By all accounts, the sweeping privacy rights law passed by the California legislature in late June promises to upend the business model that has been relied upon by e-commerce companies for decades. As e-commerce has developed over the years and grown into its own market segment, U.S. companies have collected and monetized the personal data of their customers and users with minimal regulatory restriction. Now, with the passage of the California Consumer Privacy Act, California consumers have been given unprecedented control over their personal information collected by businesses.
But does a California law apply to a business located outside of California? If there is anything electronic commerce has taught us over the past 20 years, it is that online businesses must comply with their customers' state consumer protection laws. As a result, according to an analysis by the International Association of Privacy Professionals, it is estimated that more than half a million U.S. companies will be impacted by the law, many of them small-to-mid-sized businesses.
In a nutshell, the law applies to a business that collects a consumer's personal information. It defines "business" as a sole proprietorship, partnership, limited liability company, corporation, association or other legal entity, provided that it:
- Is organized or operated for the profit or financial benefit of its owners
- Alone or with others determines the purposes and means of the processing of commercial information of products or services purchased, or of purchasing or consumer histories or tendencies
- Does business in the state of California
- And satisfies one or more of the following three thresholds:
  - Has annual gross revenues exceeding $25,000,000
  - Annually buys, receives, sells or shares for commercial purposes the personal information of 50,000 or more consumers, households, or devices
  - Derives 50% or more of its annual revenues from selling consumers' personal information
Of note, natural persons do not fall within the definition of "business" no matter what such person's data collection and use activities are.
The fact that a business does not have a physical location in California does not exempt it from its legal obligation to comply with California law, unless every aspect of the business' commercial conduct with respect to the consumer's personal information takes place "wholly outside of California." This means that none of the following activities may have occurred in California: the collection of the information from the consumer; the sale of the consumer's information; and the sale of any personal information collected while the consumer was in California.
A "consumer" is a natural person who is a California resident for state taxation purposes, "however identified, including by any unique identifier." A "unique identifier" means "a persistent identifier that can be used to recognize a consumer, a family or a device," such as a device identifier, an IP address, cookies, beacons, mobile ad identifiers or similar technology, and even telephone numbers, that can be used to identify a particular consumer or device. Clearly, the legislators intended the law to address the technological developments that use such non-traditional identifiers to identify a consumer or a device, so that the use of such data is also subject to the rights granted under the law.
The law's definition of "personal information" is broader than any other federal or state U.S. privacy law to date. In addition to the standard identifiers classified as "PI" under other U.S. privacy laws, the California law's definition of "PI" includes less traditional identifiers, such as a "unique personal identifier" (which is a defined term also used in the definition of consumer), an online identifier, an IP address, browsing history, search history, interaction with a website, app or advertisement, and inferences drawn from personal information for profiling purposes.
Since the law's stated purpose is to give consumers greater control over the collection, use, sale or transfer of their personal information, including the right to request that the consumer's information be deleted and the right to opt out of the sale of personal information by a business, the inclusion of the broad list of characteristics and behaviors in the definition of personal information acknowledges the increasing role of technology in the daily lives of consumers.
For businesses that potentially may be impacted by this law, there are as many questions as there are answers. Hopefully, many of these questions will be answered by the regulations to be drafted over the next 12-18 months. Businesses that have taken steps to comply with the General Data Protection Regulation will likely find that they already have processes and policies in place that permit them to comply, without too much additional trouble and expense. Those businesses would most certainly share two lessons learned from their journey to GDPR compliance: first, it is never too early to start the process, and second, conducting a data inventory is important. Understanding what data a business has, how it is used, and where it resides within an organization's systems is a key first step to analyzing the business' data protection legal obligations.
For more information, contact Michael Nitardy, or any other member of Frost Brown Todd's Privacy & Data Security Team.