The California Consumer Privacy Act Part 2: Does it Apply to My Business?
As we explained in our last alert, California’s new comprehensive data privacy law is to take effect on January 1, 2020. For companies subject to this law, compliance will require a substantial investment of time, effort, and money.
So, what makes a business subject to this law? In this alert, we look at the applicability of the California Consumer Privacy Act (CCPA), as well as the exceptions and limitations of the law.
Applicability
The first step is to determine whether the business collects “personal information” from California residents. The CCPA’s definition of “personal information” is broad.
- “Personal information” is information that
- identifies, relates to, describes, is capable of being associated with or could reasonably be linked
- directly or indirectly, with a particular consumer or household.”
- “Personal information” does not include “publicly available information”
- lawfully made available from federal, state, or local government records
- provided the business’ use is compatible with its public purpose.
Thresholds
The CCPA will still not apply unless the business meets one of three numerical thresholds. In the prior year, the business must have
- Had annual gross revenues of greater than $25 million
- Received or disclosed the personal information of more than 50,000 California:
- residents
- households
- devices (i.e., one person’s phone, tablet and laptop = 3 CA devices) or,
- Derived 50%+ of annual revenue from selling California resident personal information.
- “Selling” means:
- selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means
- to another business or a third party for monetary or other valuable consideration.
- “Selling” means:
Exemptions
The CCPA exempts certain financial and health personal information, but not financial services or health care businesses generally. All personal information, even exempted information, remains subject to data breach lawsuits under the CCPA.
Certain Financial Information. If the business is a bank, brokerage, insurance company, credit reporting agency or other financial services company, the CCPA does not apply to personal information
- Collected, processed, sold or disclosed pursuant to the Gramm-Leach- Bliley Act or its regulations
- Subject to the Fair Credit Reporting Act
- Subject to California’s Financial Information Privacy Act or
- Subject to California Driver’s Privacy Protection Act of 1994
The GLBA’s Privacy Rule and this exemption applies to the personally identifiable information of an existing customer, such as a customer with an online account. Marketing and other communications unrelated to the financial services may not meet the exemption.
Certain Health Information. The CCPA also does not apply to:
- Protected health information collected by a covered entity or business associate under:
- HIPAA
- HI-TECH (Health Information Technology for Economic and Clinical Health Act)
- Medical information governed by the Confidentiality of Medical Information Act or,
- Information collected as part of a clinical medical trial subject to the Federal Policy for the Protection of Human Subjects.
To reiterate, the CCPA exemptions apply only to the information collected for the purpose of complying with the health care and financial statutes and regulations. If a business collects demographic or website visitor information unrelated to its services, the CCPA arguably applies to that information.