How Does the CCPA Apply Outside of California?
California is the world’s fifth-largest economy and has become a pioneer for the rights of consumers. The California Consumer Privacy Act is one piece of legislation that has made an impact far beyond the state’s borders. While the majority of voters overwhelmingly passed the new rules and regulations, out-of-state businesses are still working to understand compliance measures.
In this article, the Accountable team explains how the California Consumer Privacy Act works, how it applies to companies outside of California, and what your company can do to move toward compliance.
What Is the California Consumer Privacy Act?
The California Consumer Privacy Act, also commonly referred to as the “CCPA,” is a set of laws that aim to protect consumer privacy rights of California residents. It was enacted on January 1, 2020, making California the first US state to regulate data protection and privacy.
The CCPA applies to covered businesses engaging in the California commerce and e-commerce ecosystem regardless of location. An assessment conducted by Berkeley Economic Advising and Research, LLC in 2018 estimated that the CCPA will save $12 billion worth of data used for illegal marketing intelligence annually.
CCPA Enforcement
California’s Office of the Attorney General enforces the CCPA. Enforcement responsibilities align with their commitment to cracking down on fraudulent activities and schemes that harm consumers. These efforts also target those unlawfully conducting businesses from outside of California.
Who Does the CCPA Protect?
The CCPA protects California consumers’ rights when dealing with businesses that collect, store, and sell their sensitive data. It defines a consumer as any natural person who is a resident of the State of California. Businesses should also take note that the CCPA applies even when residents are traveling out of state.
Consumers Rights
The CCPA offers residents five primary rights to data privacy and ownership. It also provides legal remedies to aggrieved parties should a breach arise.
Below, we have outlined a short overview of the five core rights the CCPA affords to California consumers:
- Right to be informed
- Right to deletion
- Right to disclosure
- Right to equal services and prices
- Right to opt-out
If you conduct business in California, then it is essential to honor these rights uniformly and consistently.
Protected Data
Personally identifiable information, or PII, is any information that could reveal the identity of the consumer. Examples of PII include:
- Biometric information
- Commercial information
- Education information
- Employer information
- Geolocation data
- Internet or electronic activity
- Personal identifiers
- Sensory information
The above-referenced list is not entirely exhaustive. Remember, PII relates to any information that could identify, describe, associate with, or link to a household or consumer, either directly or indirectly. However, the CCPA does not cover information made publicly available from city, county, state, or federal government records.
Is the CCPA Applicable to Companies Outside of California?
Yes, the CCPA may apply to businesses outside of California if they collect or sell the PII of CA residents, conduct business in the state, and meet at least one of the following:
- Gross annual revenue exceeds $25 million
- Commercially sells or shares PII on more than 50,000 CA residents
- Receives at least 50 percent of yearly revenue from PII sales of CA residents
While the CCPA states that it only applies to companies that “do business” in the state, your business may be covered even when located in another state. The CCPA also applies to websites that meet the criteria listed above.
CCPA Exclusions
The CCPA does provide exclusions to compliance. If your business activities occur “wholly outside of California,” the state will not restrict your ability to sell or collect consumer PII.
Under CCPA Section 1798.145(a)(6), you are considered “wholly outside of California if your situation meets the following three conditions:
- You are collecting information on consumers outside of California, and
- You are not selling the consumer’s PII in California, and
- You are not collecting PII from California consumers
It is also worth mentioning that the CCPA does not apply to PII subject to other federal regulations, including:
- Drivers’ Privacy Protection Act (DPPA)
- Fair Credit Reporting Act (FCRA)
- Gramm-Leach Bliley Act (GLBA)
- Health Insurance Portability and Accountability Act (HIPAA)
Regardless of other consumer protection laws, entities covered under the preceding least will still need to meet CCPA consumer requirements.
What Are the CCPA Requirements for Businesses Outside of California?
The methods by which you meet CCPA requirements depend upon your business, industry, and company size. Here is a step-by-step process that you can use to help you achieve CCPA compliance:
- Step 1: Update privacy policies and notices
- Step 2: Update databases, processing methods, and data strategies
- Step 3: Implement protocols that protect consumer rights
- Step 4: Make security and website updates
- Step 5: Update your business associate agreements
- Step 6: Routinely train employees on the CCPA
It is challenging to fulfill these requirements without expertise and resources. Ensure you have the right tools in place to protect consumers.
What Happens If Your Business Is Not CCPA-Compliant?
California imposes severe fines on your business if it is not CCPA compliant. You have up to thirty (30) days to comply upon notification of your violation. If the issue goes unresolved, then you receive a fine of up to $7,500 per record.
The CCPA also offers consumers the right to sue you for civil damages related to the breach. Many companies process large amounts of consumer data which can quickly spiral into a class-action lawsuit if a violation occurs.
What Is the Future Outlook on CA Consumer Privacy Laws?
California continues to strengthen its consumer privacy laws. In November 2020, residents voted for the passage of the California Privacy Rights Act (CPRA). This initiative builds upon the legislation of the CCPA and becomes effective on January 1, 2023.
Businesses outside of California must stay on top of the legislative horizon. While the state gives businesses a few years to prepare in advance, time moves by quickly. If you are not currently CCPA compliant, your outside business needs to act as soon as possible.