USA - California: Doing Business in Jurisdiction

Applicability of Data Protection Law in California to Organizations Doing Business in the Jurisdiction

The factor of "doing business in the jurisdiction" is critical for determining the scope of applicability of the California Consumer Privacy Act (CCPA). This factor ensures that organizations with a commercial presence in California are subject to the state's data protection regulations, regardless of where the data processing occurs.

Text of Relevant Provisions

CCPA Sec.1798.140 (d)(1):

"(d) Business means:(1) A sole proprietorship, partnership, limited liability company, corporation, association, or other legal entity that is organized or operated for the profit or financial benefit of its shareholders or other owners, that collects consumers’ personal information, or on the behalf of which such information is collected and that alone, or jointly with others, determines the purposes and means of the processing of consumers’ personal information, that does business in the State of California, and that satisfies one or more of the following thresholds:(A) As of January 1 of the calendar year, had annual gross revenues in excess of twenty-five million dollars ($25,000,000) in the preceding calendar year, as adjusted pursuant to paragraph (5) of subdivision (a) of Section 1798.185.(B) Alone or in combination, annually buys, sells, or shares the personal information of 100,000 or more consumers or households.(C) Derives 50 percent or more of its annual revenues from selling or sharing consumers’ personal information."

Analysis of Provisions

The CCPA clearly defines "business" to include entities that "do business in the State of California" and meet certain thresholds. The relevant section, Sec.1798.140(d)(1), outlines the conditions under which businesses are subject to the Act:

Commercial Presence: The definition includes any legal entity that operates for profit and is engaged in collecting or processing consumers' personal information. This ensures that the law applies to both local and out-of-state entities that have significant business activities in California.
Thresholds for Applicability:
- Revenue Threshold: Businesses with annual gross revenues exceeding $25 million.
- Data Processing Volume: Businesses that buy, sell, or share the personal information of 100,000 or more consumers or households annually.
- Revenue from Data: Businesses that derive 50% or more of their annual revenue from selling or sharing personal information.

These thresholds ensure that the CCPA focuses on entities with substantial operations and significant impacts on consumer privacy, thereby excluding small businesses and targeting those with a larger footprint in the state's economy.

The rationale for including this factor in the law is to ensure comprehensive data protection for consumers in California. By extending the applicability to businesses operating within the state, lawmakers aim to protect the personal information of residents from both local and out-of-state entities that benefit from the California market.

Implications

For Businesses and Data Processors:

Extended Compliance: Businesses operating in California must comply with the CCPA if they meet any of the specified thresholds. This includes implementing data protection measures and providing transparency to consumers about data collection and processing practices.
Regulatory Oversight: The California Privacy Protection Agency (CPPA) has the authority to enforce compliance with the CCPA, ensuring that businesses adhere to data protection standards.
Case Examples:
- A tech company based outside California but with significant sales and data collection activities in the state must comply with the CCPA.
- An e-commerce platform targeting California consumers and processing their data must adhere to the CCPA, even if its main operations are outside the state.
Compliance Challenges: Businesses must navigate the complexities of CCPA compliance, including updating privacy policies, implementing opt-out mechanisms for data selling, and ensuring data security measures are in place.

By defining "business" to include entities that do business in California, the CCPA ensures that consumer privacy protections are robust and comprehensive, covering a wide range of commercial activities that impact California residents.

Jurisdiction Overview

USA - California

🗞️ Exception for Publicly Available Information, including Public Records 🔗 Processing in Context of Local Establishment 👮🏼 National Security and Law Enforcement Exemption 🎯 Exemption for Specific Purposes of Processing 📍 Processing by Local Establishment 🛂 Applicability to Citizens and Residents' Data 💼 Processing by Entity Registered or Incorporated in Jurisdiction 🛍️ Offering Goods and Services to Data Subjects in Jurisdiction 🏡 Personal and Domestic Use Exemption Sale of Personal Data Criterion 💵 Revenue-Based Applicability ⚖️ Sectoral Exceptions Regulated by Other Laws 🛃 Exception for Data Processing Outside Jurisdiction 🧮 Number of Data Subjects 🧓🏿 Long-Term Residency Threshold 👇🏿 Statutory Requirement Processing Exception 💼 Doing Business in Jurisdiction