The brand-new California Consumer Privacy Act of 2018, which swept through the California legislature last week with startling speed as a compromise measure preempting an even stricter ballot initiative, will apply to more than 500,000 U.S. companies, the vast majority of which are small- to medium-sized enterprises. These figures were derived by an IAPP examination of the language of the law as applied to U.S. census data about American businesses. 

The new act, which provides California residents with new rights, including a right to transparency about data collection, a right to be forgotten, a right to data portability, and a right to opt out of having their data sold (opt in, for minors), applies to businesses that collect consumers’ personal information, as well as to those that sell consumers’ personal information or disclose it for a “business purpose.”

The law defines the term “business” as a for-profit legal entity that collects consumers’ personal information and does business in the state of California. For purposes of our analysis, we assume that this law does not apply to nonprofit entities, although that is not entirely clear from the definition. We also assume, consistent with well-established jurisprudence on long-arm jurisdiction, that “doing business” in California applies to companies that sell goods or services to California residents even if the business is not physically located in the state.

In addition, to fall within the law’s jurisdiction, a business must meet one of the following conditions:

  • Have $25 million or more in annual revenue.
  • Possess the personal data of more than 50,000 “consumers, households, or devices.”
  • Earn more than half of its annual revenue selling consumers’ personal data.

A “consumer” is defined as a natural person who is a California resident, which is very broadly defined in a separate statute as (1) every individual who is in the state for other than a temporary or transitory purpose, or (2) every individual who is domiciled in the state who is outside the state for a temporary or transitory purpose. This definition, therefore, includes California residents while they are traveling.

The law does not apply to information already regulated under the Health Insurance Portability and Accountability Act, the Gramm-Leach-Bliley Act, the Fair Credit Reporting Act, or the Driver’s Privacy Protection Act; it still applies to entities covered by these laws to the extent they collect and process other personal information about California consumers.

The most objective measure in the definition is the application to companies with $25 million or more in annual revenue. Because finding information on annual revenue of privately held companies is challenging, we followed a rule of thumb in the business-reporting world that estimates a company’s revenue by the number of employees it has. Under this assumption, a company will gross an average of at least $100,000 per employee.

Using information from the U.S. Census Bureau, we find that in 2015, 121,687 California companies had more than 500 employees, which translates to more than $50 million in annual revenue. Another 36,818 companies had between 100 and 500 employees. Assuming conservatively that just 40 percent of them had at least 250 employees or an estimated $25 million in revenue, that leaves 136,414 companies in California in 2015 that likely fall under the jurisdiction of the new law. Excluding health care companies (approximately 18 percent of the U.S. GDP and thus 18 percent of companies), we’re left with 111,859 companies.

That’s a lot of companies. But this number accounts for just the companies in California that would be affected. The law, as explained above, has far broader reach, since outside of purely local businesses, few if any American companies with individual customers do not process data about consumers from California — by far the largest U.S. state. According to the latest U.S. Census Bureau data, there are 1.2 million businesses in the United States with more than 500 employees, that is, according to our assumption, 1.2 million businesses with $50 million in annual revenue.

To be conservative, we take into account just the proportion of these companies that are in the financial services, retail, professional services or information industries, thus highly likely to process consumers’ personal data. According to official statistics, those sectors account for 44 percent of the U.S. economy, which is 528,000 companies of the 1.2 million U.S. companies that gross more than $50 million and 49,280 businesses out of the 111,859 California companies we arrived at above. We added the 49,280 California businesses to the 528,000 U.S. companies but subtracted a number equal to California’s 13.3 percent share of the U.S. economy (so as not to double count), arriving at a grand total of 507,280 companies.

Assuming that “doing business in California” applies to any business collecting data about California consumers, the new California privacy law is thus estimated to apply to more than half a million companies in the U.S. alone. Its application beyond U.S. borders could significantly expand the impact of the legislation.
