By all accounts, the sweeping privacy rights law passed by the California legislature in late June promises to upend the business model that has been relied upon by e-commerce companies for decades. As e-commerce has developed over the years and grown into its own market segment, U.S. companies have collected and monetized the personal data of their customers and users with minimal regulatory restriction. Now, with the passage of the California Consumer Privacy Act, California consumers have been given unprecedented control over their personal information collected by businesses.
But does a California law apply to a business located outside of California? If there is anything electronic commerce has taught us over the past 20 years, it is that online businesses must comply with their customers’ state consumer protection laws. As a result, according to an analysis by the International Association of Privacy Professionals, it is estimated that more than half a million U.S. companies will be impacted by the law, many of them small-to-mid-sized businesses.
In a nutshell, the law applies to a business that collects a consumer’s personal information It defines “business” as a sole proprietorship, partnership, limited liability company, corporation, association or other legal entity, provided that it:
- Is organized or operated for the profit or financial benefit of its owners
- It alone or with others determines the purposes and means of the processing of commercial information of products or services purchased, or of purchasing or consumer histories or tendencies
- Does business in the state of California
- And satisfies one or more of the following three thresholds:
- Has annual gross revenues exceeding $25,000,000
- Annually buys, receives, sells or shares for commercial purposes the personal information of 50,000 or more consumers, households, or devices
- Derives 50% or more of its annual revenues from selling consumers’ personal information.
Of note, natural persons do not fall within the definition of “business” no matter what such person’s data collection and use activities are.
The fact that a business does not have a physical location in California does not exempt it from its legal obligation to comply with California law, unless every aspect of the business’ commercial conduct with respect to the consumer’s personal information takes place “wholly outside of California.” This means that none of the following activities may have occurred in California: the collection of the information from the consumer; sale of the consumer’s information, and the sale of any personal information collected while the consumer was in California,
A “consumer” is a natural person who is a California resident for state taxation purposes, “however identified, including by any unique identifier.” A “unique identifier” means “a persistent identifier that can be used to recognize a consumer, a family or a device”,– such as a device identifier, an IP address, cookies, beacons, mobile ad identifiers or similar technology, and even telephone numbers – that can be used to identify a particular consumer or device. Clearly, the legislators intended the law to address the technological developments that use such non-traditional identifiers to identify a consumer or a device, so that the use of such data is also subject to the rights granted under the law.
The law’s definition of “personal information” is broader than any other federal or state U.S. privacy law to date. In addition to standard identifiers classified as “PI” under other U.S. privacy laws, the California law’s definition of “PI” includes less traditional identifiers, such as a “unique personal identifier” (which is a defined term also used in the definition of consumer), an online identifier IP address, browsing history, search history, interaction with a website, app or advertisement, and inferences drawn from personal information for profiling purposes.
Since the law’s stated purpose is to give consumers greater control over the collection, use, sale or transfer of their personal information, including the right to request that the consumer’s information be deleted and the right to opt out of the sale of personal information by a business, the inclusion of the broad list of characteristics and behaviors in the definition of personal information acknowledges the increasing role of technology in the daily lives of consumers.
For businesses that potentially may be impacted by this law, there are as many questions as there are answers. Hopefully, many of these questions will be answered by the regulations to be drafted over the next 12-18 months. Businesses that have taken steps to comply with the General Data Protection Regulation will likely find that they already have processes and policies in place that permit them to comply, without too much additional trouble and expense. Those businesses would most certainly share two lessons learned from their journey to GDPR compliance: first, it is never too early to start the process, and second, conducting a data inventory is important. Understanding what data a business has, how it is used, and where it resides within an organization’s systems is a key first step to analyzing the business’ data protection legal obligations.
For more information, contact Jane Hils Shea, Melissa Kern, Michael Nitardy, or any other member of Frost Brown Todd’s Privacy and Information Security Team.