Late last year California passed the California Consumer Privacy Act of 2018 (“CCPA”) aimed at granting certain rights and protections to California consumers and also imposing obligations and limitations on businesses in an effort to provide consumers more control over their personal information. The CCPA becomes effective January 1, 2020, and companies across the nation are marking their calendars in anticipation of privacy practice changes reminiscent of those ushered in by the European Union’s GDPR last year. Although the CCPA is often compared to the GDPR, the two privacy laws are different and compliance with one does not ensure compliance with the other. In undertaking compliance measures, the initial inquiry companies should analyze is the question of whether the CCPA applies to the company.
The CCPA applies to “businesses” that collect the personal information of California residents (referred to as “consumers”). A key distinction between the CCPA and other similar state laws (which generally apply to businesses in a given state) is that the CCPA encompasses a broader scope of applicability in that it applies to businesses “doing business in” California. A company may determine if it is a “business” under the CCPA by analyzing the questions below: