Data Protection Report - Norton Rose Fulbright

This is the Data Protection Report’s second post in a series of blog posts that will break down the major elements of the CCPA which will culminate in a webinar on the CCPA in October. This blog focuses on covered entities. Stay tuned for additional posts and information about our upcoming webinar on the CCPA.

California’s new privacy law, the California Consumer Privacy Act (CCPA) grants California residents extensive new privacy rights. One of the more significant aspects of the law however, is the number of business entities to which it applies. Companies around the world must comply with the CCPA if they do business in California, collect consumers’ personal information, and determine the purposes and means of processing that information. Companies must also meet one of three criteria: (a) have annual gross revenue in excess of $25 million; (b) buy, receive, or sell personal information of at least 50,000 California consumers, households, or devices; or (c) derive at least 50% of its annual revenue from selling California consumers’ personal information. Consumer is defined as a natural person who is a California resident. The new rules may also apply to parent companies and subsidiaries that share common branding with the business.

The CCPA applies to a broad number of businesses, covering nearly all commercial entities as long as there is a California nexus. The International Association of Privacy Professionals estimated that the CCPA will affect upwards of 500,000 U.S. businesses, including those that sell goods or services to California residents even if the business is not physically located in California. Further, while the CCPA does not apply to conduct that takes place wholly outside of California, California is estimated to make up about 13% of the U.S. marketplace, which is more than any other individual U.S. state.

A major criticism of the CCPA is that it does not apply to the collection and use of consumers’ personal information by California state and local government agencies. However, there is already some discussion of passing additional legislation to apply similar controls to California government authorities. The CCPA does not apply to non-profit organizations.

See our earlier blog with a summary of CCPA’s major provisions here.

Stay tuned for our next blog article on the expended definition of personal information under the CCPA.

Our other CCPA articles

Article 1: Summary of CCPA’s major provisions

Article 2: CCPA covered entities

Article 3: CCPA definition of personal information

Article 4: CCPA disclosure requirements

Article 5: CCPA “Right to Deletion”

Article 6: California Attorney General’s Office begins CCPA rulemaking process with first public hearing while Congress debates new federal privacy law

Article 7: Comments at CCPA public forum in Los Angeles highlight tensions between businesses and consumer rights groups

Article 8: GDPR, CCPA and beyond: Changes in data privacy laws and enforcement risks to monitor in 2019

Article 9: CCPA: “Attorney General Amendment” Likely Dead

Article 10: Nevada, New York and other states follow California’s CCPA

Article 11: “What’s cooking” in Sacramento: CCPA’s “employee exception” bill is amended; “publicly available information” exception is broadened, and consumer access rights are clarified

Article 12: Back At The Negotiating Table: CCPA Amendments Debate Continues

Article 13: One-Month Countdown to Pass CCPA Amendments Begins

Article 14: CCPA: “Wait and see” is not the right approach

Article 15: And then there were five: CCPA amendments pass legislature

Article 16: Mic Drop: California AG releases long-awaited CCPA Rulemaking

Article 17: California Governor Signs All 5 CCPA Amendments

Article 18: Here We Go Again: Another Ballot Initiative for CCPA in 2020

Article 19: Privacy Officers’ New Year’s Resolutions

Article 20: State of the Untion: CCPA and beyond in 2020