Extraterritorial Application of the California Consumer Privacy Act (CCPA)
The California Consumer Privacy Act (CCPA) protects California residents and applies to organizations that are doing business in California. The International Association of Privacy Professionals estimates that 500,000 organizations based around the United States are going to need to achieve CCPA compliance due in part to its extraterritorial application.
Does the new California privacy law apply to your organization even though you are not located in CA?
The current answer is yes if you are doing business in California. CCPA does not currently require organizations to have a physical presence in California in order to be covered by the state’s new privacy law, which goes into effect in 2020. It merely requires that they are doing business in the state and meet one of the three threshold requirements ($25 million in annual revenue; data collection on 50,000; or 50% of revenue from data sales).
The only limit placed in the law on territoriality (besides the consumer’s residency) is that it does not apply to consumer information if the commercial conduct takes place wholly outside of California. In other words, the information is collected while the consumer is outside of California, no part of the conduct occurred in California, and no personal information is collected while the consumer is in California.
Extraterritoriality is not a new concept in privacy. The European Union (EU) General Data Protection Regulation (GDPR) applies broadly beyond the territory of Europe pursuant to Article 3 of the GDPR. One of the first GDPR fines issued by the United Kingdom Information Commissioner’s Office (ICO) was against a Canadian company. However, the extraterritorial breadth of the law may ultimately create enforcement challenges for regulators, and the extent of enforcement beyond their borders is unclear. Perhaps recognizing this challenge, the European Data Protection Board signaled about a month ago that it would issue guidance on GDPR’s extraterritorial application. Many are currently waiting for the final guidance to be posted online to determine whether they need to alter their approach.
The California Attorney General has been given authority to issue regulations governing the new California privacy law following public consultation. These regulations may ultimately impact how the law is enforced on businesses located outside of California and without a physical presence there. In the interim, if your organization does not have a mature privacy program that could quickly scale up to meet compliance obligations, it is best to begin planning for the law's effects.
Contact Clarip for Help with Your Privacy Program
The Clarip privacy software and team are available to help improve privacy practices at your organization. Click here to contact us (return messages within 24 hours) or call 1-888-252-5653 to schedule a demo or speak to a member of the Clarip team.
If you are working towards GDPR compliance, we can help through our modular GDPR software. Whether you are starting the process with GDPR data mapping automation, need privacy impact assessment software, or are looking to meet ePrivacy requirements with cookie management software, Clarip can help strengthen your privacy program.
If CCPA compliance in 2020 is on your radar, ask us about our California Consumer Privacy Act software. Improve efficiency of responses to data subject access requests with our DSAR software, or provide the right to opt out of the sale of personal information with our consent management platform.