How to Comply with the California Consumer Privacy Act: Does the CCPA Apply to My Organization?

The California Consumer Privacy Act (“CCPA”) will go into effect in 2020 and is expected to drastically change how U.S. based companies handle personal data. As explained in our previous blog post, the law provides California residents (“consumers”) with rights controlling how their personal information is used, imposes disclosure obligations on organizations, and levies statutory fines in case of infringement. Experts predict that the law will affect at least 500,000 US businesses, the “vast majority” being small and medium business.

Will the CCPA apply to your organization or vendors? Read on.

Which Entities are Regulated by the CCPA?

The CCPA applies to businesses. However, its rules also directly affect service providers and other third parties.

When considering what businesses fall under the CCPA, the law applies to both:

1. Businesses, which are for-profit legal entities that satisfy all of the following tests:
   1. Establishment test: The business does business in California. The act does not define “doing business” in California, but the current text and its interpretation under other State laws suggest that CCPA should apply to any business, regardless of physical presence or place of incorporation, which regularly offers goods or services to persons or entities in California or otherwise purposefully derives benefit from its activities in California. Thus, a few isolated transactions with California consumers likely does not constitute “doing business”, but advertising to California residents or having site content which specifically targets Californians could be sufficient. Some elements that may indicate that a company is doing business in California are taxes paid in the state or ownership of real estate in California.
   2. Collection test: The business is collecting California consumers’ personal information (or having such information collected on the business’ behalf). Collection means “buying, renting, gathering, obtaining, receiving, or accessing any personal information pertaining to a consumer by any means”, which involves both the active and passive receipt of consumer information, either directly from the consumer or provided to the business by other parties. Even fleeting access to the data constitutes collection under the CCPA.
   3. Controllership test: The business is determining alone, or jointly with others, the purposes and means of the processing of consumers’ personal information.
   4. Location of the commercial conduct test: Some aspect of the business’s collection or sale takes place in California. The CCPA does not apply if the business collected the personal information while the consumer was outside of California, no part of the sale of the consumer’s personal information occurred in California, and no personal information collected while the consumer was in California is sold. However, this does not mean that the CCPA will not apply if a business stores, including on a device, personal information about a consumer when the consumer is in California and then collects that personal information when the consumer and stored personal information is outside of California.
   5. Threshold test: The business meets at least one of the following criteria:
      1. $25 million in annual gross revenues.
      2. Buying, selling, sharing, and/or receiving the personal information of at least 50,000 California consumers, households, or devices, per year. If you have a website that attracts 137 different California visitors per day from whom you collect personal information, it is easy to meet this criterion.
      3. Deriving at least 50% of the annual revenue from selling California consumers’ personal information.
2. Any entity that controls or is controlled by a CCPA-regulated business. The CCPA applies to an entity that controls or is controlled by a business which meets all the criteria mentioned above when there is either:
   1. ownership of, or the power to vote, more than 50% of the outstanding shares of any class of voting security of a business;
   2. control in any manner over the election of a majority of the directors, or of individuals exercising similar functions; or
   3. the power to exercise a controlling influence over the management of a company. 

This means that parent and subsidiary companies with which the business shares common branding (shared name, service mark, or trademark), even if these entities are non-profit organizations, will also be subject to the CCPA.

As you may have noted by reading these criteria, the CCPA is not intended to apply to small companies collecting a minimum amount of data, but growing companies that may be meeting these requirements soon should make the necessary CCPA arrangements as soon as possible.

Service Providers

The CCPA also addresses service providers. For example, businesses that receive a verifiable consumer right request to delete his/her personal information must “direct any service providers to delete the consumer’s personal information from their records”. However, not all vendors are considered “service providers” under the CCPA. Service providers are for-profit legal entities that process “information on behalf of a business” and which are bound by written contracts which prohibit them from retaining, using, or disclosing the personal information for any purpose other than those specified in the contract or as otherwise permitted by the CCPA (“business purpose”). 

If a service provider uses personal information in violation of the CCPA, the business using the service provider will not be liable for such misconduct under the CCPA if the business: 1) has executed a CCPA compliant written contract with the service provider; and 2) did not have actual knowledge or reason to believe that the service provider intended to violate the CCPA at the time the business disclosed the personal information.

Even if the service provider is not considered a business as defined above, services providers under the CCPA must rethink how they process personal information since businesses covered by the CCPA have to ensure that their service providers can help the businesses to comply with THEIR obligations (such as erasing the information if requested, or using the information as permitted by the contract). 

Third Parties

Third parties are persons who are not: 1) a CCPA-regulated business; or 2) the recipient of personal information under a contract containing the same restrictions that are imposed for service providers under the CCPA. In short, third parties are natural and legal persons that may use personal information for their own means and purposes. 

The CCPA addresses the circumstances under which a business may sell personal information to a third party. For instance, before selling personal information to a third party, a CCPA-regulated business must provide notice to the consumer and the option to opt-out of the sale or disclosure. 

The CCPA bans third parties from selling personal information about a consumer that has been sold to the third party by a CCPA-regulated business unless the consumer has received explicit notice and is provided an opportunity to exercise the right to opt-out. For this, in theory, a third party could rely on the business’ notice and opt-out choice rather than providing its own notice and opt-out opportunity. Nevertheless, relying on them may be insufficient when the original notice or opt-out provided by a business does not comply with the CCPA or when the third party cannot promptly know that a consumer has opted out from the sale of his/her personal information and the third party has already resold the consumers’ personal information. Consequently, it is advised that third parties provide separate notice and an opportunity to opt-out from the sale of personal information. 

Third parties that violate the CCPA restrictions are liable for their violations. In addition, businesses that disclose information to third parties that infringe the CCPA restrictions, knowing (or having a reason to know) at the time of disclosing the personal information that the third person intended to commit such a violation, are also liable for the use of the disclosed information in breach of the CCPA.

What if My Entity is a “Covered Entity” or “Business Associate” Under HIPAA or a Financial Institution Subject to GLBA?

In those cases, the CCPA will not apply to your organization with respect to Protected Health Information (“PHI”) (as defined under the Health Insurance Portability and Accountability Act, “HIPPA“) or Non-Public Information (“NPI”) (as defined under the Gramm-Leach-Bliley Act “GLBA“). However, if you process personal information which is not considered PHI or NPI and is subject to the CCPA, the provisions of the CCPA will apply to the processing of such information with regards to the processing, sale, collection, and disclosure for business purposes.

Do You Want to Get Started with CCPA Compliance?

At VeraSafe, we can help you determine whether CCPA will apply to your organization and prepare a plan of what needs to be done to meet the CCPA obligations before it becomes enforceable. 

To learn more about the CCPA and what your organization needs to do to prepare, please contact one of VeraSafe’s privacy experts today for a free consultation.