lydia.
  • comment Jonathan Frost • Oct 3, 2019
    This is a great article that provides a line of reasoning that can be used to advocate on behalf of a data-collecting business in litigation.  However, for the purpose of counseling clients, I think we need to look at the entire definition of "commercial purposes" in the CCPA:  " “Commercial purposes” means to advance a person’s commercial or economic interests, such as by inducing another person to buy, rent, lease, join, subscribe to, provide, or exchange products, goods, property, information, or services, or enabling or effecting, directly or indirectly, a commercial transaction. “Commercial purposes” do not include for the purpose of engaging in speech that state or federal courts have recognized as noncommercial speech, including political speech and journalism."
    
    When the noncommercial speech carveout of commercial information is taken into account, the argument that research exemption would  become vacuous with a broad interpretation of “commercial purpose” loses much of its force., because the research exemption can be satisfied in a business setting whenever the research constitutes noncommercial speech (as defined under federal and California law).  This means that the research provision can still have meaning, even if “to advance a person’s commercial or economic interests” is interpreted literally. 
    
    Given that the statute states that it will be “shall be liberally construed to effectuate its purposes” of “giving consumers an effective way to control their personal information”,  I would personally be very cautious about advising clients who operationally collect 50k records in their business that the CCPA does not apply to them.
  • comment Richard Santalesa • Oct 3, 2019
    Agree with Jonathan Frost's comments. Until we see regs from the CA AG or guidance thereto that adopts the position in the article above (which I would be very happy to see happen) I'd be cautious taking that approach as well. 
    This also puts aside the very real challenge and burden of 'counting' such records collected, potentially in different places, to then tally them up to 50k - and maintaining documentation in connection should an enforcement action come calling to demonstrate that you are not in fact in scope because you do not have 50K.
  • comment Barry Weber • Jul 16, 2020
    Mathematically the word "or" can mean any of (a and not b, b and not a, a and b).   The word "or" does not imply mutual exclusivity.   I've read the article on mutual exclusivity and there is an option that is not discussed.   Business use can be a superset of commercial and non-commercial purposes.   This would allow research to be a business use and not a commercial use.   It would also allow all commercial use to be a business use.    This would imply that the categories of use should be a superset.  But the threshold of the 50K would only apply to those records collected for commercial use.