A Closer Look at the CPRA – Part III: The Scope of the Law
On Election Day, California voters approved the California Privacy Rights Act of 2020 (the “CPRA”) through a ballot measure. The CPRA amends the California Consumer Privacy Act (“CCPA”), which the California legislature passed in 2018, significantly broadening the control that California residents have over their personal information and imposing new obligations on businesses subject to the law.
This is our last of three installments examining the CPRA in more depth. Last month we looked into the new enforcement agency created by the CPRA and previously we examined the individual rights afforded to California residents under the CPRA. This month we will focus on the scope of the CPRA, as the requirements that trigger a company’s need to comply with the law have changed from the CCPA.
As with the CCPA, the provision triggering a company’s obligations to comply with the CPRA is found in the definition of a “business.” The definition of business has been modified to both narrow and expand the requirements that trigger compliance obligations under the privacy law. Following the CCPA’s definitional structure, under the CPRA a “business” is a legal entity that does business in California, operates for financial benefit, collects, or has collected on its behalf, consumers’ personal information, and meets one of the following prongs:
- As of January 1, had a gross revenue of $25 million in the preceding calendar year;
- Alone or in combination annually buys, sells, or shares the personal information of 100,000 or more consumers; or
- Derives 50% or more of its annual revenue from selling or sharing consumers’ personal information.
These prongs differ from the CCPA in two primary ways. First, the second and third prongs expand their scope by including the activity of sharing personal information. This scope now makes explicit that companies that have a focus on exchanging personal information, whether for monetary value or not, are within the scope of the CPRA. This expanded activity scope is offset in the second prong by increasing the number of consumers from 50,000 to 100,000, such that more exchange of personal information is permitted before compliance under that prong is triggered.
Further, the scope of entities that must comply with the CPRA is arguably expanded by clarifying how commonly controlled organizations qualify as a “business” by providing a definition of common branding. Under both the CPRA and the CCPA, the sharing of information from a business to a commonly controlled and commonly branded company brings the latter under the purview of the law. However, the CPRA defines common branding as the use of trademarks or service marks in a manner that the average consumer would believe that the businesses are commonly owned, arguably expanding the reach of common branding.
To round out these definitional changes, the CPRA adds two additional mechanisms for a company to qualify as a “business” under the CPRA. First, a joint venture or partnership that is composed of businesses, where each business has at least a 40% interest in the joint venture, will lead to the joint venture itself being considered a “business” subject to the CPRA. Finally, any entity may self-certify that it complies with the CPRA, agreeing to be bound by the law.
Overall, the definitional changes may appear small, but they are impactful in a business’s assessment of its compliance obligations under the CPRA. We will continue to monitor the CPRA as it proceeds through the rulemaking process and becomes effective.