California: Operationalising CPRA - scope and application
The California Consumer Privacy Act of 2018 ('CCPA'), signed into law in 2018, granted consumers new rights with respect to the collection and use of their personal information. The CCPA was amended by the California Privacy Rights Act of 2020 ('CPRA'), which became fully operative on 1 January 2023, and which also created the California Privacy Protection Agency ('CPPA'), a new regulatory body dedicated exclusively to privacy regulation. The CPPA released its revised CCPA Regulations on 4 April 2023.
Part one of this series, Operationalising CPRA, discussed how the CPRA changed consumer rights. In Part two, Jennifer Guerrero, Senior Counsel at Buchalter PC, explores the scope of the CCPA as amended by the CPRA.
Background to the CCPA
The CCPA requires the California Attorney General ('AG') to provide implementing regulations on key areas of the law, and also grants the AG's Office ('OAG') the authority to 'adopt additional regulations as necessary to further the purposes of [CCPA]'. The first set of CCPA Regulations went into effect on 14 August 2020 and additional amendments to the same went into effect on 15 March 2021. Subsequently, the amended CCPA, sometimes referred to as the CPRA, Proposition 24, or CCPA 2.0, took effect on 1 January 2023. The CPPA held a public meeting on 3 February 2023, adopting and approving the set of draft rules which implement and clarify the CCPA as amended by the CPRA. The CPPA then released its revised CCPA Regulations on 4 April 2023, which entered into effect immediately upon their approval by the California Office of Administrative Law on 30 March 2023.
'Businesses' subject to the CCPA
There are four main categories of entities subject to the CCPA[1].
- Covered businesses:
  - any legal entity organised or operated for the profit or financial benefit of its shareholders or other owners;
  - any legal entity that collects consumers' personal information;
  - any legal entity that, alone or jointly, determines the purposes or means of processing personal information;
  - any legal entity that meets one of the following thresholds:
    - has an annual gross revenue (not exclusive to California) in excess of $25 million during the preceding calendar year; or
    - alone or in combination, annually buys, receives for the business's commercial purposes, sells, or shares for commercial purposes the personal information of 100,000 or more consumers, households, or devices; or
    - derives 50% or more of its annual revenues from selling or sharing consumers' personal information[3].
- Businesses with shared control and branding (common control businesses), i.e., any entity that:
  - shares common branding such that the average consumer would perceive that two or more entities are commonly owned; and
  - shares consumers' personal information with the commonly controlled entity.
- Joint ventures: joint ventures or partnerships that hold at least a 40% interest in a covered business or common control business are individually subject to the CCPA.
- Voluntary compliance businesses: any legal entity that voluntarily certifies to the CPPA that it complies with and agrees to be bound by the CCPA.
A 'business' is defined under the CCPA as a 'sole proprietorship, partnership, limited liability company, corporation, association, or other legal entity that is organised or operated for the profit or financial benefit of its shareholders or other owners, that collects consumers' personal information, or on the behalf of which such information is collected and that alone, or jointly with others, determines the purposes and means of the processing of consumers' personal information, that does business in the State of California, and that satisfies one or more of the thresholds'.
Generally, any business that is not organised or operated for the profit or financial benefit of its owners is excluded from the CCPA[4]. The OAG sought to clarify this further in the draft rules and created a definition of a 'Nonbusiness' as a person or entity that does not meet the definition of a 'business', and explicitly states that non-profits and government entities are Nonbusinesses. Entities that service both Nonbusinesses and covered businesses only need to comply with the CCPA in relation to the data subject to the written contract with the covered business.
While Nonbusinesses are not regulated by the CCPA, it is unclear whether a Nonbusiness may fall within the scope of the CCPA where it:
- controls or is controlled by a covered business and meets the requirements for a common control business (e.g., a co-branded corporate foundation);
- enters a joint-venture with covered business; or
- contracts with an entity through an agreement that requires compliance with the CCPA.
To the extent that a Nonbusiness may subject itself to the CCPA, it is likely that the scope of the CCPA would be limited to the data subject to the CCPA.
Common control businesses
The CPRA also expanded the definition of businesses to include commonly controlled entities, like parents, subsidiaries, or affiliates that meet the requirements. Specifically, entities that: (i) control or are controlled by a for-profit business; (ii) share common branding such that the average consumer would understand that two or more entities are commonly owned; and (iii) share consumers' personal information, must also comply with the CCPA.
'Control' or 'controlled' means ownership of, or the power to vote, more than 50% of the outstanding shares of a business; any manner of control over the appointment of a majority of the directors, or of individuals exercising similar functions; or the power to exercise a controlling influence over the management of a company. Notably, a business is not required to comply with the CCPA unless all three elements are met. For example, if the trademark or branding would not lead a consumer to believe that the entities are commonly owned, then the CCPA would not be extended to that business. In addition, if the two entities are commonly owned and share branding, but do not share consumers' personal information, then the business would also fall outside of the scope of the CCPA.
Joint ventures and voluntary compliance businesses
In addition to common ownership entities, the CPRA expanded the definition of a 'business' to two additional categories: (i) joint ventures or partnerships 'composed of businesses in which each business has at least a 40 percent interest' in a covered business; and (ii) '[a] person that does business in California', not otherwise considered a business, that voluntarily certifies to the new CPRA enforcement agency that 'it is in compliance with, and agrees to be bound by, this title'.
Each business or entity 'that composes [sic] the joint venture or partnership' is considered a separate business for the purposes of CCPA compliance. However, personal information in the possession of each business and disclosed to the joint venture or partnership may not be shared with the other business.
Related entities: data brokers, service providers, contractors, and third parties
Article 4 of the CCPA addresses the different relationships that a business might have with entities to which it may sell, share, disclose, or otherwise make available consumers' personal information. The CPRA amendment to the CCPA clarified and revised the definitions and obligations for data brokers, service providers, third parties, and contractors, including the scope of their compliance obligations under the CPRA.
Depending on the transactional characterisation, the CCPA imposes different contractual and compliance requirements on each group. In some cases, an entity may be a 'business' under the CCPA while, under a particular contractual arrangement, performing services as a service provider. Likewise, a data broker may be a 'business' under the CCPA and a third party under a different contractual arrangement. §1798.115(d) of the CCPA and the AG's Final Statement of Reasons make it clear that a 'business' can also be a 'third party' and a 'data broker'. Further, transactional designations may change the scope or application of the CCPA requirements. For example, one way for a business to satisfy its §1798.115(d) obligations is that '… the business can comply with Subsection (e) [of the CCPA regulations]', which states that 'a data broker registered with the attorney general … does not need to provide a notice at collection ...'.
Service providers, contractors, and third parties
The CCPA defines a service provider as a 'person that processes personal information on behalf of a business and that receives from or on behalf of the business consumer's personal information for a business purpose pursuant to a written contract…'. A 'contractor' under the CCPA is similar to a service provider, and is defined as a person to whom the business makes available a consumer's personal information for a business purpose, pursuant to a written contract. In the Final Statement of Reasons, dated 2 February 2023[5], the OAG clarified that the main distinction between a service provider and a contractor is that a contractor does not necessarily process personal information 'on behalf of a business' but is 'a person to whom the business makes available a consumer's personal information for a business purpose, pursuant to a written contract with the business…'.
Under the CCPA, a third party is defined in the negative to include any person or entity that is not a data collector or covered business, a service provider, or a contractor. Likewise, if a person does not have an agreement in place that meets the requirements set forth in §1798.140(j)(1)(ag) of the Civil Code, that person cannot, by definition, be a contractor or service provider, and would be treated as a 'third party', according to §1798.140(ai) of the Civil Code. A third party's contractual obligations under the CCPA only apply to the personal information that the business sold to or shared with it[6].
Data brokers collect information about consumers from many sources, including websites, other businesses, and public records. The data broker analyses and packages the data for sale to other businesses. §1798.99.80 of the California Civil Code defines a data broker as 'a business that knowingly collects and sells to third parties the personal information of a consumer with whom the business does not have a direct relationship'. While data brokers are separately regulated under California's data broker law, they are also subject to the CCPA. However, some of the CCPA requirements, like the 'notice at collection' requirements, may not apply to data brokers that are registered[7].
Any business established in or outside of California is required to register as a data broker if it (i) meets one of the threshold requirements established by the CCPA; (ii) knowingly collects and sells to third parties personal information of consumers, as the terms 'personal information', 'selling', 'consumer', and 'third party' are defined under the CCPA; (iii) does not have a direct relationship with all the consumers whose information it sells; and (iv) cannot claim a statutory exemption. Consumer reporting agencies covered by the federal Fair Credit Reporting Act of 1970 ('FCRA'), financial institutions covered by the Gramm-Leach-Bliley Act ('GLBA'), and entities covered by the Insurance Information and Privacy Protection Act are all exempted from the data broker registration requirement.
Consumer 'personal information' subject to the CCPA
The CCPA protects consumers by regulating the businesses that collect, use, access, and disclose their personal information. A consumer is defined under the CCPA as a natural person who is a California resident. Personal information means any information related to a particular consumer or household, including all information regardless of whether the information can directly or indirectly identify an individual. The categories of personal information required for disclosure under the CCPA are set by statute as follows:
- identifiers such as a real name, alias, postal address, unique personal identifier, online identifier, IP address, email address, account name, social security number, driver's license number, passport number, or other similar identifiers;
- any categories of personal information described in subdivision (e) of Section 1798.80;
- characteristics of protected classifications under California or federal law;
- commercial information, including records of personal property, products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies;
- biometric information;
- internet or other electronic network activity information, including, but not limited to, browsing history, search history, and information regarding a consumer's interaction with an internet website, application, or advertisement;
- geolocation data;
- audio, electronic, visual, thermal, olfactory, or similar information;
- professional or employment-related information;
- education information, defined as information that is not publicly available personally identifiable information as defined in the Family Educational Rights and Privacy Act 1974 ('FERPA'); and
- inferences drawn from any of the information identified in this subdivision to create a profile about a consumer reflecting the consumer's preferences, characteristics, psychological trends, predispositions, behaviour, attitudes, intelligence, abilities, and aptitudes.
Notably, in the only OAG Opinion published related to the CCPA, the OAG clarified when 'inferences' were considered personal information. Specifically, the OAG seemingly expanded the definition to include inferences drawn 'from any of the information identified in this subdivision' to include inferences that stem from publicly acquired data.
Carve-outs and exemptions
The CCPA explicitly carves out 'publicly available information' from the definition of 'personal information'. 'Publicly available information' is defined broadly to include:
'[I]nformation that is lawfully made available from federal, state, or local government records, or information that a business has a reasonable basis to believe is lawfully made available to the general public by the consumer or from widely distributed media; or information made available by a person to whom the consumer has disclosed the information if the consumer has not restricted the information to a specific audience'.
In addition, the CCPA excludes de-identified or pseudonymised information that cannot be reasonably linked to an individual. Information collected outside of California is also excluded from the CCPA; however, the commercial conduct must take place wholly outside of California. Specifically, the exclusion applies if the business collected that information while the consumer was outside of California, no part of the sale of the consumer's personal information occurred in California, and no personal information collected while the consumer was in California is sold.
The CCPA also contains a number of exceptions for certain categories of information, including medical records, credit reporting, banking, and vehicle safety records, where the information is governed by another privacy statute. The purpose of these exemptions is to avoid interfering with those regulatory schemes and placing undue burdens on businesses. The most significant exemptions are tied to three federal laws: the Health Insurance Portability and Accountability Act of 1996 ('HIPAA'), the GLBA, and the FCRA. The most common exemptions include:
- 'medical information' under the Confidentiality of Medical Information Act ('CMIA');
- 'Protected Health Information' ('PHI') in the hands of a covered entity or business associate as defined by HIPAA;
- de-identified information derived from PHI;
- 'identifiable private information' as defined by the Federal Policy for the Protection of Human Subjects;
- personal information that is collected and used in a limited employment context that relates to certain provisions of the CCPA, including purpose of administering employment benefits, emergency contact information in the employment file, or for use related to their role as an applicant, employee, independent contractor or owner of that business;
- personal information collected by financial institutions and financial services businesses and subject to GLBA, the California Financial Information Privacy Act, or the Agriculture Improvement Act of 2018;
- collection, maintenance, disclosure, sale, communication or use of any personal information subject to the FCRA so long as the activity is authorised by the FCRA;
- data processed following the Driver's Privacy Protection Act of 1994; and
- warranty and recall information in any industry.
Notably, many of these exemptions only apply to specific categories of data, meaning that if the entity otherwise qualifies as a business or other designation subject to the CCPA, it must comply with the CCPA requirements for all the other data sets that are within the scope of the CCPA. For example, marketing data, patient or customer service call centre information, social media and app data, and data licensed from a third party would not likely be covered by the exemptions. More specifically, non-exempt information includes the email addresses, advertising identifiers (cookies and mobile device IDs), and IP addresses collected via the websites of every organisation, including the information collected on consumers about their interests and concerns for marketing purposes.
Sensitive personal information
Sensitive personal information is a specific subset of personal information defined under the CCPA that imposes additional requirements. Sensitive personal information includes certain government identifiers (such as social security numbers); an account log-in, financial account, debit card, or credit card number with any required security code, password, or credentials allowing access to an account; precise geolocation; contents of mail, email, and text messages; genetic data; biometric information processed to identify a consumer; information concerning a consumer's health, sex life, or sexual orientation; or information about racial or ethnic origin, religious or philosophical beliefs, or union membership. Sensitive personal information explicitly excludes information that is publicly available.
Employee and B2B personal information
CCPA exemptions for employment-related personal information and personal information reflecting B2B transactions described in §1798.145(m)-(n) of the Civil Code expired on 31 December 2022. Since the legislature did not extend the exemption for employee and B2B personal information, many categories of human resources and business contact data are now considered personal information under the CCPA.
In the employee or human resources context, personal information would include an employee's contact information, insurance and benefits elections, bank and direct deposit information, emergency contacts, dependents, resume and employment history, performance evaluations, wage statements, time punch records, stock and equity grants, compensation history, and many other forms of data routinely collected in the context of the employment relationship. Notably, employers need to be aware that employee records may contain 'sensitive personal information' (such as financial information, social security numbers, communications content, health information, and biometrics).
Similarly, B2B personal information would include all information about individual business contacts, including names, email addresses, and inferences.
Determining the means of processing
The definition of a business under the CCPA requires that the business, alone or jointly with others, 'determine[s] the purposes or means of processing' of personal information. The CCPA does not provide any other guidance as to what this means. While the language is nearly identical to that used in the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR') to define a controller (the term equivalent to 'business' under the CCPA), it is unclear whether the legislature intended to remain silent on the definition to ensure a broad reach in applicability. However, to the extent the GDPR guidance is analogous, entities may consider the following factors as guidance: a business is more likely to qualify as a data controller if it is responsible for some or all of the following, i.e., it:
- decides to collect or process the personal data;
- decides what the purpose or outcome of the processing is to be;
- decides what personal data should be collected;
- decides which individuals to collect personal data about;
- obtains a commercial gain or other benefit from the processing, except for any payment for services from another controller;
- processes the personal data as a result of a contract between the business and the data subject;
- exercises professional judgment in the processing of the personal data; and
- maintains a direct relationship with the data subjects.
Doing business in California
The CCPA does not define 'doing business in California'. In the OAG comments, it stated that 'doing business in the State of California' should be construed in accordance with its plain meaning and other California law[8], and seemed to assume that an out-of-state entity that sells to California residents may meet this threshold in at least some circumstances[9].
Generally, California law requires non-California companies to 'qualify' (i.e., get a certificate of authority) as a condition of doing business in the state, but there is no clear definition of what it means to 'do business'. Rather, different California agencies define or interpret what it means to 'do business' in California. One definition comes from the Franchise Tax Board and determines whether an individual or business will have tax liabilities in California. The other is established by the California Corporations Code and determines what corporate filing obligations an out-of-state business will have with the California Secretary of State.
Franchise Tax Board definition
According to the Franchise Tax Board, doing business in California consists of 'actively engaging in any transaction for the purpose of financial or pecuniary gain or profit'. An out-of-state entity is treated as 'doing business' in California if:
- the entity is commercially domiciled in California (meaning the entity is controlled in California, like a headquarters);
- sales in California exceed the lesser of $500,000 or 25% of the entity's total sales;
- the entity has real or tangible property in California exceeding the lesser of $50,000 or 25% of the entity's total real and tangible property; or
- the amount paid in California by the entity for compensation exceeds the lesser of $50,000 or 25% of the total compensation paid.
Note that even if none of the above situations apply, any foreign entity could still be considered to be doing business in California if it is a member or general partner of an entity that does business in California, or if any of the entity's members, managers, or other agents conduct business in California on behalf of the entity.
Corporations Code definition
Under the California Corporations Code, 'doing business' is referred to as 'transact[ing] intrastate business', which is defined as 'entering into repeated and successive transactions of its business in [California], other than interstate or foreign commerce'. While it does not list what activities constitute doing business, the statute provides a 'nonexclusive' list of activities that do not constitute doing business in California that may be instructive in the CCPA context, including:
- maintaining, defending, or settling any action or suit or any administrative or arbitration proceeding;
- effecting sales through independent contractors;
- transacting any business in 'interstate' commerce (i.e., between or across states);
- conducting an isolated transaction completed within a period of 30 days and not in the course of a number of repeated transactions of like nature; or
- merely being a shareholder, member or manager, or limited partner of a California corporation, limited liability company, or limited partnership (or a similar non-California entity transacting intrastate business).
Several features determine the scope of applicability of the CCPA: the types of entities, the jurisdictional boundaries, the types of data, and the range of activities that are included or excluded. The patchwork of inclusions, exclusions, and exemptions across the various definitions makes the determination of applicability less than straightforward, and the outcome varies based upon the specific facts. While there are various nuances to the scope, the CCPA is intended to regulate for-profit entities and their vendors who do business in California and collect, use, share, or sell California residents' personal information.
Jennifer Guerrero, Senior Counsel
Buchalter PC, Los Angeles
1. Determining whether a business is subject to the CCPA requires a fact-specific determination. Businesses should consult with an attorney who is aware of all pertinent facts and relevant compliance concerns.
3. Note that the definitions of 'selling' and 'sharing' extend this threshold: any form of disclosure of a California consumer's personal information, whether for monetary value, other remuneration, or any benefit received by a business, counts toward the 50% of annual revenues threshold.
9. Id. at rows 11-12.