Is your company regulated under the CCPA?
Five traps for the unwary
As the anticipated Jan. 1, 2020, effective date of the California Consumer Privacy Act (CCPA) draws closer, determining whether a company falls under its mandates is of critical importance. Unfortunately, making that determination can be unexpectedly complicated. Unpleasant surprises may await the unwary.
As a general matter, CCPA grants consumers a number of rights concerning their personal information, including rights of deletion, notice, access, portability, and reasonable security. Implementation of the policies and processes necessary to ensure compliance with the Act can create significant budgetary and operational challenges for covered businesses, so the determination of whether the Act is applicable to any given company is a crucial threshold question.
On its face, the test to determine if an entity is covered by the Act seems pretty straightforward. The Act applies to any “business,” which is initially defined in Section 1798.140(c) of the CCPA as:
A sole proprietorship, partnership, limited liability company, corporation, association, or other legal entity that is organized or operated for the profit or financial benefit of its shareholders or other owners, that collects consumers’ personal information, or on the behalf of which such information is collected and that alone, or jointly with others, determines the purposes and means of the processing of consumers’ personal information, that does business in the State of California, and that satisfies one or more of the following thresholds:
- Has annual gross revenues in excess of $25 million, as adjusted pursuant to paragraph (5) of subdivision (a) of Section 1798.185.
- Alone or in combination, annually buys, receives for the business’s commercial purposes, sells, or shares for commercial purposes, alone or in combination, the personal information of 50,000 or more consumers, households, or devices.
- Derives 50% or more of its annual revenues from selling consumers’ personal information.
But don’t stop reading there. Before jumping to a quick conclusion that the Act does or does not apply to any given company, consider some important nuances in this definition that may affect the analysis.
1. Affiliates count. Section 1798.140(c)(2) of the CCPA expands the definition of “business” to affiliates in a way that is more expansive than one might expect. A business that shares common branding or control with a 1798.140(c)(1) business is also considered to be a “business” under the CCPA. It’s important to note that “common branding” is defined broadly to include a “shared name, service mark, or trademark,” as is “control,” which includes not just the power to vote a majority of the board or shares of an entity, but the “power to exercise a controlling influence over the management of the company.”
Takeaway: If a company shares control, influence, or branding with corporate affiliates, it should consider whether the affiliates’ activities pull the company under the jurisdiction of the CCPA.
2. Inadvertent data sales can pull a company within CCPA’s reach (even if the company doesn’t make a dime). Although a company may not “sell” data in a traditional sense, under the CCPA, selling does not require monetary consideration. For example, if consumers provide their personal information on a business’s website, and that business allows certain third parties to retain, use, or disclose that personal information for a purpose other than the one set forth in the website’s terms and conditions, or otherwise permitted under the CCPA, those activities could be considered a sale of personal data to the third parties.
Takeaway: Businesses should review their third-party contracts to avoid inadvertent sales of personal information.
3. Lack of permission to process personal information may convert a service provider into a regulated “business.” Unlike the EU’s General Data Protection Regulation, the CCPA does not impose direct requirements on the service providers of regulated companies. The “business” is the regulated entity and, as such, must ensure that its contracts with “service providers” prohibit the service providers from “retaining, using, or disclosing” the personal information pursuant to its contract with the consumer. Should that use limitation not exist, it could be argued that a company that considers itself a mere “service provider” may in fact be a regulated “business” on the grounds that it is collecting consumers’ personal information and determining the purpose and means of processing that information.
Takeaway: Service providers processing personal information of a consumer that do not want to run the risk of being deemed a “business” under CCPA should review their client contracts and practices to ensure their business counterparts obtain appropriate consent for all processing activities conducted by the service provider.
4. Other regulatory obligations may shield a company from the CCPA. If the personal information held by a company is governed by other regulations, such as the Gramm-Leach-Bliley Act (GLB), the California Financial Information Privacy Act, the Driver’s Privacy Protection Act, HIPAA, the Fair Credit Reporting Act, or other specified exemptions, the CCPA may not apply. The type of entity regulated under each of these exemptions will not necessarily remain static. For instance, the FTC has recently proposed expanding the categories of businesses that fall within the reach of GLB.
Takeaway: Companies should undertake a comprehensive review of their current regulatory obligations before assuming that the CCPA applies.
5. The definition of personal information is unexpectedly broad. Here in the U.S., we are slowly getting used to the idea that an IP address is personal information. However, the CCPA goes even further than that. One notable CCPA expansion is that personal information is defined in Section 1798.140(o) as information that can be linked, directly or indirectly, with a particular consumer or household. Included on this list is browsing history, products and services purchased or considered, inferences that create a profile reflecting personal abilities, aptitudes and attitudes, audio, electronic, visual, thermal, olfactory information, and a variety of other types of information not previously captured by U.S. privacy laws. In short, if one can learn something about someone that is useful for marketing purposes, chances are, it is “personal information.”
Takeaway: Review the types of information collected from California consumers and compare that against the statute if there is any doubt about whether a specific category will be considered “personal information” under the CCPA.
Final thoughts: While the CCPA exempts a broad swath of companies and activities from its purview, figuring out its applicability to any specific business can be tricky. Knowledge gained from other data privacy regimes, although helpful, may not be determinative of a company’s status under the CCPA. Before making any assumptions, it is crucial to carefully check the wording of the Act and leave behind all preconceived notions of the company’s role in the data cycle.