The California Consumer Privacy Act (CCPA) refers to organizations covered as a business. Who is covered by the definition of a company? In short, it applies to for-profit organizations doing business in California that meet one of three thresholds. It also applies to certain organizations affiliated with a covered business. Accordingly, covered companies should carefully review their existing agreements with third-party service providers who are likely to collect or process California consumer information to ensure that they include the required language.
If personal information is collected on behalf of a company (for example, through a third-party service provider), the company may be covered by the CCPA as long as the other criteria are met. While the CCPA is not clear on this point, a company can be considered “doing business in California” if it transacts online with people who reside in California, has employees who work in California, or has other connections to the state, even if it does not have a physical location in the state. That is, personal information about individuals who are not acting as “consumers” in the general sense, but are interacting with a company to carry out certain communications or transactions with the covered company. The term “company” also applies to entities that are controlled by or control a company and that share a common brand with the company.
Nor does it appear that a company must be located in California to be subject to the CCPA. The CCPA definition of business requires that the company, alone or jointly with others, “determine the purposes or means of processing that data.” A recent ESET survey found that more than 44% of the 625 business owners and business executives surveyed had never heard of the CCPA, and only 11.8% knew if the law applied to their businesses. Consumer personal information may be part of business assets transferred to a third party in the course of a merger, acquisition, or bankruptcy when the third party assumes control of all or part of the business.
Companies might think that this is because their “consumers” are other companies and not individuals. While the CCPA does not expressly address this, a company can “do business in California” if it transacts online with people who reside in California, has employees who work in California, or has other connections to the state, even if there is no physical location in the state. While neither the CCPA nor the CPRA provides a definition of “doing business in California,” related legal standards suggest that this is an easy threshold to meet and does not require having operations or employees in California. That may be correct, but if you have business partners subject to the CCPA, you can contract out the CCPA obligations of your business partners.
As long as personal information is collected on behalf of a company (for example, through a third party), the company may be covered by the CCPA, provided that the other requirements are met. Fortunately, most financial services entities doing business in California will not meet any of these requirements. The CCPA establishes that its obligations are a matter of state interest in California and supersede and prevail over all rules, regulations, codes, ordinances and other laws adopted by a city, county, municipality, or local agency with respect to the collection and sale of a consumer's personal information by a company.