Do I need to worry about the new Californian privacy law?

On 1st January 2020, California's new consumer privacy law — cunningly called "The California Consumer Privacy Act" but known by most as the "CCPA" — came into force. (There's an unofficial, but very useful, version here.)

If you've already gone through the implementation of the GDPR, you're either heaving a sigh of "what, something else?", or else thinking "great; we're probably most of the way there already".

This is a very simple blog post, and answers just one question: do you need to worry about the CCPA?

Unlike the GDPR, which applies to lots of businesses (pretty much every business in the EU, and quite a lot outside it), the CCPA has a more limited scope.

The four-step test to see if you need to worry about the CCPA

You need to think about the CCPA if you:

  1. are a business; and

  2. buy, rent, gather, obtain, receive, or access any personal information about Californian residents (or have someone else do this on your behalf); and

  3. do business in California; and

  4. meet any one or more of the following:
     • have gross annual revenue of more than $25m; or
     • buy, receive, sell or share for commercial purposes, in each year, personal information of 50,000 or more Californian residents, households, or devices; or
     • make more than 50% of your revenue from selling Californian residents' personal information

You also need to think about the CCPA if your business controls, or is controlled by, a business which meets the conditions above, and shares common branding.

What does it mean to "do business in California"?

You'd have thought that they'd have made that crystal clear, right?

Wrong.

There is not (at least, as far as I've been able to tell) a simple test to determine whether you "do business in California" or not, and different people have different opinions as to what counts.

The following are, in my view, likely to increase the odds of you "doing business in California":

  • you have retail premises there
  • you have staff there
  • you target advertising to residents of California
  • you make references to selling to California in your marketing or on your website
  • you use testimonials from residents of California in your marketing or on your website
  • a substantial chunk (see, this isn't really a legal test) of your business comes from sales to residents of California

The following are — in my completely non-binding opinion — unlikely to amount to "doing business in California":

  • your website is accessible to residents of California
  • you do not restrict or block residents of California from buying your products or services
  • you occasionally sell to residents of California

Ultimately, the Act exists to safeguard the rights of residents of California. If whatever you are doing impacts the rights of a sufficient number of Californians in a material way, you might reasonably expect some attention if you don't comply.

Perhaps we'll see more on this when the CCPA beds in a bit more.

Bugger. I'm in scope

With a bit of luck, the processes and procedures you've implemented for the GDPR will stand you in good stead, but they will not, on their own, enable you to comply — there are some nuances, and some bits which the CCPA requires which go beyond what the GDPR requires.

If you're a client, get in touch, and we'll do what we can to help you. We can introduce you to good privacy lawyers in the USA if you need specialist advice.

I'm not in scope, but it's close

If the only reason you are not in scope is because you don't quite meet either of the revenue requirements, or because you're just under the threshold for number of Californian residents etc., it would be sensible to regularly review your position.

Put a note in your calendar to check that you're still out of scope, or else you run the risk of tripping over the threshold, and being required to comply, without you realising.

(Of course, whether anything bad would happen as a result is a different matter — we'll just have to wait and see what, if any, enforcement action happens about non-compliant overseas businesses.)

I'm not in scope, and it's not even close

If you're not even close to being in scope — perhaps your revenues are miles off, or you just don't do business in the state of California — then this is probably not something you need to worry about.