US Data Privacy Law High-Water Mark: Applicability
As the world of data privacy grows, it becomes more complicated. It is no longer sufficient to know the ins and outs of the General Data Protection Regulation (GDPR). Companies now have to comply with the California Consumer Privacy Act (CCPA), and they may have to comply with the Personal Information Protection Law (PIPL) starting in November 2021. In 2023, companies will have to comply with the Virginia Consumer Data Protection Act (VCDPA) and the Colorado Privacy Act (CPA).
This article is the first in a series intended to help people understand the contours of specific parts of the data privacy laws in the United States. In particular, this article is an in-depth look at the applicability provisions of US-based data privacy laws: CCPA* [as amended by CPRA], VCDPA, and CPA. At the end of the article, you should have the necessary information regarding applicability to determine whether any of the US-based privacy laws may apply to your company.
Each of the three laws applies to some type of entity that conducts business in its respective state and meets additional criteria. Under VCDPA, that entity can be a person. Under CPA, that entity is a controller, a defined term meaning “a person that … determines the purposes for and means of processing personal data.” Under CCPA, the entity can be a “sole proprietorship, partnership, limited liability company, corporation, association, or other legal entity that is organized or operated for … profit or financial benefit.”
The CCPA is the least encompassing law, because it specifies that the entity must be for-profit for the law to apply against it. The other two are very encompassing, with the VCDPA being the most encompassing by applying simply to persons. Looking just at the entity types, then, all other things being equal, more entities would have to comply with the VCDPA than with either CPA or CCPA. On this limited metric, the VCDPA has the greatest potential to apply to more entities and is therefore the most protective of privacy. Entity Restriction > VCDPA.
However, there are additional criteria that are used to determine whether each law applies to a given entity. There are three different types of additional criteria: Market Presence, Quantity of Personal Information, and Business Model.
The Market Presence criterion appears only in the CCPA. It provides that as long as the entity had annual gross revenues of $25 million during the preceding calendar year, the entity determines the purposes and means of the processing of consumers’ personal information (“controls”), and the entity is of the type specified above, then the CCPA will apply to that entity. Because the other laws do not specifically include entities that earn a lot of revenue but do not necessarily handle a lot of personal information, this provision of the CCPA wins the high-water mark for regulating such entities. Market Presence > CCPA.
The Quantity of Personal Information criterion regulates entities that interact with a certain amount of personal information annually. Under the CCPA, the interaction is selling or sharing and the amount is 100,000 consumers or households. Under the VCDPA, the interaction is controlling or processing and the amount is 100,000 consumers. Under the CPA, the interaction is controlling or processing and the amount is 100,000 consumers, identical to the VCDPA. Breaking things down, the quantity is 100,000 either way, but the units that the quantity applies to are different. All other things being equal, it is easier to reach the 100,000 under the CCPA, because the CCPA counts consumers and households, and presumably that count is additive rather than separate: the regulated entities cannot be expected to know all of the members of a household so as to exclude them from individual counting and instead count them as a single household. The CCPA is slightly more encompassing than the others in terms of the quantity. Quantity Component of Quantity of Personal Information > CCPA.
The interaction that is counted under the CCPA is limited to the selling or sharing of personal information. Under the VCDPA and the CPA, the interaction is controlling or processing. The term “processing” itself includes selling or sharing, as well as many other interactions with personal information. The VCDPA and the CPA are more encompassing in the interactions that are counted to determine applicability of the laws. Interaction Component of Quantity of Personal Information > VCDPA and CPA. Overall, the greater number of activities that qualify will trump the slightly larger pool about whom the activities can be performed. Overall, Quantity of Personal Information > VCDPA and CPA.
The final criterion used to determine applicability of each law is the Business Model criterion. This criterion allows each respective law to apply to the entity based on the company’s reliance on gaining value from interacting with personal information. The CCPA is the most clear-cut. For it to apply to an entity, the entity must derive 50 percent or more of its annual revenues from selling or sharing consumers’ personal information. Under the VCDPA, the entity needs to derive 50 percent or more of its revenue from the sale of personal information AND control or process the personal information of 25,000 or more consumers. This is less encompassing than CCPA, as CCPA can apply to small-scale data brokers, entities with a business model focused on selling or sharing data who do not interact with a significant amount of personal information (the 25,000 threshold within VCDPA). Under the CPA, an entity need only derive some amount of revenue, or receive a discount on the price of goods or services, from the sale of personal information and process or control the personal information of 25,000 consumers or more. Between the VCDPA and the CPA, the CPA is clearly more encompassing than the VCDPA. They both have the 25,000 component, but in terms of the entity’s focus on earning revenue from personal information, the CPA has no percentage requirement, and it also allows receiving a discount on the price of goods or services to treat an entity as if it is a data broker. Between CPA and CCPA, it is tough to evaluate which one would apply to more entities. CCPA will include small-scale data brokers selling or sharing less than 25,000 consumers’ worth of personal information per year. CPA will include entities with a hybrid business model, where some of their value is generated by selling personal information but the majority of their value is generated from other things. CCPA will apply to entities that share information rather than sell it.
Without really being in the thick of things, and knowing how many small data brokers are out there, how many businesses have hybrid data broker models, and how many businesses are sharing information alongside or instead of selling information, it is tough to determine which law is more encompassing. Business Model > CPA or CCPA.
Overall, there is no clear winner, with no one law being more protective than the other two. VCDPA and CPA will tend to apply to more categories of entities, but CCPA makes sure to catch all of the really big entities. The two newer laws (VCDPA and CPA) are more likely to include small and medium-sized businesses based on the quantity of personal information they interact with, but it is not clear which law between CPA and CCPA will apply to more data brokers.
That’s all for now. In the next review, we’ll compare the applicability exemptions to the laws. Hopefully, you have a better understanding of whether any of the US-based data privacy laws may apply to your organization. If they do, you are in the right place for help. We handle data subject requests, data mapping, data risk intelligence, vendor management, consent management, and much, much more. Visit us at www.clarip.com or call us at 1-888-252-5653 for a demo.