Should you worry about the California Consumer Privacy Act?

Overview

The U.S. privacy law system is scattered across multiple federal and state legal acts. In sharp contrast to other legal systems, e.g. the General Data Protection Regulation (GDPR), which was universally implemented across the entire European Union, the U.S. system has made it notably confusing to identify what privacy rules apply to consumers located in the United States.

As a huge breakthrough in that regard, on June 28, 2018, California adopted the California Consumer Privacy Act (CCPA) and became the first U.S. state with a comprehensive law dedicated to consumer privacy. The CCPA is planned to come into effect on January 1, 2020, yet still appears to, and is expected to, be a work in progress.

If you do business in the European Union, you are already familiar with the apocalyptic countdown associated with the coming into effect of the GDPR. On one hand, it did impose numerous new obligations on companies worldwide collecting, processing or storing personal data of individuals in the EU, some incredibly difficult to fulfill. On the other, the turmoil caused by the regulation was probably unwarranted, and the number of legal harbingers ready to avert a catastrophe for a hefty fee – preposterous.

Agreed, taking into account the effect of the GDPR, as well as global data privacy and cybersecurity trends overall, the developments in data protection regulation in the U.S. are not surprising and arguably long overdue. The CCPA is the first step in these changes and its smooth implementation will lead the way for other states. Therefore, we would like to make sure that entrepreneurs get a solid grasp of its basics before deciding whether to conduct the implementation themselves or procure the help of an attorney. Please note that this article is not legal advice.

Scope of the California Consumer Privacy Act

The first and probably the most important thing to mention when discussing the California Consumer Privacy Act is that the CCPA only applies to for-profit entities doing business in California that meet one of the following criteria: (1) having a gross revenue greater than $25 million; (2) annually buying, receiving, selling or sharing personal information of more than 50,000 consumers, households or devices for commercial purposes; (3) deriving 50 percent or more of annual revenues from selling consumers’ personal information. Seems pretty straightforward, but there are at least three basic traps waiting for unwary entrepreneurs.

Firstly, it is debatable at what point a company is deemed to “do business in California”. The CCPA does not define it as of now, but it’s important to realize that “doing business” will certainly be construed broadly and include companies not registered in California, but having a footprint in the state, i.e. entering into contracts via a local agent, having an office, employing individuals or even reaching a certain economic threshold – click here to see how “doing business” is interpreted in the context of corporate income tax collection.

Secondly, criterion (2) may be fulfilled quicker than it seems. The number 50,000 may appear to be outside of the scope of concern of any small business or startup. However, as confirmed by the Standardized Regulatory Impact Assessment prepared for California Attorney General and available here, each instance will count towards the limit, quote: “any firm that collects personal information from more than 137 consumers or devices a day will meet the 50,000 threshold”. In other words, 137 consumers uploading their personal information every day for 365 days will be enough to subject a company to the CCPA. In practice, the number of consumers required will likely be lower, as it can be safely assumed that each consumer uses software or browses the internet on multiple devices and the definition clearly differentiates the category of devices from consumers.

Thirdly, the CCPA also applies to any entity that controls or is controlled by a covered business or shares common branding with a covered business.

Still, in comparison with the GDPR, which applies to any and all businesses and persons collecting, storing and/or processing personal data, the scope of the CCPA is much narrower. Not only must the entity meet one of the thresholds, but it must also be doing business in California, which in itself is a separate legal test that needs to be met.

Furthermore, the CCPA protects the personal information only of the consumers that are California residents (either in California for other than a temporary or transitory purpose or domiciled in California but currently temporarily outside of the state). It must be noted that consumers within the meaning of the CCPA include not only customers of goods and services, but also employees. On the same note, personal information in the California Consumer Privacy Act is defined as information that identifies, relates to, describes, is capable of being associated with, or may reasonably be linked, directly or indirectly, with a particular consumer or household (e.g., real name, postal address, email address).

Main Obligations Imposed by the California Consumer Privacy Act

Under the California Consumer Privacy Act, the above-listed companies must inform consumers about the categories of personal information collected as well as the intended use for each of such categories. Further notice is also required to collect any additional personal information categories and/or use the collected personal information for unrelated purposes. Even though the requirement is less detailed than that of the GDPR (which requires data controllers to provide detailed information about the personal data collection and processing activities), it should be sufficient to ensure that consumers gain a quite clear understanding of what personal information is being collected and processed.

The GDPR’s application is widely considered to be overbroad and – at times – preposterous. It must be noted that the CCPA more appropriately identifies the zeitgeist needs and focuses significantly more on personal information sales than the GDPR – the list of subjects the CCPA applies to clearly shows that it is mostly intended to regulate companies selling consumers’ personal information. The CCPA requires such companies to enable and comply with consumers’ requests to opt-out of the sale of personal information to third parties, including a mandatory obligation to include a “Do Not Sell My Personal Information” link in a clear and conspicuous location on a website homepage (meanwhile the right to opt-out of personal information collection overall is not expressly granted).

Finally, the California Consumer Privacy Act, similarly to the GDPR, grants consumers a right to request disclosure of personal data, including information about the purposes of processing of the personal data and the third parties receiving such personal data, and at the same time creates an obligation for companies to provide such information to consumers. Furthermore, the CCPA grants the right to deletion of personal data to consumers whose data is being or has been collected. However, the CCPA does not grant consumers a right to object to the processing of personal data, except for the abovementioned right to opt-out of personal information sales.

Summary

The CCPA provides a quite extensive set of rules relating to personal data collection and covers all of the most problematic data collection and processing issues, including the obligation to inform consumers about the collection of personal data (including the scope and purposes), obligation to obtain the consumers’ consent, (limited) right to opt-out of processing of personal data, right to deletion of personal data. The requirements set forth in the Act are for the most part consistent with the requirements of the GDPR. However, it must be kept in mind that compliance with the GDPR does not automatically guarantee compliance with the CCPA, as certain rules of the abovementioned regulations, especially procedural and administrative, differ. Nevertheless, due to the scope of subjects it applies to, the coming into effect of the CCPA is not likely to bring major changes to operations of most small companies doing business in California, especially if collecting personal data for sale is not a part of their business model.