Texas Businesses Take Heed
Five misconceptions about the California Consumer Privacy Act debunked
By Jana Terry
If you haven’t given the California Consumer Privacy Act too much thought because you didn’t think it would apply to businesses outside of California, think again. Here are five misconceptions about the reach and scope of the CCPA.
Our business doesn’t sell anything to individual California consumers, so we don’t have any data that is governed by the
Reality: Obviously the California Consumer Privacy Act is aimed at the personal data of “consumers.” But it’s not strictly a consumer protection law.
Under the CCPA, a “consumer” is any individual California “resident.” The CCPA is a far-reaching law that applies to the personal information of all people who reside in California.
The CCPA defines “personal information” as anything that “identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” Some examples of personal information include real name or alias, mailing address, email address, telephone number, online identifier, IP address, Social Security number, driver’s license or state ID number, signature, biometric information, insurance policy number, and more.
Finally, the information does not need to be accurate or true to count as personal information.
Our business has no locations in California, so the CCPA doesn’t apply to us.
Reality: It is true that the CCPA does not apply if every aspect of the collection or sale of the California resident’s personal information takes place “wholly outside of California” or if the company is not doing “business in the state of California.” But if companies have any nexus to California, then they will probably fail the exemption tests. For example, if a business collects any personal information from a California resident while they are in California or if any part of a sale of a California resident’s personal information occurs in California, then the transaction is not “wholly” outside of California. As for the second test, under California law, an out-of-state business does business in California if it “actively engag[es] in any transaction for the purpose of financial or pecuniary gain or profit.” Any company that enters into contracts with companies or persons in California, or that employs persons in California, will be deemed to be doing business in California for purposes of the CCPA.
We don’t hold enough personal information of California residents to come within the scope of the CCPA.
Reality: A business holding the personal information of even a single California resident may be subject to the CCPA. In general, if your company is a for-profit business that receives (by any means) personal information pertaining to a California resident (or if some other company collects such information on your company’s behalf), your business is subject to the CCPA if any of the following criteria are met:
1. The company receives, sells, or shares for commercial purposes, the personal information of at least 50,000 California residents, households, or devices annually;
2. The company derives 50% or more of its annual revenues from selling California residents’ personal information; or
3. The company has annual gross revenues in excess of $25 million.
In short, if your business generates, wholly outside of California, more than $25 million in annual gross revenues and holds the personal information of even one California resident, your business will be required to comply with the CCPA with respect to that data, unless some exemption applies.
We only have employee data, and the CCPA is being amended to exempt that data from the law.
Reality: It is true that the CCPA was amended to temporarily exempt employers from having to comply with most provisions of the CCPA with respect to job applicant and employment-related personal information. However, the exemption is only for one year and does not apply across the board. In particular, employers of California residents that are subject to the CCPA are now required to inform their employees, prior to or at the point of collection, as to the categories of personal information that will be collected about them and the purposes of that collection. Additionally, the data breach portion of the CCPA (the only part of the CCPA that gives rise to a private right of action) applies to employers.
This article, which was originally published on Beckstead Terry’s Employment, Compliance & Privacy Report blog, has been edited and reprinted with permission.
JANA TERRY is a partner in Beckstead Terry, a boutique employment, compliance, and privacy law firm in Austin. Terry is credentialed by the IAPP as a certified information privacy professional (CIPP/US).