Are You a “Business” Under the California Privacy Laws? It’s Time to Figure It Out.
Published February 9, 2022
The passage of Prop 24 (also known as the California Privacy Rights Act or CPRA) in November 2020 amends the California Consumer Privacy Act (CCPA). Most of the CPRA provisions come into effect on January 1, 2023 but the CPRA also includes a 12 month look-back period so consumers will be able to request access to data collected by a business since January 1, 2022. For this reason, businesses should closely look at whether they trigger compliance with the CPRA and then position themselves to be able to comply with its requirements and respond to consumer requests starting in January 2023 if needed. Additionally, privacy notices provided to consumers and employees will need to be updated to match the CPRA requirements.
Currently, the CCPA applies to for-profit companies that meet any one of the following: (1) annual gross revenue that exceeds $25 million; or (2) annually buys, receives, shares, or sells the personal information of more than 50,000 consumers, households or devices for commercial purposes; or (3) derives 50% or more of its annual revenues from selling consumers’ personal information.
The definition of “business” will change slightly under the CPRA. The annual gross revenue threshold ($25 million) is clarified to mean the revenue of the preceding calendar year. The number of consumers will increase from 50,000 to 100,000 per year. And, the last threshold is expanded to cover entities that derive 50% or more of their annual revenue from the sale or sharing of consumer data.
Nonprofit organizations are still not directly subject to the CCPA unless they share common branding with an entity that meets the definition of a “business.” This point is further clarified in the CPRA – if the business shares consumer personal information with the commonly branded entity, then the commonly branded entity is considered a business and subject to the CPRA.
The CPRA also created a new state agency, the California Privacy Protection Agency (CPPA), which will be the enforcement and regulatory agency over the CCPA and CPRA. It is expected that the agency will promulgate additional regulations for the CPRA in the lead-up to January 2023. This just means that California’s privacy framework is going to continue to change, at least for the foreseeable future.