Does the CCPA Apply to Your Business?

With the CCPA going into effect soon, and the 12-month look-back period already running, I thought it would be helpful to lay this out, as the CCPA has gone through several amendments and there is some confusion about its scope.

If your company falls into either 1 or 2 below (or both), then it is subject to the CCPA and should comply with its requirements:

1. The company (i) is a for-profit business, (ii) does business in the State of California (there is a legal test for this), and (iii) collects, or has collected on its behalf, California consumers' personal information and determines the purposes and means of processing that information,

AND

the company also meets at least one of the following thresholds: (x) it has at least $25,000,000 in annual gross revenue, (y) it buys, sells, shares or receives, alone or in combination, the personal information of at least 50,000 California consumers, households or devices each year, or (z) it derives at least half of its annual revenue from "selling" California consumers' personal information.

2. The company controls or is controlled by a business that meets the requirements in 1. above.

Avoiding the Dreaded Link under CCPA: “Do Not Sell My Personal Information”

Many companies that do substantial business in California may fall under the scope of the CCPA. If they do, and they don't take action beforehand, they are required to put a clear and conspicuous link on the company's homepage (as well as in the privacy policy) that reads "Do Not Sell My Personal Information". When clicked, the link must lead to a working mechanism through which the consumer can opt out of having their personal information "sold", and the company must not ask the opted-out consumer to authorize the sale of their personal information again for at least 12 months after the opt-out. It should be noted that the CCPA allows the link to be omitted from the company's main homepage if the company maintains a separate homepage for California consumers only (because of the technology infrastructure needed to do this, it is likely that most companies subject to the CCPA will not be able to do so, at least not right away).

When the company's legal department or outside counsel tells the marketing department that the link has to be on the company's main website by January 1, 2020, the reaction is "We can't do that. How do we avoid it?" Anyone involved in sales or business development understands that a link of that nature will not help revenue generation, and the PR issues associated with it are not favorable.

By way of background, the CCPA applies to any business (of a certain size, or that generates over a threshold amount of revenue from California consumers' data) that "sells" personal information about California consumers to third parties. CCPA Section 1798.120(a). "Sell" is defined broadly under the CCPA: it covers sharing, disclosing or otherwise making personal information available to a third party for monetary or any other valuable consideration.

The answer to the marketing department's question of how the company avoids putting the link on its homepage is that the company has to take action to ensure that it is not subject to that requirement of the CCPA, specifically that the company does not "sell" personal information. Each company likely has multiple vendors, subcontractors, service providers and other parties it has contracted with. A number of those agreements likely involve the sharing, making available, or outright sale of personal information to the third party, and the agreement usually covers more than just the personal information. What the company should do is go through all of its agreements and amend any that involve sharing or making available personal information so that it is clear that no consideration provided by the third party under the agreement is given in exchange for the personal information (i.e. that no consideration changes hands in relation to the personal information). This assumes that the company's business operations do not generally involve the sale of this data (if they do, the CCPA will apply absent a fundamental change in the company's business model), so this course of action will not be available to every company.

New York’s Proposed Privacy Law

Lately, seemingly following California's lead, a member of the New York State Legislature proposed legislation which would have codified the privacy rights of individuals in New York.

The proposed bill was hailed as providing stronger protection for individuals than the CCPA. Notably, it would have provided increased transparency to let individuals know what data companies collected and who they had shared that data with, let individuals request that the data be corrected or deleted, and let them choose not to have their data shared or sold at all. Importantly, the bill would have enshrined a new concept of an information/data "fiduciary". It would also have allowed individuals to bring private causes of action for breaches. The New York law would have applied to more companies than the CCPA (i.e. its scope was broader).

The text of the bill is available here: https://www.nysenate.gov/legislation/bills/2019/s5642

For better or worse, this bill has been defeated by lobbyists and will not be passed, at least not anytime soon in this form. Credit to Senator Kevin Thomas, from Long Island, for pushing it as far as he could.

Service Provider Exemption in the CCPA

One of the larger exemptions from being deemed a seller of personal data under the CCPA is the "service provider" exemption. I am not going to quote the statutory language, as frankly it is written in a confusing way. But the CCPA provides that a business will not be deemed to be selling personal data, with respect only to its relationship with a service provider, where the business uses or shares a consumer's personal information with a service provider and:

  • the use or sharing is necessary to perform a business purpose, and
  • the service provider does not further collect, sell or use the personal information except as necessary to perform that business purpose, and
  • the business has provided notice that the information is being used or shared, in its terms and conditions (which should comply with California law, see Section 1798.135)

The CCPA broadly defines "business purpose" as the use of personal information for the business's or a service provider's operational purposes, where the use is reasonably necessary and proportionate to achieve the operational purpose for which the information was collected. Specifically, this includes auditing, security purposes, debugging, short-term transient use, performing services (providing accounts, customer service, etc.), internal research, and verifying or maintaining the quality or safety of services or products.

If a business receives a request to delete a consumer's information, it should pass that request along to its service providers, and they should process the request and delete the information they hold.

A written agreement addressing these specific items should be in place between the company and each of its service providers, and many companies are now scrambling to amend all of their current service provider agreements to ensure compliance with the CCPA.

The “Look Back” Requirement of the California Consumer Privacy Act of 2018

So while the California Consumer Privacy Act of 2018 won't take effect until 2020 (or later, depending on when the regulations are issued), when it does go into effect, part of it will require companies subject to the Act to have kept records of the data collected within the 12 months prior to the Act's effective date. This seems somewhat retroactive in application, and it is legally questionable how it will be enforced, but any company doing business in California should be cognizant of the scope and time periods here and should have a procedure in place to track what is being collected and from whom. Additionally, when the Act does come into effect, companies will have to inform California consumers about the data that has been collected and how it was used, especially if it was sold to or shared with third parties. Having a procedure in place to track this now is important.

Updates to the California Consumer Privacy Act of 2018

We introduced the California Consumer Privacy Act of 2018 (CCPA) before, and there have been some updates since then. The CCPA still takes effect on January 1, 2020, but the deadline for the California Attorney General to promulgate the implementing regulations has been pushed back to July 1, 2020. Similarly, the Attorney General may not begin enforcement until the sooner of July 1, 2020 or six months after the final regulations are published.


There was lobbying in California regarding the private right of action in the CCPA, and language was added to clarify the limits of consumer suits against companies.

On the federal level, Senator Marco Rubio introduced what he called the American Data Dissemination Act (using the acronym "ADD Act"), which he presents as a federal data protection bill that would require the FTC to promulgate national data protection regulations and would explicitly preempt state laws like the CCPA. It is to be based on the antiquated Privacy Act of 1974. Without specific statutory language or regulations for the ADD Act, it is unclear what its genesis is. If it were to follow the European model, an entirely new statutory scheme would likely be needed. The purpose could also be to halt the rise of 50 different data protection laws, one from each state. In any event, members of Congress have been getting heavily lobbied by the US Chamber of Commerce and other business groups. It should be interesting to see how it all plays out. Companies should not, however, presume that the CCPA will be preempted, and should begin to prepare for it now.

The California Consumer Privacy Act of 2018

So the wave of privacy laws originating in Europe has hit the United States. On June 28, 2018, the California Consumer Privacy Act of 2018 was signed into law (referred to in this post as the "Act" or the "Law"). It is both similar to, and distinct from, the GDPR. Companies should absolutely not assume that if they are GDPR compliant they are also compliant with the California law. The California law has broad out-of-state reach, and violations carry serious monetary penalties, including actions by the Attorney General of the State of California or by individuals (either separately or as a class action). Companies should make sure they are out in front of this law. The date the Act is set to take effect is January 1, 2020.

Individual Data Subject Rights Under the GDPR

Any company that is subject to the GDPR must, among other things, ensure that it can and does timely comply with requests from any EU data subject exercising the data subject's rights under the GDPR, which are:

  1. Right of access – EU data subjects are entitled to know whether their personal data is being processed and, if so, the details of that processing (purposes, categories of data, recipients, retention period) and to receive a copy of the data.
  2. Right to rectification – EU data subjects have the right to have inaccurate personal data held by any controller corrected and incomplete data completed.
  3. Right to erasure – Be ready to completely remove any EU data subject's personal data from your systems upon request (if anything cannot be removed, the data subject must be told why).
  4. Right to restriction of processing – Be ready to restrict the processing of a specific EU data subject's personal data, for example where the data subject has withdrawn consent or contests the accuracy of the data, so that it is stored but no longer otherwise processed.
  5. Right to data portability – Be ready to provide a copy of each EU data subject's personal data in a structured, commonly used, machine-readable format upon request, either to the data subject or, where technically feasible, directly to a third party the data subject designates. Your company should be able to comply with any request within one month at no charge to the data subject.
  6. Right to object – Be ready to halt certain processing of an EU data subject's personal data (including any direct marketing) when the data subject objects (this is in addition to the right to restrict processing, and consent given earlier can be withdrawn by the data subject at any time).