The July 1 Deadline is Looming: California is Ready to Enforce its Consumer Privacy Act
Last year, the California Attorney General set a July 1, 2020, deadline for enforcement of the state’s Consumer Privacy Act (the “CCPA” or the “Act”). If you thought the pandemic would toll this deadline, you are seriously mistaken. On June 2nd, the California Attorney General announced that he had submitted the final CCPA Regulations for approval. These Regulations—unchanged from their third iteration in mid-March—set forth the detailed and often maze-like operative obligations for how companies must implement the requirements of the CCPA. While it is unlikely that these final Regulations will be officially enacted prior to the July 1, 2020, enforcement deadline, the Attorney General has not budged from this deadline, creating some ambiguity as to how and to what extent the AG will rely upon the Regulations when the enforcement period begins.
Why does this matter? The CCPA details the requirements for how businesses that operate in California should collect, use, and process personal information throughout that information’s lifecycle, and grants consumers certain rights over their personal information. The Regulations interpreting these requirements may not be “official” until October 2020 (although it is possible that the Regulations could be enacted earlier). In light of this, some businesses are taking a risky wait-and-see approach with regard to CCPA compliance.
Does the CCPA apply to my Company?
Keep in mind that a business does not have to be located in California for the CCPA to apply to it and make it a ready target on the July 1, 2020, enforcement date. The Act applies to all businesses, wherever located, that meet the established criteria. Section 1798.140(c) defines a “business” and the three triggering criteria as follows:
(c) “Business” means:
(1) A sole proprietorship, partnership, limited liability company, corporation, association, or other legal entity that is organized or operated for the profit or financial benefit of its shareholders or other owners that collects consumers’ personal information or on the behalf of which that information is collected and that alone, or jointly with others, determines the purposes and means of the processing of consumers’ personal information, that does business in the State of California, and that satisfies one or more of the following thresholds:
(A) Has annual gross revenues in excess of twenty-five million dollars ($25,000,000), as adjusted pursuant to paragraph (5) of subdivision (a) of Section 1798.185.
(B) Alone or in combination, annually buys, receives for the business’s commercial purposes, sells, or shares for commercial purposes, alone or in combination, the personal information of 50,000 or more consumers, households, or devices.
(C) Derives 50 percent or more of its annual revenues from selling consumers’ personal information.
There is much in this threshold definition of “business” to unpack. Perhaps most important to note is that the Act applies even to for-profit businesses operating outside of California[1], but with customers located in California. The critical ingredient in this mix is the California consumer.
Moving to the three criteria, the most straightforward is the revenue requirement. This will ensnare most larger organizations within the scope of CCPA compliance. Applying the other two threshold criteria requires an organization to determine what “personal information” is collected, what is done with that information, and how much of that information is from California consumers.
The first step in this analysis is to determine whether or not the data an organization collects is considered “personal information” under the CCPA. The CCPA has a very broad definition for what qualifies as “personal information.”[2]
(1) “Personal information” means information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household. Personal information includes, but is not limited to, the following if it identifies, relates to, describes, is reasonably capable of being associated with, or could be reasonably linked, directly or indirectly, with a particular consumer or household, and includes the following 11 categories of “personal information.” Section 1798.140(o).
The CCPA also includes a listing of the categories of data that are considered “personal information.” Keep in mind that this information is not necessarily entered by the consumer in a form—it can be captured by a website “cookie,” as well. These categories are listed as:
- identifiers;
- personal information protected against security breaches (Cal. Civ. Code § 1798.80(e));
- protected classification information;
- commercial information;
- internet or other similar network activity;
- geolocation;
- audio/video data;
- professional or employment-related information;
- education information;
- biometrics; and
- inferences drawn from other personal information.
Other categories of activities would include not only obvious interactions with California consumers, such as online purchases, but also less obvious interactions, such as website visits, because IP addresses (generated by a website visit) are included in the definition of “identifiers.”[3]
As you might expect with such a broad definition of “personal information,” it is easy to see how the other criteria could apply to smaller businesses. For example, the criterion setting the threshold to “receiving” or “sharing” information for a commercial purpose likely would include an organization’s website receiving at least 50,000 unique visitors from California per year. (This may seem like a lot, but if you break down the numbers, this would be on average only 137 unique visits from California per day.)[4] The final criterion is meant to capture data aggregators and other organizations where the buying and selling of personal information is a revenue stream.
Counting Down to the Deadline: Some Practical First Steps
Most business people are unaware of the amount and types of data collected by their website’s cookies during a consumer’s website visit. For this reason, we recommend a careful discussion with your web development team to determine: (i) whether or not any information is collected (based on the categories listed above) and (ii) how many unique visitors the website has per day and per year.
If these metrics reveal that your business might fall within the scope of the CCPA, the Data Protection and Privacy Team at Butzel Long is here to assist you with a further assessment and will work to address your organization’s CCPA compliance prior to the July 1, 2020, deadline.
Claudia Rast
734.213.3431
rast@butzel.com
Jennifer Dukarski
734.213.3427
dukarski@butzel.com
Ashley Glime
734.213.3631
glime@butzel.com
[1] The CCPA can apply to non-US for-profit businesses with California consumers, as well.
[2] There is one caveat to the definition of “personal information” worth considering: until 2021, an exemption exists for personal information that is exchanged in business-to-business (B2B) transactions and within an employment context.
[3] Passive website interactions may also be included within the definition of “personal information.”
[4] And the “visits” could be from one person, using multiple devices. For example, if a California consumer accessed your website with both a mobile phone and a tablet, that would count as two unique visits.