The California Consumer Privacy Act entered into force Jan. 1, 2020, enforcement began July 1, CCPA regulations went into effect in August, and further proposed modifications to the CCPA regulations were issued in October and earlier this month. The California Privacy Rights Act became “effective” Dec. 16 per the California Constitution, five days after the Secretary of State certified the statement of vote, capping a busy year for privacy law in California.
Businesses focused on understanding and complying with potential obligations under the CCPA and its regulations now need to consider whether they will be subject to the CPRA. A starting point is assessing whether the organization is a “business” within the law’s scope and if there are exemptions that may apply to either the entity or the activity.
Since the CPRA generally builds upon and amends the CCPA’s requirements — the ballot initiative is a “redline document” of the CCPA — comparing the current CCPA provisions to any differences in the CPRA is instructive.
It is worth noting the CPRA contemplates significant rulemaking before the majority of its provisions become operative Jan. 1, 2023, and the law also may be amended. Monitoring further developments in the law will be important.
Definition of 'business' under CCPA
The CCPA and CPRA generally apply to “businesses,” using the definition to frame the scope of the respective laws. CCPA Section 1798.140(c)(1) defines “business” as a for-profit legal entity doing business in California that collects consumers’ “personal information” and (1) has annual gross revenues of more than $25 million; (2) annually buys, receives for commercial purposes, sells, or shares for commercial purposes, “personal information of 50,000 or more consumers, households, or devices”; or (3) derives more than 50% of its annual revenues from selling consumers’ personal information.
In its responses to comments during the CCPA rulemaking process (Comment 5), the Office of the Attorney General confirmed the annual gross revenue threshold in Subsection A is not limited to revenue generated only in California or from California residents.
An entity also is a “business” under Section 1798.140(c)(2) of the CCPA if it controls or is controlled by a “business” and they share common branding.
Definition of 'business' under the CPRA
The basic definition of “business” remains the same in the CPRA, Section 1798.140(d)(1) — a for-profit legal entity doing business in California that collects consumers’ personal information — but the thresholds change.
- Subsection A clarifies the $25 million annual gross revenue threshold relates to the preceding calendar year.
- Subsection B doubles the threshold for buying, selling or sharing personal information, removes the reference to “devices” and otherwise simplifies the terms. The CPRA threshold will be “annually buys or sells, or shares the personal information of 100,000 or more consumers or households.” This change presumably means more small- and medium-size businesses will not be subject to the CPRA.
- Subsection C broadens the threshold by adding the term “sharing,” so the provision asks whether an entity “[d]erives 50 percent or more of its annual revenues from selling or sharing consumers’ personal information.”
The CPRA also amends the definition of business based upon control and common branding, adding the requirement the business share consumers’ personal information with the other entity for the entity to be a “business.”
Two new categories are included in the CPRA’s definition of “business”: (1) joint ventures or partnerships “composed of businesses in which each business has a 40 percent interest;” and (2) “[a] person that does business in California,” not otherwise considered a business, that voluntarily certifies to the new CPRA enforcement agency “it is in compliance with, and agrees to be bound by, this title.”
Key definitions within 'business'
There are several defined terms within the definition of “business” under both the CCPA and CPRA that may impact whether the law applies.
Consumer. Under the CCPA, a “consumer” is “a natural person who is a California resident,” referencing the definition in Section 17014, Title 18 of the California Code of Regulations. The CPRA does not change this definition.
Personal information. The CCPA broadly defines this term to include “information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” Publicly available information and deidentified or aggregated consumer information are excluded from the definition.
The definition of “personal information” remains substantially the same in the CPRA, but it adds a new, separately defined term — “sensitive personal information” — to the definition. The CPRA also revises the exclusion for publicly available information.
Sell. The term “sell” in the CCPA means “selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating ... a consumer’s personal information by the business to another business or a third party for monetary or other valuable consideration.” The definition excludes certain transactions, including when a business uses or shares a consumer’s personal information with a service provider if certain conditions are met.
The CPRA revises the definition of sell so the term applies only to transfers of a consumer’s personal information by a business to a third party (not another business). It also revises the exclusions and removes the carve-out for transactions with service providers.
Share. Both the CCPA and CPRA include the term “share” in the definition of business, but the CPRA specifically defines the term in Section 1798.140(ah). Under the CPRA, “share” means “sharing, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating ... a consumer’s personal information by the business to a third party for cross‐context behavioral advertising, whether or not for monetary or other valuable consideration ....” As discussed in this AdExchanger article, the definition addresses the issue of whether behavioral advertising is subject to the term “sale” under the CCPA.
Doing business in California. The phrase “does business in the State of California” is not defined. During the CCPA rulemaking process, the OAG took the position the phrase “should be given meaning according to the plain language of the words and other California law.”
Other California laws that define this term do so broadly. For example, California’s Revenue and Tax Code, Section 23101(a) defines “doing business” as “actively engaging in any transaction for the purpose of financial or pecuniary gain or profit.” The California Corporations Code, Section 191(a) defines “transact intrastate business” as “entering into repeated and successive transactions of its business in this state, other than interstate or foreign commerce.” The California Franchise Tax Board considers a company to be “doing business in California” if (1) it is engaged in any transaction for the purpose of financial gain within California; (2) it is organized or commercially domiciled in California; or (3) its sales, property or payroll exceed certain thresholds.
Exemptions
The CCPA contains a number of exemptions, including in Sections 1798.145 and 1798.146. For example, businesses are allowed to “collect, use, retain, sell or disclose consumer information” that is deidentified or aggregated and may collect or sell a consumer’s personal information “if every aspect of that commercial conduct takes place wholly outside of California.” The CCPA generally does not apply to employee information, business-to-business information and data subject to certain other laws, like health care or financial services information.
The CPRA amends Section 1798.145, revising some of the existing exemptions and adding new provisions. The CPRA modifications include extending the exemptions for employee information and B2B transactions to Jan. 1, 2023, and elaborating on the ability of law enforcement agencies to direct businesses not to delete information.
New provisions include (1) excluding household data from the obligations imposed in Sections 1798.105 through 115; (2) allowing businesses not to comply with a request to delete if the request involves certain educational information; (3) finding the deletion and opt-out provisions don’t apply if the consumer has consented to the use of the information “to produce physical items such as a school yearbook” if certain other conditions are met; and (4) allowing businesses to “cooperate with a government agency request for emergency access to a consumer’s information.”
The CPRA does not address the exemptions in Section 1798.146 or the other amendments to the CCPA that became effective in Sept. 2020 when AB 713 was signed into law.
It is unclear how these provisions will be treated. Section 31 of the CPRA addresses effective and operative dates and Subsection C states the provisions of the CCPA “amended or reenacted by this act, shall remain in full force and effect and shall be enforceable until the same provisions of this Act become operative and enforceable.” This provision does not appear to address amendments to the CCPA that were not captured in the November 2019 ballot initiative. It will be interesting to hear practitioners’ thoughts on this issue going forward.
Conclusion
Companies should assess whether they come within the scope of the CPRA well before the Jan. 1, 2023, operative date (for the majority of its provisions) and the Jan. 1, 2022, look-back. The rulemaking for the CPRA is expected to be extensive and monitoring this process, as well as developments regarding the new independent enforcement agency, may assist in determining compliance obligations.
Photo by Paul Hanaoka on Unsplash