The Implications of the California Privacy Rights Act to Non-Californian Companies Part 1
In November 2020 the citizens of California overwhelmingly approved Proposition 24, known as the California Privacy Rights Act (“CPRA”), which will come into force on January 1, 2023. The CPRA is an amendment of the California Consumer Privacy Act (“CCPA”) which came into effect on January 1, 2020. The CPRA amendment enhances protections to California residents and establishes additional burdens upon companies which do enough business in California. The full text of the CCPA can be found here.
Non-Californian companies may not see the need to address the requirements of the CCPA as their businesses are concentrated elsewhere in the United States. However, the CCPA has created a low bar which would force companies to comply with the law as shown below:
- A sole proprietorship, partnership, limited liability company, corporation, association, or other legal entity that is organized or operated for the profit or financial benefit of its shareholders or other owners that collects consumers’ personal information or on the behalf of which that information is collected and that alone, or jointly with others, determines the purposes and means of the processing of consumers’ personal information that does business in the State of California, and that satisfies one or more of the following thresholds:
- Has annual gross revenues in excess of twenty-five million dollars ($25,000,000), as adjusted pursuant to paragraph (5) of subdivision (a) of Section 1798.185.
- Alone or in combination, annually buys, receives for the business’s commercial purposes, sells, or shares for commercial purposes, alone or in combination, the personal information of 50,000 or more consumers, households, or devices.
- Derives 50 percent or more of its annual revenues from selling consumers’ personal information.
California officials view the $25M revenue requirement globally, not just in California. Thus, if a company has $24.5M in sales elsewhere in the United States and only $500K in California the company is still required to abide by the CCPA.
Further, the CCPA has defined “collect” or “sell” broadly. It is likely that most companies with national sales and a website will likely hit the 50,000 California consumer threshold.
Given the low threshold established by the State of California most companies will eventually have to abide by the terms of the CCPA. In upcoming blogs, we will discuss the various issues companies will have to address when dealing with compliance of the CCPA.
Let Us Help
If you are a business owner who needs assistance ensuring that your business complies with the CCPA or other data privacy regulations we welcome the opportunity to help. Please contact one of our data protection attorneys Colin O’Brien at firstname.lastname@example.org, John Ambrogi at email@example.com Brian LeVay firstname.lastname@example.org or Avery Buffa email@example.com if you have any questions or comments.