The California Consumer Privacy Act (CCPA) is the most expansive state privacy law in the United States. The law went into effect on January 1, 2020, after months of negotiations and drafting. Although it is a California state law, the law’s broad scope can actually apply to businesses all across the United States. The CCPA reaches across state lines and protects any information that identifies California residents, regardless of where the business is located. Modeled after Europe’s General Data Protection Regulation (GDPR), the CCPA grants extensive rights to individuals over the control and use of their data. The law also contains a detailed disclosure requirements that businesses must adhere to when data is misused. Although Tennessee business owners might assume the CCPA does not apply to them, many Tennessee businesses actually fall within the CCPA’s broad reach.
When does the CCPA Apply To A Tennessee businesses?
The CCPA can apply to a Tennessee business if they are a for profit business that also does business in California and collects and determines the use of California resident’s personal information, so long as they also meet the additional threshold requirements.
Many Tennessee businesses might assume that the CCPA does not apply to them because they are located outside of California or don’t typically handle much customer data. However, many Tennessee companies fall within the CCPA’s broad reach.
Step 1: A Tennessee company must:
- be a for-profit business;
- that “does business” in California, and
- collects personal information of any California resident (or has the information collected on their behalf), and
- determines the purpose and means of processing such personal information.
Step 2: If Step 1 is met, then any of the following must also apply:
- The annual gross revenue is over $25 million, or
- The business (alone or in combination with another) buys, sells, or shares the personal information of 50,000 or more California consumers, households, or devices for commercial purposes, or
- The business derives 50 percent or more of its annual revenue from selling California consumers’ personal information.
Some of these threshold requirements require a deeper analysis to determine if your business is subject to the CCPA in Tennessee. Likewise, some requirements are too ambiguous to fully determine whether the CCPA applies to your business until more guidance is provided. For example, how do you know if your Tennessee business “does business” in California? What is personal information under the CCPA? And, does the annual gross revenue have to come from California customers?
When a business “does business” in California.
When does a Tennessee business “do business” in California under the CCPA? The CCPA does not spell out what it considers as “doing business in California”. Instead, we must turn to California tax laws for guidance. Under those laws, a business “does business” in California so long as there is a commercial connection with the state.
When does a Tennessee business have a commercial connection in California? Obviously, having employees or a physical presence in the state is certainly enough. However, a business likely doesn’t need a physical location or employees in the state to qualify. California tax law has also found that companies who conduct online transactions with California residents are doing business in the state, even without a physical presence. Given California’s massive population, there is a strong likelihood that any businesses that conducts online transaction nationally will inevitably find itself conducting transactions with California residents. Thus, any business that conducts nationwide transactions online will likely fall within the CCPA’s “does business” requirement .
What is Personal Information Under the CCPA?
Personal information is broadly defined under the CCPA, and encompasses any information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be directly or indirectly linked, with a particular consumer or household.
The CCPA specifically identifies numerous types of protected personal information. For example:
- Phone numbers;
- IP addresses;
- Email addresses;
- Account names;
- Social security number;
- Driver’s license number;
- Passport number;
- Biometric information;
- Internet network activity;
- Search history;
- Geolocation data;
- Personal records; and
- Purchase history.
This list is not exclusive. The CCPA also includes a catchall for “other unique personal identifiers”, as well as the inferences drawn from using this type of information. However, it does make exceptions for deidentified or aggregate consumer information, and information lawfully made publicly available from federal, state, or local government records.
When Does a Business collects personal information?
The CCPA defines collecting personal information as buying, renting, gathering, obtaining, receiving, or accessing any personal information pertaining to a consumer, by any means. This includes receiving information from the consumer, either actively or passively, or by observing the consumer’s behavior. Strange as it sounds, a business does not have to directly collect personal information for the law to apply. Instead, the law applies even if personal information is collected by a third party on your business’s behalf.
Does the $25 million in revenue have to come from California?
One of the most discussed aspects of the CCPA is whether the $25 million in revenue requirments only applies to revenue derived from California. The CCPA does not clarify this point. Thus, it is still unclear whether the $25 million in revenue must originate from California. However, given the difficulty in establishing exactly where revenue is derived from for many companies, and the related complications this would cause for enforcement of the Act, the general thought is that this threshold applies to overall revenue, not just revenue derived from California. Regardless of the uncertainly over certain aspects of the CCPA, a business should not sit on the fence over whether it is worth the investment to implement early. Instead, it is wise to take a proactive approach to compliance, even if the applicability of the CCPA to your business is uncertain.
Consumers under the CCPA and B2B Relationships.
A consumer under the CCPA is any person who is a California resident, even if they are not in the state when the incident occurs. Even though “consumer” is in the title of the act itself, the CCPA can reach beyond a typical business to consumer relationship. In business to business relationships, a businesses might believe they do not fall under the CCPA since they don’t deal with individual consumers. However, the Act can also apply to these relationships if the business collects personal information about contacts at those other businesses, if those contacts are California residents.
Additionally, if a business collects personal information from its own employees, the CCPA still applies. However, businesses are exempt from this provision until January 1, 2021.
How are businesses punished for violating the CCPA?
A Tennessee business that violates the CCPA can face civil fines or injunctions. If a business fails to cure a violation within 30 days, the California Attorney General can fine businesses. Unintentional violations can result in fines of up to $2500, per violation. More severely, intentional violation can bring fines up to $7500.
Additionally, the CCPA separates itself from other state privacy laws by granting consumers a private right of action. This right gives consumers the ability to sue and collect damages directly from businesses. Consumers can succeed on these claims if their personal information is subject to an unauthorized access, exfiltration, theft, or disclosure because the covered business did not meet its duty to implement and maintain reasonable safeguards to protect the information. Consumers are entitled to statutory or actual damages for the violation, whichever is greater. Fortunately for businesses, statutory damages are low and actual damages can be difficult to prove. Statutory damages range from $100 to $750 per consumer, per incident. However, these costs can add up quickly when a breach or violation effects a thousands of consumers.