A Closer Look at California’s New Privacy Regime: Two Critical Definitions
Businesses covered by the recently enacted California Consumer Privacy Act of 2018 (CCPA) are scrambling to comply with the statute, which becomes “operative” on January 1, 2020, unless that date is changed by the California legislature. As we have noted in earlier blog posts, the CCPA is the most sweeping privacy law in the U.S. and has significant implications for any business that falls within its coverage.
To assist organizations preparing for its implementation, we are taking a closer look at key aspects of the law. In our first installment, we addressed the question of when covered businesses should aim to be compliant with the CCPA. This blog post addresses two defined terms essential for determining who is covered by the CCPA.
The CCPA defines several terms used throughout the statute, including “consumer” (used 318 times in the statute, including in the title) and “business” (210 times). Understanding these terms is essential for making threshold determinations, such as who has rights under the CCPA and which businesses have requirements under the CCPA. As we will cover in more depth below, the statute’s current definition of “consumer” is limited to California residents, but “business” may cover many out-of-state companies that “do business” in California.
The CCPA defines “consumer” as “any natural person who is a California resident.” Cal. Civ. Code § 1798.140(g). The term “resident” covers any person physically present in California for a non-temporary purpose, and anyone with a domicile in California who is temporarily out-of-state. Id.; Cal. Code Regs. tit. 18 § 17014.
As we previously noted, questions have been raised about this definition, such as whether it applies to the employees of covered businesses. The “consumer” definition is also limited to residents of California. However, as we will see in the next section, the CCPA’s definition of “business” does not contain similar geographical limits, so businesses not physically located within the State of California may come within the coverage of the law.
The CCPA’s definition of “business” applies to any for-profit entity that (1) collects consumers’ personal information or has such information collected on its behalf; (2) determines the purposes and means of processing the personal information; (3) “does business” in California; and (4) satisfies one of the following three criteria:
- “Has annual gross revenues in excess of” $25 million;
- “[A]nnually buys, receives for commercial purposes, sells, or shares for commercial purposes, alone or in combination, the personal information of 50,000 or more consumers, households, or devices” (meaning a physical object capable of connecting to the internet or another device, Cal. Civ. Code § 1798.140(j)); or
- “Derives 50% or more of its annual revenue from selling consumers’ personal information.”
Cal. Civ. Code § 1798.140(c). Further, the CCPA generally applies to any entity that controls or is controlled by an entity that meets the above definition and shares common branding, meaning name, servicemark, or trademark. It defines control as owning or having the power to vote more than 50% of a business’s “outstanding shares of any class of a voting security,” control over the election of the majority of a business’s directors, or “the power to exercise a controlling influence over the management of a company.” Id.
While the CCPA does not currently define “does business,” the statute provides an outer limit on its own reach, excluding from the obligations imposed in the statute the collection or sale of consumer personal information “if every aspect of that commercial conduct takes place wholly outside of California.” Id. § 1798.145(6). The CCPA explains that this means the information was collected while the consumer was outside California and, for sales of consumer information, no part of the sale occurred in California. Id. Whether courts (or the regulations that are forthcoming from the state’s Attorney General) will interpret the “does business” language to encompass all activity up to this outer limit is an open question.
In a related development, Bloomberg Law reported last night that California Attorney General Xavier Becerra is gearing up to draft regulations implementing the CCPA and has secured $700,000 in funding and five new staffers to work on the regulations. That report noted that his office will be holding public forums (which we reported on last week), and quoted Becerra saying “we’re an enforcer, we’re not a regulator … I’m being asked to be a regulator.”
While we are still nearly a year away from the “operative” date of the CCPA, outgoing California Governor Jerry Brown has already signed a first amendment to the CCPA. See SB 1121. One key amendment was a modification to limit the law’s applicability where other privacy protections were already in place, such as under the California Confidentiality of Medical Information Act (CMIA) (Cal. Civ. Code § 56 et seq.) or the federal government’s Health Insurance Portability and Accountability Act of 1996 and Health Information Technology for Economic and Clinical Health Act of 2009 (HIPAA). SB 1121 exempts certain information from the law’s coverage because it is already heavily regulated.
For instance, “[p]roviders of health care,” as defined under CMIA, and HIPAA-covered entities are exempted to the extent that they maintain “patient information” in the same manner as “[m]edical information,” as defined by the CMIA, or “protected health information” as governed by the United States Department of Health and Human Services’ privacy, security, and breach notification rules issued pursuant to HIPAA. Id. § 1798.145(c)(1)(B). We will take a closer look at these exemptions in a future blog post.
Stay tuned for more in-depth coverage of the CCPA.