This blog post is the first in a series of Q&A posts following Dykema’s February 27, 2019 webinar on the California Consumer Privacy Act (“CCPA”). We received questions both before and during the webinar, and over the coming weeks we will be posting our responses. We will answer the most commonly-asked questions first, so please stay tuned if you don’t see your question in the first one or two posts. And, of course, please feel free to reach out to us if you have a unique question or would like to discuss in detail how the CCPA may apply to you.
Thanks for reading!
Does CCPA Apply to My B2B or Out-of-State Business?
Examples:
(1) I work for a retailer that does not operate stores in California. Does the CCPA apply to me?
(2) I work for manufacturer that does not directly market or sell to California consumers. Does the CCPA apply to me?
(3) I work for a construction company that contracts only with other businesses, not consumers. Does the CCPA apply to me?
The answer to all of the above is quite possibly yes.
The CCPA applies to any for-profit entity that does business in California, collects consumer information, and that: (a) generates $25 million in gross annual revenue or more; (b) handles the data of 50,000 California consumers or devices; OR (c) derives 50% or more of its revenue from selling personal information. If your entity meets this threshold definition, it falls within the CCPA’s definition of a covered business.
There is no requirement that the entity operate physical locations in California to be treated as a business under the CCPA. While the CCPA itself does not define “doing business” in California, for litigation, tax, and other corporate purposes, physical presence is only one of the factors used in determining whether a company “does business” in the state. For example, if your non-California entity is registered with the California Secretary of State and pays taxes in California, it is most likely “doing business” here.
There is likewise no requirement that a company actually target or directly sell to California consumers to become subject to CCPA. If your company meets the threshold definition and collects any personal information that could be used to identify a California consumer or household, your company does not need to actually use that information in marketing or selling to California consumers to be covered under the statute.
Similarly, even if your company’s direct interactions are only with other businesses, and not with consumers, that still does not exempt you from complying with the CCPA if your company otherwise meets the threshold definition. Remember, it is the type of information your company collects–i.e. any information that “identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household”–that determines whether the CCPA applies. And “consumer” is defined very broadly to include any “natural person” who is a California resident. If your company collects information that can be used to identify a California resident–including in the form of such things as business contacts, outside vendor information, and employee information (absent further judicial or statutory clarification), your company is subject to the CCPA and must comply.
If we are already subject to GLBA, are we also covered by CCPA?
The short answer is yes.
Whether the CCPA applies depends on the type of consumer information your company collects. If your company is a financial institution, some of the consumer information it collects is already covered under the GLBA. That information is specifically exempted from certain provisions of the CCPA. But that does not mean your company as a whole is exempted, including because the CCPA has a much broader definition of personal information than the GLBA.
Your financial institution employer most likely collects consumer information that is not covered by the GLBA, and is therefore not exempted from the CCPA. The GLBA’s definition of “consumer,” for example, is more narrow than the CCPA’s. Under the GLBA, a consumer is “an individual who obtains, from a financial institution, financial products or services which are to be used primarily for personal, family, or household purposes.” The CCPA’s “consumer” is any natural person who is a California resident. Accordingly, if your bank or credit union employer collects the personal information of California residents who are not also GLBA “consumers” (for example, through a website, marketing efforts, or in the form of business or vendor contacts), that information will still be subject to CCPA. Employees of financial institutions are also not necessarily GLBA “consumers.” In its current form, the CCPA does not exempt employee information. Unless the statute is further amended, or clarified by its implementing regulations, personal information of employees would fall under the CCPA’s scope.
CCPA’s private right of action for data breaches also still applies to information covered under the GLBA. Accordingly, your financial institution employer can still be sued under the CCPA for a data breach involving GLBA-covered information, and the same statutory penalties that apply to any other type of personal information would apply.
Next Steps
If you are unsure whether the CCPA applies to your organization or the type of data it collects, it is important to start reviewing your organization’s potential compliance obligations under the CCPA now. Although the CCPA does not go into effect until January 1, 2020, the statute covers data collected beginning January 1, 2019. Dykema’s Privacy and Data Security group is here to help your organization review, update, and develop not only its compliance with CCPA, but also assist with a holistic privacy program that is responsive to the ever-changing landscape of domestic and international obligations and the associated litigation and regulatory risks.
For more information, please email privacycompliance@dykema.com, and a team member – Cindy Motley, Ashley Fickel, or Luke Sosnicki – will promptly contact you.
To sign up for Dykema’s Privacy and Data Security Blog e-mail updates, please click here.
As part of our service to you, we regularly compile short reports on new and interesting developments and the issues the developments raise. Please recognize that these reports do not constitute legal advice and that we do not attempt to cover all such developments. Rules of certain state supreme courts may consider this advertising and require us to advise you of such designation. Your comments are always welcome. ©2019 Dykema Gossett PLLC.