News Stream Books Videos Web Conferences Subscriptions Advertise About IAPP Publications
Daily Dashboard Daily Dashboard

The day’s top stories from around the world

 AI Governance Dashboard – New AI Governance Dashboard – New

Stay on top of the latest AI governance news and developments of the profession.

 The Privacy Advisor The Privacy Advisor

Original reporting and feature articles on the latest privacy developments

 Privacy Perspectives Privacy Perspectives

Where the real conversations in privacy happen

 Privacy Tech Privacy Tech

Exploring the technology of privacy

 Canada Dashboard Digest Canada Dashboard Digest

A roundup of the top Canadian privacy news

 Europe Data Protection Digest Europe Data Protection Digest

A roundup of the top European data protection news

 Asia-Pacific Dashboard Digest Asia-Pacific Dashboard Digest

A roundup of the top privacy news from the Asia-Pacific region

 Latin America Dashboard Digest Latin America Dashboard Digest

A roundup of the top privacy news from Latin America

 U.S. Privacy Digest U.S. Privacy Digest

A roundup of US privacy news
Overview KnowledgeNet Chapters Sections Affinity Groups Volunteer Annual Awards Career Central
Find a KnowledgeNet Chapter Near You

Talk privacy and network with local members at IAPP KnowledgeNet Chapter meetings, taking place worldwide.

 IAPP Job Board

Looking for a new challenge, or need to hire your next privacy pro? The IAPP Job Board is the answer.

 IAPP Calendar

Review a filterable list of conferences, KnowledgeNets, LinkedIn Live broadcasts, networking events, web conferences and more.
Overview Online Training Live Online Training In-Person Training Books Practice Exams Train Your Staff Official Training Partners Web Conferences
Artificial Intelligence Governance Professional Artificial Intelligence Governance Professional

Learn how to surround AI with policies and procedures that make the most of its potential by reducing its risks.

 European Data Protection (CIPP/E)

Understand Europe’s framework of laws, regulations and policies, most significantly the GDPR.

 U.S. Private-Sector Privacy (CIPP/US)

Steer a course through the interconnected web of federal and state laws governing U.S. data privacy.

 Canadian Privacy (CIPP/C)

Learn the intricacies of Canada’s distinctive federal/provincial/territorial data privacy governance systems.

 Privacy Program Management (CIPM)

Develop the skills to design, build and operate a comprehensive data protection program.

Privacy in Technology (CIPT)

Add to your tech knowledge with deep training in privacy-enhancing technologies and how to deploy them.

 Foundations of Privacy and Data Protection

Introductory training that builds organizations of professionals with working privacy knowledge.

 Privacy Law Specialist Training (PLS)

Meet the stringent requirements to earn this American Bar Association-certified designation.
Overview Certification Programs Get Certified How to Prepare Continuing Privacy Education (CPE) Fees Certify Your Staff Verify a Certification
CIPP Certification CIPP Certification

The global standard for the go-to person for privacy laws, regulations and frameworks

 CIPM Certification CIPM Certification

The first and only privacy certification for professionals who manage day-to-day operations

 CIPT Certification CIPT Certification

As technology professionals take on greater privacy responsibilities, our updated certification is keeping pace with 50% new content covering the latest developments.

 FIP Designation FIP Designation

Recognizing the advanced knowledge and issue-spotting skills a privacy pro must attain in today’s complex world of data privacy.

 Privacy Law Specialist Privacy Law Specialist

The first title to verify you meet stringent requirements for knowledge, skill, proficiency and ethics in privacy law, and one of the ABA’s newest accredited specialties.

 AIGP Certification AIGP Certification

Ensures individuals responsible for AI systems can reduce the risks associated with this technology.

 Certificação CDPO/BR Certificação CDPO/BR

Mostre seus conhecimentos na gestão do programa de privacidade e na legislação brasileira sobre privacidade.

 Certification CDPO/FR Certification CDPO/FR

Certification des compétences du DPO fondée sur la législation et règlementation française et européenne, agréée par la CNIL.
Tools and Trackers Research Glossary Global Privacy Directory Enforcement Database Westin Research Center Web Conferences Jobs Privacy Vendor Marketplace
Global Privacy Directory

This tool identifies global data protection authorities and privacy legislation.
US State Privacy Legislation Tracker

The IAPP’s US State Privacy Legislation Tracker consists of proposed and enacted comprehensive state privacy bills from across the U.S.
Reports and Surveys

Access all reports and surveys published by the IAPP.
Privacy Governance Report

This report shines a light on the location, performance and significance of privacy governance within organizations.
Privacy Risk Study

This year’s Privacy Risk Study represents the most comprehensive study of privacy risk undertaken by the IAPP in collaboration with KPMG.
Artificial Intelligence

On this topic page, you can find the IAPP’s collection of coverage, analysis and resources covering AI connections to the privacy space.
CCPA and CPRA

IAPP members can get up-to-date information here on the California Consumer Privacy Act and the California Privacy Rights Act.
EU General Data Protection Regulation

The IAPP's EU General Data Protection Regulation page collects the guidance, analysis, tools and resources you need to make sure you're meeting your obligations.
Data Protection Intensive: UK Data Protection Intensive: UK

Explore the full range of U.K. data protection issues, from global policy to daily operational details.

Global Privacy Summit Global Privacy Summit

Expand your network and expertise at the world’s top privacy event featuring A-list keynotes and high-profile experts.

AI Governance Global AI Governance Global

A new event in Brussels for business leaders, tech and privacy pros who work with AI to learn about practical AI governance, accountability, the EU AI Act and more.

 Canada Privacy Symposium Canada Privacy Symposium

Leaders from across the Canadian privacy field deliver insights, discuss trends, offer predictions and share best practices.

Asia Privacy Forum Asia Privacy Forum

Hear top experts discuss global privacy issues and regulations affecting business across Asia.

 Privacy. Security. Risk. (P.S.R.) Privacy. Security. Risk. (P.S.R.)

P.S.R. focuses on the intersection of privacy and technology. The call for proposals to speak at the 2024 event is open. Submit your ideas today.

 Europe Data Protection Congress Europe Data Protection Congress

Europe’s top experts offer pragmatic insights into the evolving landscape and share knowledge on best practices for your data protection operation.

 ANZ Summit ANZ Summit

Gain exclusive insights about how privacy affects business in Australia and Aotearoa New Zealand.

 Speak at an IAPP Event

View our open calls and submission instructions.

 Sponsor an Event

Increase visibility for your organization — check out sponsorship opportunities today.

Individual Membership Corporate Membership Group Membership Student Membership
Become a Member

Start taking advantage of the many IAPP member benefits today

 Corporate Members

See our list of high-profile corporate members—and find out why you should become one, too

 Renew Your Membership

Don’t miss out for a minute—continue accessing your benefits
{[product.name]} {[ product.name ]}
clear
mode_editEdit
remove_circle_outline {[ getCartItemQuantity(product.id) ]} add_circle_outline
{[ product.price | currencyFilter ]}
TOTAL: {[ getCartTotalCost() | currencyFilter ]} Update cart for total shopping_basket Checkout

The Privacy Advisor | Top 5 Operational Impacts of the CCPA: Part 1 — Determining if you’re a business collecting or selling consumers’ personal information Related reading: OCR issues rule for reproductive health care under HIPAA

rss_feed

""

""

The California Consumer Privacy Act of 2018 was conceived and born in record time — two days — resulting in a comprehensive consumer privacy law that occasionally suffers from redundancy, drafting errors, and lack of clarity. This five-part series is intended to help privacy professionals make operational sense of the law in its current form, understanding that the California legislature has time before the law takes effect in January 2020 to clarify and amend the statute.

Part one of the series addresses the initial question each organization must ask: Do I fall under the law’s scope? Answering this question requires determining if your organization (1) is a “business” that (2) collects or sells (3) “personal information’” from or about (4) “consumers.”

Part two of the series will address the CCPA’s notice and transparency obligations. Part three will cover requirements to abide data access requests, including consumer verification and data disclosure requirements. Part four addresses consumers’ new rights of erasure, to object to the sale of their personal information, and against non-discrimination. Finally, Part five discusses a new cause of action for consumers suffering a data breach and the California Attorney General’s enforcement and regulatory powers under the CCPA.

Look for weekly installments.

Threshold determination: Are you a “business”?

The CCPA applies only to businesses. The threshold question of the law’s scope, therefore, is to determine whether your organization meets the elements of the “business” definition.

The best place to start is with the elements of “business,” defined in Section 1798.140(c)(1)(A-C), that are objective and relatively clear. Answers to at least one of the following three questions must be “yes” for your organization to fall under the law’s scope; if all the answers are “no,” the law does not apply: 

  • Do you have annual gross revenues in excess of $25,000,000?
  • Do you annually buy, receive for commercial purposes, sell, or share for commercial purposes, the personal information of 50,000 or more consumers, households or devices?
  • Do you derive 50 percent or more of your annual revenue from selling consumers’ personal information?

Assuming at least one of these is true, your organization is considered a business if all of the following are also true:

  • You are a sole proprietorship, partnership, limited liability company, corporation, association, or other legal entity that is organized or operated for the profit or financial benefit of your shareholders or other owners.
  • You collect consumers’ personal information, or someone collects it on your behalf.
  • You alone, or jointly with others, determine the purposes and means of the processing of consumers’ personal information.
  • You do business in California.

Importantly, this list is IAPP’s best interpretation of 1798.140(c)(1), which has a number of commas that could permit for an interpretation that is disjunctive (not all elements are required) rather than conjunctive (they must all be present). If the disjunctive is intended, for instance, the statute might cover not-for-profit entities. This is one item the Attorney General and/or the state legislature will need to clarify.

The phrase “does business in California” is not defined in the CCPA. Instead, one may assume that the requirement is modified by reference to the definition of “consumer” — a natural person who is a California resident — and therefore applies to any business, whether or not geographically located in California, that collects and/or sells the personal information of California residents. This would be consistent with California’s tax and corporations codes, which apply broadly when a company engages in a transaction in California for purposes of financial gain or enters into repeated or successive transactions in California, and its extensive long-arm jurisdiction law for civil litigation. 

Do you “collect” and/or “sell” information?

Consumers have many new rights under the CCPA. These may be enforced against businesses that: (a) collect a consumer’s personal information; (b) collect personal information about a consumer or about consumers; (c) sell consumers’ personal information or disclose it for a business purpose; (d) sell personal information about a consumer to a third party; and/or (e) sell consumers’ personal information to third parties. 

A business is considered to “collect” personal information if it buys, rents, gathers, obtains, receives, or even accesses it, by any means, whether actively or passively, including by observing a consumer’s behavior. This definition is clearly intended to extend to online monitoring and tracking; it is broad in similar fashion to, for example, the EU’s General Data Protection Regulation’s definition of “process.” 

Selling” consumer personal information takes place upon “selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means” for “monetary or other valuable consideration.” The definition contains exclusions for consumer consent; conveying a consumer’s opt-out instructions to a third party; or data transfers in the course of mergers, acquisitions, bankruptcies and the like.

“Selling” also excludes use for a business purpose, defined as using personal information for the operational purposes of the business or its service provider, so long as “reasonably necessary and proportionate to achieve the operational purpose for which the personal information was collected or processed” or for another compatible operational purpose. The CCPA lists seven specific “business purposes” that include such things as counting ad impressions; detecting security incidents; debugging and repairing functionality; short-term “transient use” that isn’t used for profiling; performing services on a business’s behalf, such as fulfilling orders or processing payment (classic “data processor” activities); undertaking internal research for technological development; and “undertaking activities to verify or maintain the quality or safety” of the business’s service or device.

Operationally, privacy professionals disclosing personal information to a service provider for a business purpose will want to ensure their contract restricts the service provider in its use or sale of the personal information. Under Section 1798.145, a business is not liable for the service provider’s violation of the CCPA provided that “at the time of disclosing the personal information, the business does not have actual knowledge or reason to believe that the service provider intends to commit such a violation.” Service providers are “likewise” not liable for the business’s violation (presumably, of which they are not aware).

Although not clearly an exclusion to the law’s scope, moreover, many consumers’ rights conveyed under the CCPA would not apply to any business that only collects personal information for a “single, one-time transaction,” provided the business doesn’t sell the information, retain it, or use it to “reidentify or otherwise link information” to the consumer. 

Is it “personal information” under the CCPA? 

Privacy professionals accustomed to thinking of personal information as “PII” under U.S. state data breach laws will find the CCPA’s definition of personal information far broader than usual. Those who have acclimated to the definition of “personal data” under the EU’s General Data Protection Regulation will not be as surprised.

Personal information is defined in Section 1798.140(o)(1) as “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” It includes information typically considered PII under state breach laws – names, unique personal identifiers, account names, social security numbers, driver’s license numbers, passport numbers, biometric information and “other similar identifiers.” But it also includes aliases, IP addresses, “characteristics of protected classifications under California or federal law,” commercial information (defined to include personal property records or purchasing history), geolocation data, internet activity (including browsing and search history as well as web tracking data), professional and employment information, and education information. In addition, “personal information” includes “audio, electronic, visual, thermal, olfactory or similar information” and “inferences drawn” from any of the information contained in the definition.

The statute excludes from the definition publicly available information. It also excludes the following:

  • Protected health information collected by a covered entity as defined under federal laws including HIPAA.
  • The sale of information to or from a consumer reporting agency for use in a consumer report consistent with the Fair Credit Reporting Act.
  • Personal information collected, processed, sold or disclosed pursuant to the Gramm-Leach-Bliley Act or the Driver’s Privacy Protection Act of 1994, to the extent the CCPA conflicts with those laws. Of course, such information — and thus the businesses that collect and process it — will be covered by the CCPA in the absence of conflict.

The CCPA defines “de-identified” and “pseudonymized” information, presumably to illuminate those terms as they appear in the “research” definition. Although not expressly excluded from the definition of “personal information,” it may be possible for a business to avoid the CCPA’s scope if it de-identifies or pseudonymizes personal information. As noted above, collection for a single, one-time transaction combined with not selling data and not re-identifying it (which presumes that it has been de-identified) appears to avoid many of the statute’s obligations.

Are your customers “consumers”?

Finally, and crucially, the law applies only if the business collects or sells personal information of consumers. The CCPA defines a “consumer” as a natural person — however identified, including by any unique identifier — who is a California resident. 

The term “California resident” is defined in a separate California statute as:

  • Every individual who is in California for other than a temporary or transitory purpose.
  • Every individual domiciled in California who is outside the state for a temporary or transitory purpose.

Accordingly, if your business collects information from natural persons who live in California, even if they are traveling outside the state when they disclose their personal information, the law applies.

That said, the CCPA's Section 1798.145 excludes a business from the law’s scope, even if it collects or sells a consumer’s personal information, “if every aspect of the commercial conduct takes place wholly outside of California.” This occurs when: (1) the business collected the information while the consumer was outside of California; (2) no part of the sale of the consumer’s personal information occurred in California; and (3) no personal information collected while the consumer was in California is sold. This section — confusing due to the contradictions between (1) and (3) — would apply if, for example, a California resident visits a single-source restaurant located outside of California. If, however, the California resident makes a reservation at the restaurant while still in California that business is not excluded.

Photo credit: By Makaristos [Public domain], from Wikimedia Commons

Author
Headshot Rita Heimes, CIPP/E, CIPP/US, CIPM IAPP Staff Contributor
Tags
U.S.
Privacy Law
Privacy Operations Management
Westin Research Center
2 Comments

If you want to comment on this post, you need to login.

  • comment Lydia de la Torre • Jul 24, 2018 
    Hi Rita. This is a very good article. The only clarification I would make is that the GLBA/CaDPA exclusions are very limited. They only apply to the extend those statutes "conflict with" CaCPA. Specifically for GLBA, we already have jurisprudence that stands for the proposition that raising the bar above the requirements in GLBA at the state level is not preempted by GLBA. Financial institutions will be subject to CaCPA.
  • comment Noah Buxton • Oct 5, 2018 
    Is there anymore clarity on this point? "...the statute might cover not-for-profit entities. This is one item the Attorney General and/or the state legislature will need to clarify."  Others seem to be discussing this as a clear cut issue, not an ambiguous one to be interpreted/settled.  Thanks in advance for the reply~
Related Stories
IAB Europe responds to EDPB opinion on pay or consent
IAB Europe published a response to the European Data Protection Board's opinion on the legality of pay-or-consent models for obtaining valid consent to process personal data. IAB Europe said the opinion creates "legal uncertainty for many businesses beyond large online platforms" and the EDPB made "...
Read More queue Save This
New CPPA Board member appointed
The California State Senate Committee on Rules appointed Drew Liebert, an attorney who most recently served as the Senate majority leader's chief of staff, to the California Privacy Protection Agency Board. Liebert replaces Lydia de la Torre, whose three-year term ended in March.Full story...
Read More queue Save This
AI-generated CSAM may impact incident reporting
A report by Stanford University showed an increase in artificial intelligence-generated child sexual abuse material could overwhelm the National Center for Missing and Exploited Children's CyberTipline, The New York Times reports. Computer Scientist and adjunct professor at Stanford University Alex ...
Read More queue Save This
Related Stories
Tags
U.S.
Privacy Law
Privacy Operations Management
Westin Research Center
Recent Comments