The first thing to realize about California Consumer Privacy Act (CCPA) compliance is that you don’t have to be a California-based business to be affected. As of 2018, California was the world’s 5th largest economy. You’re better off asking yourself what the chances are that you’re not subject to the CCPA. US-based or global, you have to consider the factors involved, all of which are more likely to make you subject to, rather than exempt from, the CCPA.
If you answer yes to any of these 3 questions, you’re probably subject to the CCPA – and its requirements for personal information protection.
- Does your business’s worldwide annual gross revenues meet or exceed $25 million?
- Do you annually touch the personal information of 50,000 or more California residents? Their households? Or their devices?
- Does half or more of your annual revenue come from selling the personal information of California residents?
Before you gleefully answer “No” to all three, here’s the catch. You need to understand the definitions applied to the qualifiers in the questions.
Start with the definition of personal information – guaranteed to blow your mind. If we include the full definition here, you’ll throw your hands up in disgust and not read any further. Essentially, it’s “any information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household or device.” That’s extremely broad.
Let’s move on to “touching” personal information. An Internet Protocol (IP) address can be considered personally identifiable information – yes, you read that correctly. That means that when someone visits your company website and IP information is automatically collected (think about your handy dandy Google Analytics always running in the background), you’ve just touched personally identifiable information.
To get even more granular: Do you know which of your website visitors are considered California residents?
I know 50,000 annually sounds like a lot of website visitors. Especially if you don’t consider yourself to be enterprise-level. But it breaks down to only 137 visitors from California per day. Now wrap in the personal information definition. It includes households and devices. It’s pretty hard to have a website as a company of any size and not have that number of touches per year.
Then there’s “selling” the personal information. Many wouldn’t consider the everyday interactions with client and consumer data as selling. However, the definition of “selling” in the CCPA stretches all understanding. It can mean “selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer’s personal information by the business to another business or a third party for monetary or other valuable consideration.”
How does a business comply with the CCPA? The very thought of what it will take is overwhelming. As both a certified information privacy manager and a professional who regularly attends regulatory seminars, I can tell you that every CCPA-related event is thick with corporate legal counsel – a fair number from those great big companies that we all know. We’re all impatient to understand how compliance can happen. Stay tuned as I share more insights and commentary on the CCPA in the weeks to come. Topics include: the “HIPAA Exemption”, the various interpretations of “selling” personal information, the “opt out” option, and more.
Julia Huddleston is a Certified Privacy Manager and a Certified Privacy Professional through the IAPP (International Association of Privacy Professionals). She’s deeply involved in privacy compliance activities with clients and how policies and procedures are implemented to protect data privacy. You can reach her at Apgar & Associates: 503-384-2538.
Resource(s): IAPP CCPA Comprehensive Seminar 2019.