Under the newly enacted California Consumer Privacy Act (“CCPA”), businesses are only required to comply with the CCPA if they, among other potential qualifiers, annually receive, for commercial purposes, the “personal information of 50,000 or more [California] consumers, households, or devices.” Most businesses, assuming that “Personal Information” only encompasses the standard name, email address, and other such information, may be quick to dismiss this threshold as being inapplicable to them. These businesses may consider thinking again or risk potentially not complying with the CCPA requirements.
The CCPA defines “Personal Information” very broadly to include (but is not limited to):
When considering that “Personal Information” can include not only information collected from California consumers – such as name, email address, etc. – but can also potentially encompass information collected from California households and devices (defined as “any physical object that is capable of connecting to the internet, directly or indirectly, or to another device”), such as IP addresses and browsing history. This could quickly become a slippery slope of Personal Information collected in a year and take businesses over the 50,000 marker. As one article explains: “In the case of the threshold for collecting personal data of at least 50,000 consumers each year, many businesses may not realize how easily this number could be reached. One reason is these businesses are not yet familiar with how broadly ‘personal information’ is defined.”
The Personal Information from 50,000 California consumers, households, or devices must be used for “commercial purposes” to have the CCPA apply. This includes such uses that entice a person to buy, rent, lease, join, subscribe to, provide or exchange products, goods, property, information or services, or enabling or effecting, directly or indirectly, a commercial transaction. So, think any sort of newsletter or targeted advertisement that may use Personal Information collected from users to entice them to make a purchase from your business.
The California Attorney General (“AG”) is tasked with developing and enacting regulations under the CCPA. As of right now, the most recently modified regulations were posted on February 10, 2020 with the 15-day comment period ending on February 25th. While these regulations provide some additional context into the CCPA – including clarifying that IP addresses to not count as “Personal Data” if it does not link to any particular consumer or household and could not reasonably link the IP address with a particular consumer or household – they are not yet finalized. Notably, the California AG cannot take enforcement measures until July 1, 2020.
Overall, a lot of questions still remain unanswered as to the CCPA’s applicability, especially as it relates to what constitutes “Personal Information” and how this is determined when collecting Personal Information from California consumers, households, or devices.