In 2018, the world's most onerous privacy law, the European Union's General Data Protection Regulation (GDPR), went into effect. California then responded, "hold my beer!" and enacted the California Consumer Privacy Act (CCPA). The CCPA imposes significant compliance costs and creates potentially enormous liability for companies that fail to comply. With in-house counsel in mind, this primer provides an overview of the CCPA's scope, its requirements, and tips on operationalization.

Once Upon a Time...

The CCPA came about because a wealthy Californian was upset at what he perceived to be a lack of transparency and control over how his personal information was being collected, sold, and used by large technology companies, social media companies, and data brokers. He took action by funding a campaign to put on the November 2018 ballot in California an initiative that would have created the most onerous privacy law ever to go into effect in the United States. The law would have created a private right of action for any violation (not just data breaches) and created a tsunami of liability for companies doing business in California. The measure gained support, eventually reaching the threshold number of signatures required to place the initiative on the November ballot.

Realizing that California residents would likely support this measure if it were placed on the ballot, pro-business groups reached a last-minute deal under which the ballot initiative was withdrawn in return for the California State Legislature adopting a law that encompassed most of the same requirements as the ballot initiative. This "compromise" that produced the CCPA was the lesser of two evils for companies doing business in California, because it meant a slightly less draconian law and a better chance to amend the law in the future. As a result of the rushed last-minute negotiations (the bill was drafted and passed within a couple of weeks), the CCPA contains inconsistencies, typographical errors, and many unresolved issues.

To Whom Does the CCPA Apply?

The CCPA applies to for-profit entities that:

  1. collect consumer personal information (a "consumer" is currently defined as any resident of California—so think employees as well as customers—though there is an amendment to the CCPA pending that would limit the definition of consumer to the more traditional meaning);
  2. determine the purposes and means of processing (i.e., the business controls what happens to the personal information);
  3. do business in the state of California; and
  4. meet any one of the following thresholds:
    (a) have annual gross revenues in excess of $25 million (this is not limited to revenue generated solely in California);
    (b) annually buy, receive for commercial purposes, sell, or share for commercial purposes the personal information of 50,000 or more consumers, households, or devices; or
    (c) derive 50 percent or more of annual revenue from selling consumers' personal information.

The CCPA applies not just to companies located in California, but any company that collects, discloses, or sells personal information about California residents.

Are There Exceptions to the CCPA's Scope?

Yes, the law has many exceptions. For example, the CCPA doesn't apply to information governed by HIPAA/HITECH, GLBA, or FCRA, to clinical trial information, or to information that has been de-identified or aggregated. Note, however, that these are not company-wide exceptions; they apply only to the information itself, not to the entity. So, for example, a covered entity under HIPAA may still be governed by the CCPA to the extent it collects personal information that is not PHI. Likewise, the de-identification exception is not satisfied merely by stripping names: the CCPA treats information as "deidentified" only if the business has implemented technical safeguards and business processes that prohibit re-identification and prevent inadvertent release, and makes no attempt to re-identify the data. There are other exceptions, too, such as where a company needs to comply with a legal obligation, comply with law enforcement or a subpoena, exercise or defend a legal claim, or prevent the violation of an evidentiary privilege.

What Is "Personal Information" Under the CCPA?

The CCPA adopts the broadest definition of personal information we have ever seen. It means any information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household. Examples of personal information include the following:

  • Identifiers such as a real name, alias, postal address, unique personal identifier, online identifier, Internet Protocol address, email address, account name, Social Security number, driver's license number, passport number, or other similar identifiers;
  • Any categories of personal information described in California's data breach notification law;
  • Characteristics of protected classifications under California or federal law (e.g., race, gender, and ethnicity);
  • Commercial information, including records of personal property, products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies;
  • Biometric information;
  • Internet or other electronic network activity information, including, but not limited to, browsing history, search history, and information regarding a consumer's interaction with an internet website, application, or advertisement;
  • Geolocation data;
  • Audio, electronic, visual, thermal, olfactory, or similar information;
  • Professional or employment-related information;
  • Education information; and
  • Inferences drawn from any of the information identified in this subdivision to create a profile about a consumer reflecting the consumer's preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes.

To put the breadth of this definition into perspective, the data breach notification laws of the 50 states typically limit their definition of personal information to the first two bullets above. The CCPA also reaches information gleaned from a California-based IP address visiting your website. The way a person sounds, the way a person smells, and the amount of heat a person emits are all types of personal information under the law. Professional and employment-related information are included in the definition (surprisingly, salary is not considered personal information under most data breach notification laws). And if that definition were not broad enough on its own, any inferences drawn about an individual (or household) from any of these pieces of information are also personal information.


The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.