What is the California Consumer Privacy Act (CCPA)?
As you may be aware, the California Attorney General will begin enforcing the California Consumer Privacy Act of 2018 (“CCPA”) on July 1, 2020. Proposed Regulations for enforcing the CCPA were recently published by Attorney General Becerra. The CCPA applies to the personal information of California residents. Following is a high-level summary of the CCPA and the rights and obligations it creates.
What Is Personal Information?
Personal Information is very broadly defined in the CCPA to include “information that identifies, relates to, describes, is reasonably capable of being associated with, or could be reasonably linked, directly or indirectly, with a particular consumer or household.” Note that this broad definition covers information that does not actually include the name of an individual, but that can still be used to identify a person or household. Items included in the definition are pieces of data like online identifiers, internet protocol (“IP”) addresses, email addresses, social security numbers, browsing history from a computer, and geolocation data. The “personal information” covered by the CCPA is likely much broader than most people expect. For the remainder of this article, we’ll use “PI” for “personal information” of a California resident.
Does the CCPA Apply to My Business?
At the outset, your organization should assess whether the CCPA is applicable. The CCPA applies to any business collecting PI that (a) has gross revenues in excess of $25 million; (b) annually (i.e., during a twelve (12) month span) buys, sells, or collects PI of 50,000 or more consumers, households, or devices; or (c) derives fifty percent (50%) of its annual revenue from sharing PI. Parent companies and subsidiaries using the same branding are also covered by the CCPA even if these parents or subsidiaries standing alone do not exceed these thresholds. Sub-part (b) can sneak up on businesses because this threshold can be met if a business’s website averages more than 137 visits per day by California residents within a year.
The CCPA does not apply to businesses that do not collect PI, but businesses should be aware of the very broad definition of PI in the CCPA summary above.
The CCPA also does not apply to certain entities such as (1) non-profit businesses that do not operate for “profit or financial benefit;” (2) financial institutions subject to regulation under the Gramm-Leach-Bliley Act; (3) consumer reporting agencies subject to the Fair Credit Reporting Act; and (4) health care providers subject to the Health Insurance Portability and Accountability Act (“HIPAA”). Entities should be very careful when determining whether the CCPA applies to their operations.