CCPA Practice Tip Series

Adam A. Berkland, Charles H. Bowyer and Allen T. O'Rourke
Robinson Bradshaw Publication

The California Consumer Privacy Act of 2018 (CCPA) went into effect on Jan. 1, 2020, creating an array of new obligations and legal risk regarding the personal information of California consumers for businesses covered by the law. Complying with the CCPA can be challenging, but Robinson Bradshaw attorneys are here to help. We are providing a series of CCPA Practice Tips to help businesses understand the new requirements and implement compliance strategies. Drawing on our experience helping clients to prepare for the CCPA, we will break down the challenge of compliance into small, digestible pieces and address key practical issues facing businesses. Of course, every business covered by the law will need a compliance strategy tailored to its unique circumstances. If you have questions about any of the information provided here or about how the CCPA may apply to your business, please do not hesitate to contact any member of our Cybersecurity and Privacy Practice Group for assistance.

Please note that our CCPA Practice Tips take into account not only the CCPA as amended but also the regulations proposed by the California attorney general in October 2019 and other guidance that may become available by the time of publication. As the text of those regulations could change before they become finalized, we plan to update our guidance here as needed to reflect such changes. Please contact us for the most up-to-date information.

Tip #1: Step-by-Step Approach to Compliance

Published Jan. 2

As the CCPA has now gone into effect, businesses will have about six months before July 1, 2020, when the California attorney general can begin enforcing the CCPA. It could be even longer before the CCPA's implementing regulations are finalized. However, consumers covered by the law can now begin submitting certain types of legal requests to businesses handling their personal information. Businesses also can face litigation under the CCPA's limited private right of action for data breaches of certain personal information.

This first Practice Tip of our series provides an overview of what the CCPA requires from most businesses covered by the law and then outlines a general step-by-step approach to compliance. In future Practice Tips, we will address the applicability of the CCPA, including what types of business are covered and how key terms are defined, and examine important aspects of compliance in greater detail.

Overview of CCPA Obligations

Generally, for most businesses covered by the CCPA, there are four basic requirements that must be addressed from the outset to comply. The business has to do the following:

  1. Provide additional disclosures to consumers, including notifying consumers in ways that go beyond what has been traditionally covered by a privacy policy.
  2. Honor consumers' rights to request specific information about what personal information the business collects, uses, discloses and sells about that consumer (a "Request to Know") and to request the deletion of that consumer's personal information collected or maintained by the business (a "Request to Delete").
  3. Update contracts with service providers and other businesses with which the business shares personal information.
  4. Adopt commercially reasonable data security measures to protect personal information from unauthorized access, theft or disclosure.

Notably, there are additional obligations for a business that:

These situations trigger special requirements under the CCPA that are beyond the scope of this Practice Tip. Please contact us for more information if you have questions about compliance in such situations.

Finally, the CCPA's obligations do not currently extend to the personal information of a business's own employees or job applicants or to the personal information of the individual employees or other personnel of business entity clients, customers, service providers or partners/collaborators (e.g., B2B services). The CCPA's obligations around treatment of personal information from these types of individuals have been suspended until Jan. 1, 2021.

Step-by-Step Approach to Compliance

Each business is unique and will need a compliance strategy tailored to its needs. However, we have developed the step-by-step approach outlined below through our experience helping companies prepare for the CCPA. These basic steps provide a helpful framework and starting point for businesses working to comply with the CCPA.

In future installments of our CCPA Practice Tip Series, we will focus on specific steps for compliance in greater detail. Before we do that, however, our next Practice Tip will address the scope of the CCPA and what businesses are covered by the law. If you have questions about any of the information provided here or about how the CCPA may apply to your business, please feel free to contact any member of our Cybersecurity and Privacy Practice Group or any other Robinson Bradshaw attorney with whom you are working.

Tip #2: Which Businesses Must Comply

Published Jan. 9

This second Practice Tip of our series explores the threshold issue of who must comply with the CCPA, which has now gone into effect. In general, the obligations apply only to "businesses" collecting consumers' personal information. The CCPA's concept of a "business" generally means:

– Has annual gross revenues in excess of $25 million;
– Annually buys, receives, sells or shares the personal information of 50,000 or more consumers, households or devices; or
– Derives 50% or more of its annual revenues from selling consumers' personal information.

"Business" also includes any entity that is an affiliate of and shares common branding with an entity meeting the above definition. This likely covers any affiliate with a shared name, service mark or trademark.

Doing Business in California

The CCPA's phrase "does business in the State of California" is not defined any further in the statute. However, based on prior legislation, it is clear that a physical operation in California is not required. Also, given that the statute includes an exception for situations where every aspect of the collection and use of consumers' personal information takes place wholly outside of California, the drafters of the CCPA clearly believed that businesses domiciled outside of California may be subject to the law. Thus, many businesses located throughout the United States, especially those with an online presence, will likely be regarded as "doing business" in California for purposes of the CCPA.

Collects Personal Information of Consumers

Here "consumer" means any individual California resident. Of course, this is much broader than how the word is typically used. For example, a company's own personnel and job applicants as well as the employees and other individual representatives of its business clients (e.g., when engaging in business-to-business transactions) are technically "consumers" under the CCPA so long as they are California residents. However, under an amendment addressing this issue, the effective date of the CCPA with respect to these types of individuals has been delayed to Jan. 1, 2021.

Also bear in mind that the CCPA applies both when a business collects personal information on its own and when the business directs a third-party service provider to collect the information on behalf of the business. Indeed, when service providers are involved, the CCPA includes requirements for what to include in the service agreement.

Determines the Purposes and Means of Processing Personal Information

The CCPA only directly places obligations on a business that "alone, or jointly with others, determines the purposes and means of the processing" of consumers' personal information. Generally, this occurs when the business has a direct relationship with the consumer – that is, they are "your" customer or client – or in other situations where the business is able to dictate and control how the personal information is used. In contrast, service providers that collect, store or otherwise process personal information on behalf of a business client or customer as directed are generally only obligated to comply with certain elements of the CCPA and only to the extent that their business client or customer requires them to do so by contract.

The Extent of the Business, Personal Information and Revenue

Finally, the business must also either (i) have annual gross revenues in excess of $25 million, (ii) annually buy, receive, sell or share the personal information of 50,000 or more consumers, households or devices or (iii) derive 50% or more of its annual revenue from selling (as defined in the CCPA) consumers' personal information. As to the first threshold, there is some debate over whether the $25 million revenue threshold is revenue globally, nationally or in the state of California. Until more guidance is provided, it is safest to assume global revenue should be considered. Additionally, due to the broad definition of "consumer" discussed above, many more businesses will meet the second threshold than a first glance would suggest.

Some Exceptions

Even if you operate a "business" covered by the CCPA, the law's requirements would not apply to your processing of certain types of personal information, including the following:

– Health information covered under the California Confidentiality of Medical Information Act (CMIA) and the Health Insurance Portability and Accountability Act (HIPAA);
– Information collected in a clinical trial subject to the Federal Policy for the Protection of Human Subjects (the Common Rule);
– Personal information transferred to or from a consumer reporting agency if such information is already protected by the Fair Credit Reporting Act (FCRA);
– Consumer financial information protected by the Gramm-Leach-Bliley Act (GLBA) or the California Financial Information Privacy Act (FIPA); and
– Personal information covered by the federal Driver’s Privacy Protection Act.

Tip #3: Scope of "Personal Information" and "Sales"

Published Jan. 16

After determining that the CCPA applies, a business will need to carefully assess so-called "data flows" of personal information in order to develop a compliance strategy. To this end, here are some key questions to be answered:

The answers to these questions will go a long way to defining the scope of a business's obligations under the CCPA. For example, the CCPA imposes stricter requirements on businesses that "sell" personal information, collect the personal information of persons under the age of 16, or treat consumers differently based on their agreeing to the collection or sale of personal information or their other exercise of CCPA rights. Accordingly, for this third Practice Tip, we focus on what counts as "personal information" and "selling" such information for purposes of the CCPA.

Personal Information

"Personal information" is broadly defined in the CCPA. It means "information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household."

Beyond this general definition, the CCPA provides a list of examples of items that would be personal information if reasonably linked or linkable with a particular consumer or household:

As these examples make clear, the CCPA's concept of personal information goes far beyond the typical categories of personally identifiable information found in U.S. privacy laws. Thus, you must think expansively in the assessment of data flows within your business to identify all personal information that may be covered by the CCPA.

The CCPA does specify a number of exceptions which provide some limits to the scope of personal information subject to the law. For example, "deidentified" personal information, "aggregate consumer information" and "publicly available information" (i.e., information available from federal, state or local government records) are specifically excluded. Furthermore, as mentioned in our earlier Practice Tip concerning the scope of the CCPA, certain types of personal information already governed by industry-specific federal or California laws are also carved out of the statute. Finally, two key areas of personal information have been carved out of the CCPA until Jan. 1, 2021. These are, broadly speaking, a company's own personnel and job applicants as well as the employees and other individual representatives of its business clients, such as when engaging in business-to-business transactions.

Sales of Personal Information

A business that "sells" personal information faces additional requirements under the CCPA, including more disclosure obligations and the requirement to have a mechanism for consumers to opt out of the sale of their personal information. Accordingly, after figuring out the data flows of personal information, businesses must also determine whether any of their disclosures of personal information would be considered a "sale" for CCPA purposes.

"Sell," "selling" and the like basically mean a business's disclosure of personal information to a third party for anything of value. Specifically, the term is defined very broadly to mean "selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer's personal information by the business to another business or a third party for monetary or other valuable consideration."

As with the concept of personal information, this definition of selling goes well beyond what the term typically means. In particular, "other valuable consideration" could mean a wide range of things, such as getting access to another's marketing list or learning additional consumer insights to help with marketing. Thus, in assessing whether a disclosure of personal information to a third party could amount to "selling" under the CCPA, it is important to consider the whole relationship with the third party and how the business may benefit from the disclosure.

The CCPA does specify a number of exceptions, however. The following transfers of personal information are not considered "sales" under the CCPA:
