Doing Business in California? The California Privacy Rights Act is Coming…
If your company is based outside of California and does limited business in California, you may have written off California’s latest data privacy law as only applying to major companies, such as Amazon and Meta. But, if your business collects personal data on California residents, whether as consumers, employees, or business contacts, and does business in California, the California Privacy Rights Act (CPRA) may apply. While there is still ample time to prepare for compliance, the California Attorney General’s recent $1.2m penalty against Sephora[1] means data privacy obligations should be taken seriously.
What is the California Privacy Rights Act?
The CPRA was passed in 2020 and expanded and built on the consumer privacy regulations established under the California Consumer Privacy Act (CCPA). In general, the CPRA allows individuals in California to have more control over how businesses handle their personal data. The CPRA provides several rights for California residents, such as the right to know, correct, and delete their personal data. The law goes into effect on January 1, 2023.
What data does the CPRA apply to?
Many companies mistakenly think data privacy laws are only a concern if they transact in consumer data (e.g., retail or social media), but the CPRA represents a sea change in the United States. Prior to the CPRA’s enactment, the CCPA generally exempted employment-related information and business-to-business information from its requirements. Those exceptions, however, will expire as of January 1, 2023, and the CPRA will apply to those categories of information as well.
For employers, this means the CPRA now applies to data on individuals in their capacity as applicants, employees, independent contractors, or holders of other work-related roles.
For businesses, this means the CPRA covers personal data collected in a business-to-business context, such as personal contacts at prospective or current clients, vendors, and others.
Does the CPRA apply to your company?
The CPRA generally regulates businesses that collect personal information of California residents. “Business” is defined as an entity organized or operated for profit that:
- collects consumers’ personal information (for itself or others);
- determines the means and purposes of processing such information;
- “does business in California”; and
- satisfies one of the following:
  - has gross revenues in excess of $25 million;
  - buys, sells, receives, or shares for commercial purposes the personal information of 50,000 or more consumers, households, or devices; or
  - derives 50% or more of its revenue from selling consumers’ personal information.
If your company has gross revenue in excess of $25 million and “does business in California,” the CPRA will apply, even if your company does not deal with more than 50,000 California residents or their devices and is not in the business of selling California consumers’ personal information.
Is your company “do[ing] business in California”?
So, what does it mean to be “do[ing] business in California” under the CPRA? Although this is the key issue for most companies based outside of California, the CPRA does not define who “does business in California.” The proposed regulations interpreting the CPRA shed no light on the definition either. In response to a request for clarity during the rulemaking process, the California Attorney General stated only that the term “should be given meaning according to the plain language of the words and other California law.”
The California tax laws provide some general guidance. The California Franchise Tax Board generally considers you to be “doing business” in California if your sales, property, or payroll in California exceeds certain amounts.[2] The definition also includes “actively engaging in any transaction for the purpose of financial or pecuniary gain or profit” in California.
Based on this opaque and arguably broad definition, a company that only has a few remote employees (or maybe independent contractors) who work from California may very well meet the definition. Or, a company that engages in only a few business transactions in California but has over $25 million in revenue outside the state may also meet the CPRA’s definition of “does business” in California.
If the law applies, what are the CPRA’s requirements?
In general, the CPRA provides California residents with certain data rights: the right to know, correct, and delete information held by a business or its service provider. Individuals will be able to opt out of the sale or sharing of their information and will be able to restrict a company’s use of sensitive personal information. Like other data privacy laws, the CPRA will also require companies to update service agreements with vendors that handle covered data because the CPRA requires certain contractual terms. The CPRA contains more specifics on these provisions, and CPRA rulemaking is currently under way to finalize obligations.
The CPRA will take effect on January 1, 2023, but enforcement will not begin until July 2023. For now, companies can start taking a few practical steps to prepare:
- conduct a privacy audit or map relevant data, including identifying vendors who handle such data;
- work on policies to govern administrative processes concerning data rights and how to respond to requests; and
- consider training for individuals who will be responsible for data privacy compliance.
KRCL’s attorneys are ready to assist with any questions your company has about the CPRA or other data privacy issues.
[1] https://oag.ca.gov/news/press-releases/attorney-general-bonta-announces-settlement-sephora-part-ongoing-enforcement
[2] https://leginfo.legislature.ca.gov/faces/codes_displaySection.xhtml?sectionNum=23101&lawCode=RTC