California is a remarkable jurisdiction by any measure. It has the largest economy in the United States, represents the third largest state in the United States in terms of total area at 163,696 square miles, and stands as the fifth largest economy in the world with a gross domestic product at more than $2.7 trillion. And, now, thanks to its recently enacted California Consumer Privacy Act of 2018 (CCPA), it also has the most far-reaching privacy law in the United States.

CCPA is an unfamiliar type of law for the United States due, in large part, to its broad scope. It establishes a new privacy framework for businesses that fall within its jurisdiction by:

  • Creating an expanded definition of “personal information”;
  • Creating new data privacy rights for California consumers, including rights to know, access, delete, and opt out of the “sale” of their personal information;
  • Imposing special rules for the collection and sale of personal information directly from minors; and
  • Creating a new statutory damages framework for violators that fail to implement and maintain reasonable security procedures and practices to prevent data security breaches.

As a result, CCPA has significant implications for almost every commercial enterprise. But it is important to reach a firm understanding of the law's scope, key terms, and exceptions before deciding on a plan of action for implementation.

In an effort to help companies organize how to prepare for CCPA readiness, we prepared a two-part series describing various legal and operational steps for organizations to consider when implementing CCPA's requirements. In this first part, we outline CCPA's scope and potential retroactive provisions. We ask and answer three important questions:

  1. Does CCPA apply to me?
  2. What are the exceptions to CCPA?
  3. When will CCPA go into effect?

Does CCPA Apply to Me?

The first important question to answer is whether CCPA applies to your organization. CCPA only applies to organizations that conduct business in California and satisfy at least one of the following three conditions:

  • Has annual gross revenue in excess of $25 million;
  • Annually buys, receives for the business's commercial purposes, sells, or shares for commercial purposes the personal information of 50,000 or more consumers, households, or devices, alone or in combination; or
  • Derives 50 percent or more of its annual revenue from selling consumers' personal information (each, a covered business).

CCPA also applies to any entity that “controls or is controlled by” any covered business.

CCPA applies to the sale of personal information. “Sale” is a broad term defined as, “the selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating … a consumer's personal information by the business to another business or a third party for monetary or other valuable consideration.” The following circumstances, however, do not constitute sale of personal information:

  • Consumer-directed disclosure or use that was intended by the consumer;
  • Use of personal information for the purposes of identifying a consumer who has opted out under the opt-out provision;
  • Sharing personal information with a service provider that is necessary for the performance of a business purpose, if the business has provided notice to its consumers, the service provider is acting on the business's behalf, and the service provider does not sell the personal information; and finally,
  • The business transfers personal information to a third party as an asset that is part of a merger, acquisition, bankruptcy, or other transaction where the third party “assumes control of all or part of the business,” subject to certain conditions.

What is personal information? CCPA applies to all personal information collected by a covered business from consumers. “Consumers” means any natural person who is a California resident. Personal information is broadly defined to mean “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” CCPA excludes “aggregate consumer information” from the definition of personal information. “Aggregate consumer information” means data that is, “not linked or reasonably linkable to any consumer or household, including via a device.” Also, information that is publicly available from federal, state, or local government records is similarly excluded.


What Are the Exceptions to the Law?

CCPA creates several exceptions. By its terms, CCPA will not restrict a business's ability to:

  • Comply with federal, state, or local laws.
  • Comply with civil, criminal, or regulatory inquiries or investigations.
  • Cooperate with law enforcement agencies.
  • Exercise or defend legal claims.
  • Collect, use, retain, sell or disclose consumer information that is “de-identified” or “aggregate consumer information.” “Aggregate consumer information” means information that relates to a group or category of consumers, from which individual consumer identities have been removed and that is not reasonably linkable to a consumer or device. “Deidentified” means information that, “cannot reasonably identify, relate to, describe, be capable of being associated with, or be linked, directly or indirectly, to a particular consumer.” To fall within this exception, businesses must implement technical safeguards that prohibit re-identification, business processes that specifically prohibit re-identification, business processes to prevent inadvertent release of de-identified information, and finally, they must make no attempt to re-identify the information.
  • Collect or sell consumer information so long as every aspect of the commercial conduct takes place outside of California—meaning that the data was collected while the consumer was outside the state and no part of the sale occurred within the state.

CCPA also does not apply where:

  • Compliance would interfere with or violate evidentiary privileges;
  • The information is medical information governed by the Confidentiality of Medical Information Act or protected health information governed by the Health Insurance Portability and Accountability Act of 1996;
  • The sale of information is to or from a consumer reporting agency that is to be reported in or used to generate a consumer report;
  • The information is collected, processed, sold, or disclosed pursuant to the Gramm-Leach-Bliley Act (Public Law 106–102) or the California Financial Information Privacy Act (Division 1.4 (commencing with Section 4050) of the Financial Code); and finally,
  • The information is collected, processed, sold, or disclosed pursuant to the Driver's Privacy Protection Act of 1994 (18 U.S.C. § 2721 et seq.).

Based on the above, it is important for covered businesses to perform appropriate internal diligence to determine if an exception applies, and to what extent. Doing so will likely help refine the scope and cost of implementation and solidify overall readiness efforts.


When Will CCPA Go Into Effect?

CCPA is set to become effective on Jan. 1, 2019, but “operative” on Jan. 1, 2020, unless it is amended by the state of California, or pre-empted by federal privacy law. CCPA also directs the California Attorney General to adopt regulations on various provisions within CCPA. The Attorney General may not bring an enforcement action under CCPA until six months after adoption of those regulations, or July 1, 2020, whichever is sooner.

In our next article, we will discuss specific steps companies should take to achieve CCPA readiness. There is little doubt that we are in the midst of a regulatory transformation in data use, and in-house counsel must continue to strategically assess the privacy and security risks associated with collecting, using, and sharing personal information, and manage the business expectations in light of the regulatory enforcement trends.

Harry A. Valetk is a member of Baker McKenzie's global privacy and security practice group based in New York, where he focuses on advising clients on global privacy compliance and cyber security practices.

Brian Hengesbaugh is a partner and chair of the firm's global privacy and security practice group based in Chicago. He focuses on global data privacy and data security issues in business transformations, compliance activities, and incident response/regulatory inquiries.
