Starting January 1, 2020, the California Consumer Privacy Act (CCPA), far and away the broadest consumer data privacy law passed by any State to date, goes into effect.
What is the CCPA?
CCPA grants California “consumers” extensive rights as to how their personal information is collected, stored, and used, as well as gives them a private cause of action against businesses who violate its requirements.
For businesses (including those not even located in California) that collect or process the personal information of California consumers, CCPA includes very specific disclosure requirements for those consumers, as well as stiff statutory penalties for failure to comply.
As with the implementation of the EU’s General Data Protection Regulation (GDPR) last year, CCPA is causing much hand-wringing among owners and management of both online and traditional businesses as D-Day for CCPA approaches. But does CCPA even apply to your business?
Which Businesses Fall under CCPA?
To answer this question, we go to the text of the law itself (which, it should be noted, is still undergoing proposed amendments):
(c) “Business” means:
(1) A sole proprietorship, partnership, limited liability company, corporation, association, or other legal entity that is organized or operated for the profit or financial benefit of its shareholders or other owners, that collects consumers’ personal information, or on the behalf of which such information is collected and that alone, or jointly with others, determines the purposes and means of the processing of consumers’ personal information, that does business in the State of California, and that satisfies one or more of the following thresholds:
(A) Has annual gross revenues in excess of twenty-five million dollars ($25,000,000), as adjusted pursuant to paragraph (5) of subdivision (a) of Section 1798.185.
(B) Alone or in combination, annually buys, receives for the business’s commercial purposes, sells, or shares for commercial purposes, alone or in combination, the personal information of 50,000 or more consumers, households, or devices.
(C) Derives 50 percent or more of its annual revenues from selling consumers’ personal information.
Cal. Civ. Code §1798.140
What does this mean in plain English-speak? Let’s break it down.
IF your company:
- is a for-profit business;
- “does business” in the State of California; AND
- collects California consumers’ personal information (or such information is collected for your company) and is the one determining the purposes and means of processing that information,
THEN your business may be subject to CCPA if any of the following apply:
- it has annual gross revenues of at least $25,000,000;
- it buys, sells, shares and/or receives “for commercial purposes” the personal information of at least 50,000 California consumers, households, or devices annually; OR
- it derives at least 50 percent of its annual revenue from selling California consumers’ personal information.
I call this the “25-50-50 Rule”™.
Keep in mind that even if your company doesn’t specifically do any of the above, it can still count as a “business” subject to CCPA if controls or is controlled by another entity that does meet the definitional test above. (See Cal. Civ. Code §1798.140(c)(2))
Again, CCPA was slapped together and passed in a harried fashion, and amendments to the law are still being proposed as of the date of this post. The act and the discussion above could very well change between now and the implementation date in a few weeks, and certainly after the public comment period concludes next Summer.
If you are an Arizona e-commerce or an offline business with questions about whether your activities fall under CCPA or what steps you should take to meet the numerous requirements of the Act, feel free to contact our law firm at the phone number or e-mail address below or use the contact form to the right.
Ben Bhandhusavee is the Managing Attorney for BHANDLAW, PLLC, a Phoenix business and technology law firm working with start-up companies, creative intellectual property, Internet and digital media matters, and complex corporate M&A and technology transactions. Ben can be reached at (602) 222-5542 or by e-mail at [email protected]