This is our Data Privacy & Cybersecurity Practice Group’s first client alert in a series that will break down the major elements of the California Consumer Privacy Act (CCPA). This alert focuses on the CCPA’s applicability.
California’s new privacy law, the CCPA, goes into effect on January 1, 2020. It is the most expansive state privacy law in US history, imposing GDPR-like transparency and individual rights requirements on companies. The law will impact nearly every entity that handles “personal information” regarding California residents, including (at least for now) employees. An overview of the CCPA’s applicability is set forth below.
Who Will the CCPA Impact?
Most of the CCPA’s obligations apply directly to a “business,” which is an entity that:
1. Handles personal information about California residents
2. Determines the purposes and means of processing that personal information
3. Does business in California and meets at least one of the following threshold requirements:
a. Has annual gross revenues in excess of US$25 million
b. Annually handles personal information regarding at least 50,000 consumers, households, or devices
c. Derives 50% or more of its annual revenue from selling personal information
“Service providers” that handle personal information on behalf of a business, and other third parties that receive personal information, will also be affected. As currently written, however, the CCPA does not apply to nonprofit organizations.
The CCPA’s three threshold requirements seem relatively straightforward, yet on closer examination they raise additional questions that will need to be clarified down the road. For example:
• Does the 50,000 devices threshold cover devices of California residents only, or apply more broadly?
• Is the US$25 million annual revenue trigger applicable only to revenue derived from California or globally?
• What timeframe do businesses that suddenly find themselves within the CCPA’s ambit have to bring themselves into compliance with its provisions?
What is Personal Information as Defined in the CCPA?
The CCPA defines personal information broadly in terms of (a) types of individuals and (b) types of data elements. First, the term “consumer” refers to, and the CCPA applies to data about, any California resident, which ostensibly includes website visitors, business-to-business (B2B) contacts and (at least for now) employees. It is not limited to business-to-consumer customers that actually purchase goods or services. Second, the data elements that constitute personal information include nonsensitive items that historically have been less regulated in the US, such as internet browsing histories, IP addresses, product preferences, purchasing histories, and inferences drawn from any other types of personal information described in the statute, including:
• Identifiers, such as name, address, phone number, email address
• Characteristics of protected classifications under California and federal law
• Commercial information, such as property records, products purchased and other consuming history
• Biometric information
• Internet or other electronic network activity
• Geolocation data
• Olfactory, audio and visual information
• Professional or educational information
Does the CCPA Have Any Exemptions?
The CCPA will apply to a broad number of businesses, covering nearly all commercial entities that do business in California, regardless of whether the business has a physical location or employees in the state. However, there are some nuanced exemptions.
As a general matter, the exemptions are based on the types of information that a business collects, and not on the industry of the business collecting the information. These include information that is collected and used “wholly outside” of California, subject to other state and federal laws, or sold to or from consumer reporting agencies.
Specifically, the excluded categories of personal information include:
1. Activity Wholly Outside of California
The CCPA does not apply to conduct that takes place wholly outside of California, although it is unclear how such an exemption will apply in practice. The statute provides that this exemption applies only if all of the following are true:
• The business collects information while the consumer is outside of California
• No part of the sale of the consumer’s personal information occurs in California
• No personal information collected while the consumer is in California is sold
Determining whether a consumer is outside of California at the moment his or her personal information is collected will be challenging for businesses. For example, given that an IP address is expressly included as personal information under the law, is a business expected to run an IP geolocation lookup to determine whether an individual’s IP address originates in California?
2. Data Subject to Other US Laws
While the CCPA exempts certain types of information subject to other laws, importantly it does not exempt the entities subject to those laws altogether. Such entities also remain subject to the CCPA’s statutory damages provisions for data breaches (under which no showing of injury is necessary). Likewise, some of the exempted types of information (noted below) are not exempt from the data breach liability provision. At a glance, these exemptions appear helpful; however, they may end up making operationalizing the law even more difficult for certain entities. For example:
• Protected health information (PHI) and “medical information.” The CCPA exempts PHI collected by “covered entities” and “business associates” subject to HIPAA, and medical information subject to California’s analogous law, the Confidentiality of Medical Information Act (CMIA). It also exempts any patient information to the extent a “covered entity” or “provider of health care,” respectively, maintains the patient information in the same manner as PHI or medical information. However, many of these entities and their business associates collect information beyond what is considered PHI, such as employment records, technical data about website visitors, B2B information, and certain research data. This data may not be eligible for the CCPA exemption.
• Clinical trial information. The CCPA exempts information collected as part of a clinical trial subject to the Federal Policy for the Protection of Human Subjects, also known as the Common Rule.
• Financial information. Information processed pursuant to the Gramm-Leach-Bliley Act (GLBA) or the California Financial Information Privacy Act (CalFIPA) is exempt from the CCPA. Much like the health-related exemption, this rule does not exempt entities subject to those laws from the CCPA’s requirements altogether; the CCPA still applies to the extent an entity processes information not expressly subject to GLBA/CalFIPA. This particular exemption also does not apply to the data breach liability provision.
• Consumer reporting information. The CCPA exempts information sold to and from consumer reporting agencies if that information is reported in, or used to generate, a consumer report and use of that information is limited by the Fair Credit Reporting Act.
• Driver information. The CCPA exempts information processed pursuant to the Driver’s Privacy Protection Act of 1994 (DPPA). Importantly, entities subject to this law are not altogether exempt, and this exemption does not apply to the data breach liability provision.
Moreover, the differences in definitions of relevant terms (e.g., personal information under the CCPA versus nonpublic personal information under GLBA) are important to consider when assessing relevant obligations and could result in institutions being only partially exempt from CCPA compliance.