When California voters approved Proposition 24, the California Privacy Rights Act (CPRA), on November 3, 2020, the result was to substantially amend the California Consumer Privacy Act (CCPA) which became effective only 10 months earlier. We outlined the basic rules for determining when the CCPA applies, and summarize here the changes made by the CPRA.
Some of the requirements for the CCPA to apply remain the same, namely that a “business” (i) do business in the State of California, (ii) collect personal information (or on behalf of which such information is collected), and (iii) alone or jointly with others determines the purposes or means of processing of that data. However, a “business” under the CCPA also must satisfy at least one of three additional requirements which were modified by the CPRA as follows:
CCPA as amended by CPRA
The business has annual gross revenue in excess of $25 million.
|The annual revenue requirement is satisfied if, as of January 1 of a calendar year, the business had annual gross revenues in the preceding calendar year in excess of $25 million.
The business “alone or in combination, annually buys, receives for the business’s commercial purposes, sells, or shares for commercial purposes, alone or in combination, the personal information of 50,000 or more consumers, households, or devices”
The business “alone or in combination, annually buys, sells, or shares the personal information of 100,000 or more consumers or households”
The business derives 50 percent or more of its annual revenues from selling consumers’ personal information.
The business derives 50 percent or more of its annual revenues from selling or sharing consumers’ personal information.
In addition to businesses that meet the requirements referenced above, the CCPA also applies to any entity that controls or is controlled by such a business and shares common branding with that business. However, the CPRA clarified when these rules apply. First, it is not enough to share common branding, the business also must share personal information with the entity controlling or under the control of the business. Second, under the CPRA, sharing “common branding” does not mean simply a shared name, servicemark, or trademark, but when doing so would cause the average consumer to understand that the entities are commonly owned.
The CPRA also adds a third category that would be a “business” for purposes of these rules:
A joint venture or partnership composed of businesses in which each business has at least a 40 percent interest.
In this case, the joint venture or partnership itself, and each business that composes the joint venture or partnership will be considered a single business. Notably, personal information in the possession of each business and disclosed to the joint venture or partnership may not be shared with the other business.
Persons to whom a business makes personal information available or who process or receive personal information from or on behalf of a business. The CPRA made substantial changes to the rules that apply to persons that work with covered businesses to receive and process personal information. For instance, the CPRA added a new category, “contractor,” which is a person to whom the business makes available a consumer’s personal information for a business purpose. A discussion of these rules is beyond the scope of this post, but businesses will need to better understand the relationships they have with unrelated “persons” that receive and/or process personal information from or on behalf of the business. This includes making sure such activity is pursuant to a written contract that satisfies certain requirements.
Businesses (and their service providers and contractors) should be reviewing the changes made by the CPRA to determine whether the CCPA, as modified, applies to them. Each of these entities could face administrative fines of not more than $2,500 for each violation, and not more than $7,500 for each intentional violation or violations involving the personal information of consumers whom the business, service provider, contractor, or other person has actual knowledge are under 16 years of age.