New California privacy law can apply to a large number of European companies, including those without a physical presence or traditional sales within the state.
Just over one year ago, the Governor of California signed into law the California Consumer Privacy Act (CCPA), the most comprehensive and restrictive privacy law to date in the United States. Met with equal measures of praise and criticism, the new law was the result of the state’s peculiar legislative process that itself requires a brief explanation.
California’s state constitution allows members of the public to propose new laws to a public vote during a general election. In this particular case, the drive for a new privacy law was inspired by both the Cambridge Analytica scandal and the passage of the General Data Protection Regulation (GDPR) in Europe. Local privacy activists successfully added their draft of a new privacy law to the 2018 election ballot, seeking little input or consultation from businesses or government. In response, the state legislature rushed through its own privacy bill on the final day of a deadline to prevent the ballot proposal from reaching voters. As a result of this haste, the current CCPA is riddled with inconsistencies and errors, which the legislature and Attorney General are currently attempting to address before the law takes effect on January 1, 2020. While certain aspects of the law will likely change before then, it is expected that the main provisions and mechanisms of the law will remain substantially the same as currently drafted.
So what does this mean for European businesses, many of which are still suffering growing pains and fatigue after the recent enactment of the GDPR? On the positive side, the CCPA was clearly influenced by the GDPR and contains a number of similarities, such as its introduction of the rights of transparency, access, and data portability. But the law also diverges from the GDPR in many respects, including its categorization of personal data and of the business activities affected. Of particular concern to many foreign companies is the law’s establishment of a private right of action (including class action lawsuits) against violators in what is considered a highly litigious jurisdiction known for extreme verdicts. As a result, any European company doing business in the state (or merely collecting data of its residents for commercial purposes) may potentially find itself within the ambit of the new law and should promptly begin a preliminary assessment if it hasn’t already done so.
In broad terms, the law primarily concerns the activities of for-profit entities doing business in the state that collect the personal information of California residents for their own purposes. Each of the highlighted elements deserves further analysis based on a company’s particular activities, but suffice it to say for this overview that if your company commercially targets or services consumers who reside in California in a way that involves collecting their personal information, then the law may apply to your operations.
If the above threshold requirements are met, the CCPA further divides covered companies into three different categories, each with different obligations: businesses, service providers and third parties. A business may be loosely compared to the role of data controller under the GDPR, but in order to qualify as such under the CCPA, a company must also meet one or more of the following elements:
It should be relatively straightforward for a company doing business in the state to confirm whether it meets the first or third element. But a company may overlook or misinterpret certain activities that do affect Californians and their data, thereby bringing it within the second element. For example, given the global nature of e-commerce today, it is not unusual for even a small European company or startup to collect and share data on more than 50,000 California residents (or their devices) through digital marketing, newsletters and mobile device apps. In addition, European companies that maintain majority control or ownership of a covered US business are also subject to the CCPA. So the law has the potential to cover a wide range of European companies, including those that may incorrectly believe their activities do not rise to “doing business” within the state.
The second category, service provider, loosely tracks the role of a data processor under the GDPR, though with key differences. A service provider processes personal information on behalf of a business, subject to a written contract that, among other things, restricts the processing of the data to one of seven enumerated business purposes, such as audit, fraud/security detection and backend services like payment processing. Service providers may not retain, use or disclose the personal information for any other purpose, though they are generally not required to stop such processing if a consumer opts out.
Third parties under the CCPA include any person or entity that receives personal information from a business but does not otherwise meet the criteria of either a business or a service provider, such as any downstream company processing personal information for its own purposes. Third parties can be restricted from selling such personal information if a consumer opts out. Businesses may be held liable for CCPA violations by either a service provider or a third party, but only if the business has actual knowledge or reason to believe that the other party intends to violate the law at the time of disclosure.
Companies that have recently performed vendor assessments (either as a data controller or data processor) under the GDPR will be familiar with reviewing their role as (or relationships with) service providers or third parties under the CCPA. Changes or addenda to existing data processing agreements may be required due to the new law’s specific requirements for these instruments. Covered businesses should also review coordination with these third parties regarding consumer notices, opt-outs and data rights requests as appropriate.
To summarize, any for-profit European enterprise doing business in California, targeting the state’s users or consumers for its own purposes or processing personal information of Californians on behalf of others, should review its activities to evaluate whether it meets the CCPA’s criteria. Different requirements and associated risk will follow if the company qualifies as a business, service provider or third party, so a readiness assessment should be performed as soon as possible to close any gaps before the law takes effect early next year.
Due to the law’s current inconsistencies, a number of these elements remain unclear, including the Act’s application to purely non-profit organizations. The state legislature is currently considering a number of amendments to the Act, while the Attorney General is also expected to issue further guidance in the coming months on this and other issues.
The current law is also unclear as to whether this section refers to total worldwide income or only California-based income. As a result, any company with global revenues in excess of that amount would be wise to conduct a readiness assessment.
Written by Ranjitsinh Mahida
With nearly 20 years’ experience as a media and technology lawyer in the US and Norway, Ranjit has developed a broad range of expertise in US and EU privacy law. He has held senior legal and data protection officer roles for international technology companies where he has advised on privacy compliance, cross border issues, M&A due diligence, digital marketing and related areas. He enjoys working at the intersection of technology and law where he takes a pragmatic and commercially-minded approach to assisting his clients.