On 28 June 2018, California enacted a comprehensive consumer privacy law “the California Consumer Privacy Act of 2018” (CCPA), which will come into effect on 1 January 2020, although the Attorney General of California shall not bring an enforcement action until 6 months after the publication of the CCPA’s implementing regulations or by July 1, 2020.
The CCPA introduces new privacy rights for consumers that will force certain companies conducting business in California to implement structural changes to their privacy governance. Given its extraterritorial reach like the General Data Protection Regulation (GDPR), the CCPA will considerably have a global impact on organisations that collect and process personal information of Californian residents.
As such, this guidance aims to provide clarity to organisations affected by the CCPA on its key provisions and the measures organisations should take to implement them.
The Scope of Application
When the CCPA APPLIES TO BUSINESSES?
The CCPA does not cover every business, but covers the vast majority of Californian, US or international organisations that collect the personal data of Californians. The act will apply to your organisation if it is a legal entity that:
- Does business in California, regardless of whether it has a physical presence/office/establishment/company registration in the state. An organisation appears to “do business in California” simply if it actively engages in any transaction for the purpose of financial or pecuniary gain or profit within the state, and;
- Collects personal information from Californian residents, or buys or sells personal information of Californian residents, and determines the purposes and means of
processing consumer’s personal information
Additionally, to fall within the scope of the CCPA, your organisation must also meet one of the following three criteria:
- Receives, shares, buys or sells personal information of 50,000 consumers, households or devices per year (not necessarily in an exchange for remuneration);
- Gross revenue exceeding $25 Million; or
- Derives 50% or more of its annual revenue from selling consumer’ personal Information.
The CCPA also imposes obligations with respect to third parties and service providers. Your organisation therefore needs to identify and define its relationships with different
parties and implement the necessary processes to comply with certain CCPA obligations such as opt-out sale rule.
Unlike the European General Data Protection Regulation (GDPR), the CCPA does not explicitly refer to “controller” and “processor” to distinguish the decision-making process by different entities with respect to personal data. However, the CCPA does define an organisation’s “service provider” in a similar manner to a “processor”; outlining that it is a legal entity that “processes information on behalf of a business”. Many organisations that receive personal data from businesses subject to the CCPA will be considered ‘service providers’, although not those who themselves play a greater responsibility in determining the purposes and means of processing consumer’s personal information (such as jointly on campaigns or projects).
In this scenario, the CCPA requires that service providers must be bound by a written agreement. Specifically, the contract must prohibit service providers from using consumer information disclosed to them for a purpose different than the one specified in the contractual terms.
To read the full guidance please click on the link below:
Please do not hesitate to contact us if we can support you in your work, share our thoughts and ideas and answer any questions you may have with regards to our response.