Does the CCPA Apply to Your Business?

With the CCPA going into effect soon, and the 12-month look-back period already running, I thought it would be helpful to lay this out, as the CCPA has gone through some amendments and there is some confusion out there about the CCPA’s scope.

If your company falls into either 1 or 2 below (or both), then it is subject to the CCPA and should comply with its requirements:

1. The company (i) is a for-profit business, (ii) that does business in the State of California (there is a legal test to determine this), (iii) that collects, or has collected on its behalf, California consumers’ personal information and, alone or jointly with others, determines the purposes and means of processing that information,

AND

the company also meets at least one of the following thresholds: (x) it has annual gross revenues in excess of $25,000,000, (y) it annually buys, receives, sells or shares, alone or in combination, the personal information of 50,000 or more California consumers, households or devices, or (z) it derives 50 percent or more of its annual revenue from “selling” California consumers’ personal information.

2. The company controls or is controlled by a business that meets the requirements in 1 above and shares common branding (a shared name, service mark or trademark) with that business.

Avoiding the Dreaded Link under CCPA: “Do Not Sell My Personal Information”

Many companies that do substantial business in California may fall within the scope of the CCPA. If they do, and they do not take the steps described below beforehand, they are required to provide a clear and conspicuous link on the company’s homepage (as well as in the privacy policy) titled “Do Not Sell My Personal Information”. The link must lead to a working mechanism through which the consumer can opt out of having their personal information “sold”, and the company must honor the opt-out and refrain from asking that consumer to re-authorize the sale of their personal information for at least 12 months after the opt-out. It should be noted that the CCPA allows the link to be omitted from the company’s main homepage if the company maintains a separate, additional homepage dedicated to California consumers that carries the required link and text, and takes reasonable steps to ensure that California consumers are directed to it (because of the geolocation and technology infrastructure needed to do this, it is likely most companies subject to the CCPA will not be able to do so, at least not right away).

When the company’s legal department or outside counsel tells the marketing department that the link has to be put on the main website of the company by January 1, 2020, the reaction is “We can’t do that. How do we avoid it?” Anyone involved in sales or business development understands that a link of that nature will not help revenue generation and the PR issues associated with it are not favorable.

By way of background, the opt-out requirement applies to any business subject to the CCPA (i.e. of a certain size, or that generates over a threshold amount of revenue from selling personal information) that “sells” personal information about California consumers to third parties. CCPA Section 1798.120(a). “Sell” is defined broadly: it covers selling, renting, releasing, disclosing, disseminating, making available or otherwise communicating a consumer’s personal information to another business or a third party for monetary or other valuable consideration.

The answer to the marketing department’s question of how the company avoids putting the link on its homepage is that the company has to take action to ensure that it is not subject to the opt-out requirement, specifically that the company does not “sell” personal information. Each company likely has multiple vendors, subcontractors, service providers and other parties it has contracted with. A number of those agreements likely involve the sharing, making available, or outright sale of personal information to the third party. Usually the agreement covers more than simply the personal information. What the company should do is go through all of its agreements and amend any that involve the sharing or making available of personal information so that it is clear that no consideration provided by the third party under the agreement is in exchange for personal information (i.e. that no consideration, monetary or otherwise, is changing hands in relation to the personal information). This assumes that the company’s business operations do not generally involve the sale of this data (if they do, the opt-out requirement will apply, absent a fundamental change in the company’s business model), and this course of action may not be available to all companies.

New York’s Proposed Privacy Law

Lately, seemingly following California’s lead, a member of the New York State Legislature proposed legislation (the New York Privacy Act, S5642) which would have codified the privacy rights of individuals in New York.

The proposed bill was hailed as providing stronger protection for individuals than the CCPA. Notably, it would have provided increased transparency, letting individuals know what data companies collected and who they have shared that data with, make requests that it be corrected or deleted, and choose to not have their data shared or sold at all. Importantly, the bill would have enshrined a new concept of an Information/Data “Fiduciary”, under which an entity holding personal data owes the individuals it concerns duties of care, loyalty and confidentiality. It would also have allowed individuals to bring private causes of action for breach. The New York law would have applied to more companies than the CCPA (i.e. its scope was broader).

The text of the bill is available here: https://www.nysenate.gov/legislation/bills/2019/s5642

For better or worse, this bill was defeated by lobbying and will not be passed, at least not any time soon in this form. Credit to Senator Kevin Thomas, from Long Island, for pushing it as far as he could.

Service Provider Exemption in the CCPA

One of the larger exemptions to being deemed a seller of personal information under the CCPA is the “service provider” exemption. I am not going to quote the statutory language, as frankly it is written in a confusing way. But the CCPA states that a business will not be deemed to be selling personal information, with respect only to its relationship with a service provider, where the business uses or shares with a service provider personal information of a consumer, where:

  • it is necessary to perform a business purpose, and
  • the service provider does not further collect, sell or use the personal information except as necessary to perform that business purpose, and
  • the business has provided notice that information is being used or shared in its terms and conditions (which should comply with CA law, see 1798.135).

The CCPA broadly defines “business purpose” as the use of personal information for the business’s or a service provider’s operational purposes, provided the use is reasonably necessary and proportionate to achieve the operational purpose for which the information was collected or processed. Specifically listed business purposes include auditing, security purposes (detecting security incidents and protecting against malicious, deceptive, fraudulent or illegal activity), debugging, short-term transient use, performance of services (maintaining accounts, customer service, processing payments, etc.), internal research, and verifying or maintaining the quality or safety of services or products.

If a business receives a verifiable consumer request to delete personal information, it must delete the information from its own records and direct its service providers to delete the consumer’s personal information from their records as well (1798.105(c)), subject to the statutory exceptions in 1798.105(d) (for example, information needed to complete the transaction, to detect security incidents or debug errors, or to comply with a legal obligation).

A written agreement addressing specific items should be in place between the company and its service providers: the CCPA’s definition of “service provider” requires a written contract that prohibits the provider from retaining, using or disclosing the personal information for any purpose other than performing the specified services (1798.140(v)). Many companies are now scrambling to amend all of their current agreements with service providers to ensure compliance with the CCPA.

New York’s Cybersecurity Requirements for Financial Service Companies

New York was concerned that companies holding sensitive data, such as people’s banking information, social security numbers and other financial records, could be unlawfully accessed by hackers (other nations, individuals, companies). The New York Department of Financial Services (“DFS”) has promulgated regulations entitled “Cybersecurity Requirements for Financial Services Companies”, which can be found at 23 NYCRR Part 500.

The regulation applies to “Covered Entities”, meaning any person operating under, or required to operate under, a license, registration, charter, certificate, permit, accreditation or similar authorization under the New York Banking Law, the Insurance Law or the Financial Services Law. Subject to certain exemptions, discussed briefly below, Covered Entities have to maintain a Cybersecurity Program, based on a periodic risk assessment that the Covered Entity has to perform, that is designed to perform the following core functions:

(1) identify and assess internal and external cybersecurity risks that may threaten the security or integrity of Nonpublic Information stored on the Covered Entity’s Information Systems;

(2) use defensive infrastructure and the implementation of policies and procedures to protect the Covered Entity’s Information Systems, and the Nonpublic Information stored on those Information Systems, from unauthorized access, use or other malicious acts;

(3) detect Cybersecurity Events;

(4) respond to identified or detected Cybersecurity Events to mitigate any negative effects;

(5) recover from Cybersecurity Events and restore normal operations and services; and

(6) fulfill applicable regulatory reporting obligations.

Additionally, each Covered Entity, unless exempt, has to appoint a Chief Information Security Officer, and adopt a Cybersecurity Policy, addressing the following:

(a) information security;

(b) data governance and classification;

(c) asset inventory and device management;

(d) access controls and identity management;

(e) business continuity and disaster recovery planning and resources;

(f) systems operations and availability concerns;

(g) systems and network security;

(h) systems and network monitoring;

(i) systems and application development and quality assurance;

(j) physical security and environmental controls;

(k) customer data privacy;

(l) vendor and Third Party Service Provider management;

(m) risk assessment; and

(n) incident response.

The regulation also imposes other requirements, such as an annual certification of compliance to the DFS, notice to the DFS within 72 hours of certain Cybersecurity Events, annual penetration testing and bi-annual vulnerability assessments, audit trails, multi-factor authentication for remote access, encryption of Nonpublic Information in transit and at rest (or approved compensating controls), cybersecurity awareness training, a written incident response plan, and confidentiality of information submitted to the DFS.

A Covered Entity may be exempt from some, but not all, of the requirements of the regulation. Notably, those with fewer than 10 employees (including independent contractors), or less than $5,000,000 in gross annual revenue in each of the last three fiscal years from New York business operations, or less than $10,000,000 in year-end total assets (calculated in accordance with GAAP) are exempt from some of the more onerous items (for example the CISO, penetration testing, audit trail, multi-factor authentication, encryption and training requirements). Similarly, those that do not operate or control any Information Systems and do not own, access, generate, receive or possess Nonpublic Information, and those that are employees, agents, representatives or designees of a Covered Entity and are themselves covered by that Covered Entity’s Cybersecurity Program, are exempt from other portions of the regulation. The New York State DFS provided helpful charts in its FAQ on the regulation.

The “Look Back” Requirement of the California Consumer Privacy Act of 2018

So while the California Consumer Privacy Act of 2018 will not take effect until 2020 (with enforcement possibly later, depending on when the Attorney General’s regulations are issued), when it does take effect, companies subject to the Act will have to respond to consumer requests about the personal information collected, used, sold or disclosed in the 12 months preceding the request. In practice this means the record-keeping obligation reaches back to January 1, 2019. This seems a little retroactive in application, and it is legally questionable how this will be enforced, but any company doing business in California should be cognizant of this time period and should have a procedure in place now to track what is being collected, from whom, and with whom it is shared. Additionally, when the Act does come into effect, companies will have to inform California consumers, on request, about the data that has been collected and how it was used, and in particular whether it was sold to or shared with third parties. Having a procedure in place to track this now is important.

Updates to the California Consumer Privacy Act of 2018

We introduced the California Consumer Privacy Act of 2018 (CCPA) before, and there have been some updates since then. The CCPA still takes effect on January 1, 2020, but the amendments in SB 1121 give the California Attorney General until July 1, 2020 to promulgate the implementing regulations, and the Attorney General may not bring an enforcement action until six months after the final regulations are published or July 1, 2020, whichever is sooner.


There was lobbying in California regarding the private right of action in the CCPA, and language was added to clarify the limits of consumer suits against companies: the private right of action is limited to data breaches resulting from a business’s failure to implement and maintain reasonable security procedures (Section 1798.150), and cannot be based on violations of any other section of the Act.

On the federal level, Senator Marco Rubio introduced what he called the American Data Dissemination Act (the “ADD Act”), which he presents as a federal data protection bill that would require the FTC to promulgate national data protection regulations and would explicitly preempt state laws like the CCPA. It is to be based on the Privacy Act of 1974, which dates from a very different technological era. Without specific statutory language or regulations, it is unclear what the ADD Act would actually require. If it were to follow the European model, an entirely new statutory scheme would likely be needed. The purpose could also be to halt the rise of 50 different data protection laws, one from each state. In any event, members of Congress have been heavily lobbied by the US Chamber of Commerce and other business groups. It should be interesting to see how it all plays out. Companies should not, however, presume that the CCPA will be preempted, and should begin to prepare for it now.

The Opportunity in Opportunity Zones

One of the more interesting and useful items to come out of the Tax Cuts and Jobs Act of 2017 is the creation of so-called Opportunity Zones. An Opportunity Zone is a census tract that the government has designated as a distressed community; investments in such tracts entitle the investor to certain benefits with respect to the capital gains taxes arising from the investment. The goal is to stimulate investment in areas where it would not otherwise have occurred.

The benefits that Opportunity Zones provide relate solely to the timing and possible reduction of an investor’s capital gains taxes. The program does not apply to ordinary income tax, and there are no credits or other types of incentive provided for in the program (it is less exciting than some folks originally thought, but still a large benefit to the right investors, projects and companies). The Opportunity Zones program provides for a delay, reduction or elimination of capital gains taxes in three ways, as set forth below:

  • First is a temporary tax deferral for any taxpayer who has capital gains and re-invests them, within 180 days, into a Qualified Opportunity Fund (discussed below). The gain is deferred but must be recognized on the earlier of the date on which the Opportunity Zone investment is sold or December 31, 2026 (there is some grey area with respect to holding the investment past December 31, 2026, which the IRS will hopefully clear up). You do not have to live or work in an Opportunity Zone, you just have to invest in it (in a company located in one or property located in one). The IRS form used to report these re-investments is Form 8949.
  • Second is a step-up in basis for the capital gains that were invested (i.e. re-invested) in a Qualified Opportunity Fund. The basis of the original investment is increased by 10% if the investment in the Qualified Opportunity Fund is held by the taxpayer for at least 5 years, and by an additional 5% if held for at least 7 years, excluding up to 15% of the original gain from taxation.
  • Third is a total exclusion from taxable income (i.e. the investor’s basis is increased to fair market value) of the capital gain from the sale or exchange of the investment in a Qualified Opportunity Fund (but not the original deferred capital gain, which is handled by the second point above), if the investment is held for at least 10 years.

The Opportunity Zone program allows funds to be set up, called Qualified Opportunity Funds, which pool investor money (as a partnership or corporation) for investing in eligible property located in a Qualified Opportunity Zone (the list of designated Qualified Opportunity Zones is set out in IRS Notice 2018-48: https://www.irs.gov/pub/irs-drop/n-18-48.pdf).

To become a Qualified Opportunity Fund, an eligible corporation or partnership self-certifies by filing Form 8996, Qualified Opportunity Fund, with its federal income tax return. Early-release drafts of the form and instructions have been posted, with final versions expected in December. The return with Form 8996 must be filed timely, taking extensions into account.

The California Consumer Privacy Act of 2018

So the wave of privacy laws originating in Europe has hit the United States. On June 28, 2018, the California Consumer Privacy Act of 2018 was signed into law (referred to in this post as the “Act” or the “Law”). It is both similar to, and distinct from, the GDPR. Companies should absolutely not assume that if they are GDPR compliant they are also compliant with the California law. The California law has broad out-of-state reach, and violations carry serious monetary penalties, including actions from the Attorney General of the State of California and suits by individuals (either separately or as a class action). Companies should make sure they are out in front of this law. The date the Act is set to take effect is January 1, 2020.