By Lothar Determann and Chetan Gupta
As of Jan. 1, 2020, companies around the world will have to comply with additional regulations related to processing of personal data of California residents. Pursuant to the California Consumer Privacy Act of 2018 ("CCPA"), covered companies have to observe restrictions on data monetization business models; accommodate rights to access, deletion, and porting of personal data; and issue or update privacy notices to provide detailed disclosures about data handling practices. For a general overview of the statute and its unusual history, see Lothar Determann, The California Consumer Privacy Act of 2018: Broad Data and Business Regulation, Applicable Worldwide, IAPP Privacy Tracker (Jul. 2, 2018).
The CCPA protects all California residents with respect to any personal information that relates to them. However, contrary to its title, the CCPA does not just protect Californians in their roles as consumers, but also as employees, patients, tenants, students, parents, children, etc. This is because Cal. Civ. Code § 1798.140(g) defines “consumer” as any “natural person who is a California resident, . . . however identified, including by any unique identifier.” That section specifies that the term “resident” is defined by Cal. Code Regs. Tit. 18, § 17014 as it read on Sept. 1, 2017, meaning it “includes (1) every individual who is in the State for other than a temporary or transitory purpose, and (2) every individual who is domiciled in the State who is outside the State for a temporary or transitory purpose,” subject to a number of clarifications and specifications. Therefore, employees in California fall within the definition of “consumer” under the CCPA.
Companies around the world have to comply with the CCPA if they receive personal data from California residents (including employees) and if they—or their parent company or a subsidiary—exceed one of three thresholds: (a) annual gross revenues of $25 million, (b) collection for commercial purposes of the personal information of 50,000 or more California residents, households, or devices annually, or (c) 50% or more annual revenue from selling California residents’ personal information. Parent companies and subsidiaries using the same branding are covered in the definition of “business,” even if they themselves do not exceed the applicable thresholds. Cal. Civ. Code § 1798.140(c).
A. Companies must comply if they have annual revenues in excess of $25 million.
It is not clear whether this number includes only a company’s California revenue or its global sales, as the CCPA does not specify the scope of this provision. For comparison, Cal. Civ. Code § 1714.43(a)(1) applies to companies according to their “annual worldwide gross receipts,” whereas the CCPA merely refers to “annual gross revenues,” Cal. Civ. Code § 1798.140(c)(1)(A). In contrast, Cal. Rev. & Tax. Code § 17942(a) applies only to income “derived from or attributable to this state.” Therefore, if a company with annual revenues over $25 million has even one employee in California (and therefore receives the employee’s personal data), it is possible that the company would automatically be covered by the CCPA.
B. A company will need to comply if it obtains or sells personal information of at least 50,000 California residents annually for commercial purposes.
Given the broad scope of the CCPA, companies may reach this threshold more quickly than anticipated. Most notably, the Act defines “[c]ommercial purposes” as “advancing a person’s commercial or economic interests,” Cal. Civ. Code § 1798.140(f), and “[p]ersonal information” as “any information that . . . relates to . . . a particular consumer or household,” specifically including employment-related information, Cal. Civ. Code § 1798.140(o)(1). Therefore, an employee’s job description, details of an employee’s compensation, performance reviews, and most HR records pertaining to the employee constitute “personal information.” Additionally, non-employee consumers would potentially count towards the threshold, and employers may inevitably gather related personal information by, for example, capturing IP addresses through operation of a website. Consequently, an employer may be subject to the CCPA if it has few employees in California but a large number of other “consumers” located there.
C. Companies can also be subject to the law based on whether they sell California residents’ personal information.
A relatively small company in California may need to comply if it derives more than 50% of its annual revenue from selling California residents’ personal information. “Selling” is defined broadly to mean any disclosing or making available for monetary or other valuable consideration, subject to a number of exceptions, including consumer-directed disclosures to third parties that do not sell the personal information; limited sharing with service providers; and business transfers in bankruptcy, M&A, and similar transactions. Cal. Civ. Code § 1798.140(t).
D. Out-of-state companies may be exempt from the CCPA.
The CCPA does not apply to collection or sale of personal information if “every aspect of that commercial conduct takes place wholly outside of California,” Cal. Civ. Code § 1798.145(a)(6), or if the company is not doing “business in the State of California,” Cal. Civ. Code § 1798.140(c)(1). Most companies with connections to California, however, will find proving either difficult. For one, commercial conduct will not be deemed taking place outside California if a company collects information about a consumer while the consumer is located in California, sells information collected when the consumer was located in California, or conducts any part of a sale in California. Cal. Civ. Code § 1798.145(a)(6). Additionally, under Cal. Rev. & Tax. Code § 23101(a), an out-of-state company is doing business in California if it actively engages “in any transaction for the purpose of financial or pecuniary gain or profit” in California. Employing or collecting information about California residents will usually satisfy either test.
The CCPA prescribes rigid requirements regarding how consumers must be notified of and may exercise the rights guaranteed by the Act. For example, businesses must make available to consumers a toll-free telephone number for submitting requests for information required to be disclosed, and if a business sells personal information as contemplated under the CCPA, it must provide a clear and conspicuous link on its Internet homepage titled “Do Not Sell My Personal Information.” Cal. Civ. Code § 1798.130(a)(1), 1798.135(a)(1). These requirements apply even if they would not necessarily be the most appropriate means of communicating with employees.
Companies around the world will need to start working right away to assess the CCPA’s impact on their businesses, systems, and data handling practices. A year and a half is not a lot of time, as anyone who has been working on EU GDPR compliance knows well. Companies will need to take a number of affirmative steps to comply with the new requirements, including the following:
Lothar Determann and Chetan Gupta practice law at Baker McKenzie LLP, Palo Alto, and advise clients on data privacy and employment law respectively. Chetan Gupta is admitted in California and India. Lothar Determann is admitted in California and Germany and is the author of Determann’s Field Guide to Privacy Law (3d Ed. 2017) and California Privacy Law - Practical Guide and Commentary (3d Ed. 2018). The views expressed in this article are those of the authors and not necessarily those of Baker McKenzie or its clients, or of Bloomberg Law. The authors are grateful for valuable input from their Baker McKenzie colleagues Helena Engfeldt and Jonathan Tam.