The CCPA Impacts Non-US Companies. Are You Prepared?

Morgan Lewis Practical Advice on Privacy: Guide to the CCPA

December 05, 2019

California is the fifth-largest economy in the world. Its new laws and regulations have an impact far beyond its borders. Many non-US companies do business in California. The California Consumer Privacy Act (CCPA), which becomes effective on January 1, 2020, applies broadly, including to companies that are based outside of the state. This article discusses how the CCPA impacts non-US companies and what those companies need to do to prepare for CCPA compliance.

A “covered business” subject to the CCPA is any for-profit organization or legal entity that

  • does business in California;
  • collects California residents’ “personal information” either directly or through a third party on its behalf;
  • determines the purposes and means of processing that information; and
  • meets one of the following criteria: (i) has gross revenues in excess of $25 million; or (ii) annually buys, receives for the business’s commercial purposes, sells, or shares for commercial purposes the personal information of 50,000 or more consumers, households, or devices; or (iii) derives 50% or more of its annual revenues from selling consumers’ personal information.

Additional analysis concerning the above criteria follows.

First Step: Is Your Company a ‘Business’ or a ‘Service Provider’ and Does It ‘Collect’ ‘Personal Information?’

The CCPA defines many terms broadly. For example, the definition of “business” includes any entity that controls or is controlled by a business if they share common branding. This definition includes, for instance, a non-US parent company that does business in California through a branch located in California or another state. It should be noted that the CCPA applies to brick-and-mortar businesses as well as the collection of personal information over the internet or electronic records.

The CCPA may indirectly apply to non-US-based companies if they are classified as a “service provider” to a business subject to the CCPA. A “service provider” is a legal entity that receives information from a business pursuant to a written contract that prohibits the entity receiving the information from retaining, using, or disclosing the personal information for any purpose other than for the specific purpose of performing the services specified in the contract for the business or as otherwise permitted under the CCPA. Similar to the European Union’s General Data Protection Regulation (GDPR), consumers may make certain requests directly to a “service provider” regarding the information they have collected, how the information is shared, and how it is used. Pursuant to draft CCPA Regulations issued by the California attorney general, the “service provider” can either comply with the request or inform the consumer to submit the request directly to the covered business. Moreover, the “service provider” may not use personal information received from a consumer or a business for any other purpose. It only may combine such personal information to detect data security incidents or protect against fraudulent or illegal activity. The service provider may, however, use information in de-identified or aggregate form.

Example: A German game developer working for a company in California that receives the IP address of a gamer in California under a service provider contract with the California company may not use that IP address to send marketing emails of its own to the gamer and may not sell the gamer’s personal information. The game developer must also respond to inquiries it receives directly from the gamer in California to find out what the game developer has stored about the gamer, although the game developer may refer the gamer to the California company for a response.

The term “collects” is defined in the CCPA to include “buying, renting, gathering, obtaining, receiving, or accessing any personal information pertaining to a consumer by any means.” The CCPA’s definition of “business” resembles the GDPR’s concept of a “data controller” that European companies are familiar with. Under the GDPR’s definition, an entity is a controller if it either alone, or jointly with others, determines the purposes and means of processing of consumers’ personal information.

The term “personal information” is also broadly defined under the CCPA. As the California legislature recently clarified, the CCPA covers “personal information” broadly defined as including information “that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” This definition includes unique personal identifiers, online identifiers, and IP addresses, so it would cover a “device” that can be associated with an individual or household (Sec. 1798.140 (o) (1) (A)). A “device” means any physical object that is capable of connecting to the internet, directly or indirectly, or to another device. This could be a smartphone, a computer, any IoT device, or other internet-protocol-enabled equipment. The reasonableness standard now applies both to information that “is reasonably capable of being associated with . . . a particular consumer or household” and to information that “could reasonably be linked, directly or indirectly, with a particular consumer or household.” Internet or other electronic network activity, such as browsing history, search history, and information regarding consumers’ or households’ interaction with a website, application, or advertisement, is covered, in addition to name, address, personal identifier, IP address, email address, account name, Social Security number, driver’s license number, or passport number. By contrast, the GDPR always relates the information to living individuals, not to “households,” and does not apply the “reasonableness” threshold.

Note the General Exemptions

Certain personal information collected from job applicants, employees, owners, directors, staff, officers, and contractors of a business is currently exempted from the “request” requirements of the CCPA for one year, until January 1, 2021. The notice provisions and private right of action still apply to exempted information. The exempted “personal information” includes that collected and used

(1) about a person as a job applicant, employee, owner, director, officer, medical staff member, or contractor of that business;

(2) solely for the purpose of maintaining emergency contact information; and

(3) solely to administer benefits to an individual’s dependents.

The CCPA also exempts from the definition of “personal information” vehicle information and vehicle ownership information that is retained or shared by dealers and vehicle manufacturers for purposes of a warranty repair or recall-related vehicle repair. The dealer or vehicle manufacturer receiving such information cannot sell, share, or use that information for any other purpose.

Moreover, some types of information that are governed by US federal or California privacy statutes are currently excluded from the CCPA. For example, medical information subject to the Health Insurance Portability and Accountability Act (HIPAA) or the California Confidentiality of Medical Information Act and personal information subject to the Gramm-Leach-Bliley Act (GLBA) or the California Financial Privacy Act are exempt.

Second Step: Does Your Company Exceed One of the Relevant Thresholds?

If a company determines that it is a “business” or a “service provider” and that it “collects” personal information, it needs to decide whether it exceeds one of the three thresholds of the CCPA:

(1) Annual gross revenues in excess of $25 million; or

(2) Annually buys, receives, sells, or shares the personal information of 50,000 or more consumers, households, or devices, alone or in combination; or

(3) It derives 50% or more of its annual revenue from selling consumers’ personal information.

This is not an easy decision. The first threshold can be tricky because the amount does not appear to be limited to California revenues. Whether “US gross revenue” or “worldwide revenue” is meant is currently open to interpretation. It is probably better to play it safe and assume that “worldwide revenue” is the relevant metric until further guidance is provided. The term “gross revenue” is also not defined. It is advisable to look at the most recent tax statement of the “covered business.”

For the other two thresholds one should keep in mind that the term “personal information” is broader than the term “personal data” pursuant to the GDPR, and the term “consumer” includes employees, job applicants, independent contractors, owners, officers, and directors.

Third Step: Commence with Your Compliance Measures

The CCPA will become effective on January 1, 2020. Although the attorney general cannot bring claims for violations until July 1, 2020 (or earlier, if the proposed regulations are finalized before the end of 2019), it is possible his office would issue notices regarding noncompliance prior to that date. As of January 1, 2020, consumers will have a new private right of action for security breaches involving nonencrypted and non-redacted information. It is advisable to have at least some CCPA compliance measures in place by January 1, 2020, as consumers in California will have rights under the CCPA by that date. You should not assume that GDPR compliance automatically satisfies CCPA compliance, as the scope and individual rights under both laws are different. Covered non-US companies should therefore

  • assess what “personal information” is collected based on the CCPA’s broad definition;
  • review and update privacy policies;
  • revise website home pages that cater to California consumers;
  • determine whether the third parties with whom the company shares personal information are “service providers” and identify those non-service providers to whom the company “sells” information under CCPA;
  • devise and implement methods to accept, process, verify, and respond to consumer requests from California residents – including requests to know, requests to delete, or requests to opt out of sale;
  • provide the required notices to employees, owners, officers, directors, job applicants, and independent contractors;
  • consider enhancing safeguards around “personal information”; and
  • review and assess “reasonable security procedures” in place to protect personal information.

If you are involved in running a business that might be covered by the CCPA, seek professional assistance to make these determinations and implement these procedures. For EU-based data controllers or processors, full compliance could become even more challenging as personal information from California consumers that is stored in or accessed from the EU/EEA may also fall under the GDPR. For instance, opt-out or access requests under the GDPR and CCPA are treated differently.

At Morgan Lewis, we are helping many companies determine what they need to do and guiding them in doing it. That includes companies that principally operate outside the United States and companies that have implemented GDPR and now must take different or additional steps because of the CCPA.

The California attorney general issued proposed regulations for the CCPA on October 10, 2019. The proposed regulations are pending public comment through December 6, 2019. As part of the rulemaking process, the California attorney general will then decide whether any modifications should be made to the proposed regulations before they become final. In the meantime, the proposed regulations provide useful guidance as businesses prepare for and comply with the CCPA, which takes effect on January 1, 2020.

Please visit our CCPA Resource Center for more information and the latest updates.

HOW WE CAN HELP

The Morgan Lewis privacy team is providing practical privacy advice to more than 100 businesses on compliance with the CCPA, the newly proposed regulations, and how to accept requests. If you have any questions or would like more information, please contact any of the following Morgan Lewis lawyers:

San Francisco
Carla Oakley
Michelle Park Chiu
Gene Park

Los Angeles
Joseph Duffy

Philadelphia
Gregory Parks
Ezra Church
Kristin Hadgis
Julian Williams

New York
Martin Hirschprung

Washington, DC
Dr. Axel Spies