The California Consumer Privacy Act of 2018 was conceived and born in record time — two days — resulting in a comprehensive consumer privacy law that occasionally suffers from redundancy, drafting errors, and lack of clarity. This five-part series is intended to help privacy professionals make operational sense of the law in its current form, understanding that the California legislature has time before the law takes effect in January 2020 to clarify and amend the statute.
Part one of the series addresses the initial question each organization must ask: Do I fall under the law’s scope? Answering this question requires determining if your organization (1) is a “business” that (2) collects or sells (3) “personal information’” from or about (4) “consumers.”
Part two of the series will address CaCPA’s notice and transparency obligations. Part three will cover requirements to abide data access requests, including consumer verification and data disclosure requirements. Part four addresses consumers’ new rights of erasure, to object to the sale of their personal information, and against non-discrimination. Finally, Part five discusses a new cause of action for consumers suffering a data breach and the California Attorney General’s enforcement and regulatory powers under CaCPA.
Look for weekly installments.
Threshold determination: Are you a “business”?
CaCPA applies only to businesses. The threshold question of the law’s scope, therefore, is to determine whether your organization meets the elements of the “business” definition.
The best place to start is with the elements of “business,” defined in Section 1798.140(6)(1)(A-C), that are objective and relatively clear. Answers to at least one of the following three questions must be “yes” for your organization to fall under the law’s scope; if all the answers are “no,” the law does not apply:
- Do you have annual gross revenues in excess of $25,000,000?
- Do you annually buy, receive for commercial purposes, sell, or share for commercial purposes, the personal information of 50,000 or more consumers, households or devices?
- Do you derive 50 percent or more of your annual revenue from selling consumers’ personal information?
Assuming at least one of these is true, your organization is considered a business if all of the following are also true:
- You are a sole proprietorship, partnership, limited liability company, corporation, association, or other legal entity that is organized or operated for the profit or financial benefit of your shareholders or other owners.
- You collect consumers’ personal information, or someone collects it on your behalf.
- You alone, or jointly with others, determine the purposes and means of the processing of consumers’ personal information.
- You do business in California.
Importantly, this list is IAPP’s best interpretation of 1798.140(6)(1), which has a number of commas that could permit for an interpretation that is disjunctive (not all elements are required) rather than conjunctive (they must all be present). If the disjunctive is intended, for instance, the statute might cover not-for-profit entities. This is one item the Attorney General and/or the state legislature will need to clarify.
The phrase “does business in California” is not defined in CaCPA. Instead, one may assume that the requirement is modified by reference to the definition of “consumer” — a natural person who is a California resident — and therefore applies to any business, whether or not geographically located in California, that collects and/or sells the personal information of California residents. This would be consistent with California’s tax and corporations codes, which apply broadly when a company engages in a transaction in California for purposes of financial gain or enters into repeated or successive transactions in California, and its extensive long-arm jurisdiction law for civil litigation.
Do you “collect” and/or “sell” information?
Consumers have many new rights under CaCPA. These may be enforced against businesses that: (a) collect a consumer’s personal information; (b) collect personal information about a consumer or about consumers; (c) sell consumers’ personal information or disclose it for a business purpose; (d) sell personal information about a consumer to a third party; and/or (e) sell consumers’ personal information to third parties.
A business is considered to “collect” personal information if it buys, rents, gathers, obtains, receives, or even accesses it, by any means, whether actively or passively, including by observing a consumer’s behavior. This definition is clearly intended to extend to online monitoring and tracking; it is broad in similar fashion to, for example, the EU’s General Data Protection Regulation’s definition of “process.”
“Selling” consumer personal information takes place upon “selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means” for “monetary or other valuable consideration.” The definition contains exclusions for consumer consent; conveying a consumer’s opt-out instructions to a third party; or data transfers in the course of mergers, acquisitions, bankruptcies and the like.
“Selling” also excludes use for a business purpose, defined as using personal information for the operational purposes of the business or its service provider, so long as “reasonably necessary and proportionate to achieve the operational purpose for which the personal information was collected or processed” or for another compatible operational purpose. CaCPA lists seven specific “business purposes” that include such things as counting ad impressions; detecting security incidents; debugging and repairing functionality; short-term “transient use” that isn’t used for profiling; performing services on a business’s behalf, such as fulfilling orders or processing payment (classic “data processor” activities); undertaking internal research for technological development; and “undertaking activities to verify or maintain the quality or safety” of the business’s service or device.
Operationally, privacy professionals disclosing personal information to a service provider for a business purpose will want to ensure their contract restricts the service provider in its use or sale of the personal information. Under Section 1798.145, a business is not liable for the service provider’s violation of CaCPA provided that “at the time of disclosing the personal information, the business does not have actual knowledge or reason to believe that the service provider intends to commit such a violation.” Service providers are “likewise” not liable for the business’s violation (presumably, of which they are not aware).
Although not clearly an exclusion to the law’s scope, moreover, many consumers’ rights conveyed under CaCPA would not apply to any business that only collects personal information for a “single, one-time transaction,” provided the business doesn’t sell the information, retain it, or use it to “reidentify or otherwise link information” to the consumer.
Is it “personal information” under CaCPA?
Privacy professionals accustomed to thinking of personal information as “PII” under U.S. state data breach laws will find CaCPA’s definition of personal information far broader than usual. Those who have acclimated to the definition of “personal data” under the EU’s General Data Protection Regulation will not be as surprised.
Personal information is defined in Section 1798.140(o)(1) as “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” It includes information typically considered PII under state breach laws – names, unique personal identifiers, account names, social security numbers, driver’s license numbers, passport numbers, biometric information and “other similar identifiers.” But it also includes aliases, IP addresses, “characteristics of protected classifications under California or federal law,” commercial information (defined to include personal property records or purchasing history), geolocation data, internet activity (including browsing and search history as well as web tracking data), professional and employment information, and education information. In addition, “personal information” includes “audio, electronic, visual, thermal, olfactory or similar information” and “inferences drawn” from any of the information contained in the definition.
The statute excludes from the definition publicly available information. It also excludes the following:
- Protected health information collected by a covered entity as defined under federal laws including HIPAA.
- The sale of information to or from a consumer reporting agency for use in a consumer report consistent with the Fair Credit Reporting Act.
- Personal information collected, processed, sold or disclosed pursuant to the Gramm-Leach-Bliley Act or the Driver’s Privacy Protection Act of 1994, to the extent CaCPA conflicts with those laws. Of course, such information — and thus the businesses that collect and process it — will be covered by CaCPA in the absence of conflict.
CaCPA defines “de-identified” and “pseudonymized” information, presumably to illuminate those terms as they appear in the “research” definition. Although not expressly excluded from the definition of “personal information,” it may be possible for a business to avoid CaCPA’s scope if it de-identifies or pseudonymizes personal information. As noted above, collection for a single, one-time transaction combined with not selling data and not re-identifying it (which presumes that it has been de-identified) appears to avoid many of the statute’s obligations.
Are your customers “consumers”?
Finally, and crucially, the law applies only if the business collects or sells personal information of consumers. CaCPA defines a “consumer” as a natural person — however identified, including by any unique identifier — who is a California resident.
The term “California resident” is defined in a separate California statute as:
- Every individual who is in California for other than a temporary or transitory purpose.
- Every individual domiciled in California who is outside the state for a temporary or transitory purpose.
Accordingly, if your business collects information from natural persons who live in California, even if they are traveling outside the state when they disclose their personal information, the law applies.
That said, CaCPA Section 1798.145 excludes a business from the law’s scope, even if it collects or sells a consumer’s personal information, “if every aspect of the commercial conduct takes place wholly outside of California.” This occurs when: (1) the business collected the information while the consumer was outside of California; (2) no part of the sale of the consumer’s personal information occurred in California; and (3) no personal information collected while the consumer was in California is sold. This section — confusing due to the contradictions between (1) and (3) — would apply if, for example, a California resident visits a single-source restaurant located outside of California. If, however, the California resident makes a reservation at the restaurant while still in California that business is not excluded.
Photo credit: By Makaristos [Public domain], from Wikimedia Commons
If you want to comment on this post, you need to login.