As if AB 5 wasn’t a big enough shock (the one that’s caused chaos for people who freelance in California under the guise of “protecting them”), now there’s CCPA – California’s new privacy law. There’s a lot of confusion as to who exactly is subject to the law, so here is the actual language of the bill which answers many of the questions you may have (bolded text is me highlighting things)…
“Business” means:
A sole proprietorship, partnership, limited liability company, corporation, association, or other legal entity that is organized or operated for the profit or financial benefit of its shareholders or other owners, that collects consumers’ personal information, or on the behalf of which such information is collected and that alone, or jointly with others, determines the purposes and means of the processing of consumers’ personal information, that does business in the State of California, and that satisfies one or more of the following thresholds:
Has annual gross revenues in excess of twenty-five million dollars ($25,000,000), as adjusted pursuant to paragraph (5) of subdivision (a) of Section 1798.185.
Alone or in combination, annually buys, receives for the business’ commercial purposes, sells, or shares for commercial purposes, alone or in combination, the personal information of 50,000 or more consumers, households, or devices.
Derives 50 percent or more of its annual revenues from selling consumers’ personal information.
Any entity that controls or is controlled by a business, as defined in paragraph (1), and that shares common branding with the business. “Control” or “controlled” means ownership of, or the power to vote, more than 50 percent of the outstanding shares of any class of voting security of a business; control in any manner over the election of a majority of the directors, or of individuals exercising similar functions; or the power to exercise a controlling influence over the management of a company. “Common branding” means a shared name, servicemark, or trademark.
So it hangs on the definition of “receives for the business’ commercial purposes” and “personal information”. But the law answers those questions…
“Collects,” “collected,” or “collection” means buying, renting, gathering, obtaining, receiving, or accessing any personal information pertaining to a consumer by any means. This includes receiving information from the consumer, either actively or passively, or by observing the consumer’s behavior.
But section (B) uses the word “receives”, not “collects”, and “receives” is not defined in the law. So that does create a bit of murkiness.
“Commercial purposes” means to advance a person’s commercial or economic interests, such as by inducing another person to buy, rent, lease, join, subscribe to, provide, or exchange products, goods, property, information, or services, or enabling or effecting, directly or indirectly, a commercial transaction. “Commercial purposes” do not include for the purpose of engaging in speech that state or federal courts have recognized as noncommercial speech, including political speech and journalism.
That said, look at their definition of "consumer"…
“Consumer” means a natural person who is a California resident, as defined in Section 17014 of Title 18 of the California Code of Regulations, as that section read on September 1, 2017, however identified, including by any unique identifier.
If I’m reading that right you need data on 50,000 CALIFORNIA consumers, or devices to qualify under part (B). People/devices of non-California residents don’t count toward that threshold.
And if you’re wondering what counts as "personal information"…
(1) “Personal information” means information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household. Personal information includes, but is not limited to, the following:
Identifiers such as a real name, alias, postal address, unique personal identifier, online identifier Internet Protocol address, email address, account name, social security number, driver’s license number, passport number, or other similar identifiers.
Any categories of personal information described in subdivision (e) of Section 1798.80.
Characteristics of protected classifications under California or federal law.
Commercial information, including records of personal property, products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies.
Biometric information.
Internet or other electronic network activity information, including, but not limited to, browsing history, search history, and information regarding a consumer’s interaction with an Internet Web site, application, or advertisement.
Geolocation data.
Audio, electronic, visual, thermal, olfactory, or similar information.
Professional or employment-related information.
Education information, defined as information that is not publicly available personally identifiable information as defined in the Family Educational Rights and Privacy Act (20 U.S.C. section 1232g, 34 C.F.R. Part 99).
Inferences drawn from any of the information identified in this subdivision to create a profile about a consumer reflecting the consumer’s preferences, characteristics, psychological trends, preferences, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes.
“Personal information” does not include publicly available information. For these purposes, “publicly available” means information that is lawfully made available from federal, state, or local government records, if any conditions associated with such information. “Publicly available” does not mean biometric information collected by a business about a consumer without the consumer’s knowledge. Information is not “publicly available” if that data is used for a purpose that is not compatible with the purpose for which the data is maintained and made available in the government records or for which it is publicly maintained. “Publicly available” does not include consumer information that is deidentified or aggregate consumer information.
Notice that IP address is specifically mentioned. So given that you receive an IP address with every web request, that means that all web sites are receiving personal information. I suppose if they’re just in your Apache log, and you never look at the log, you could say there’s no “commercial purpose” to the log. But the moment you use the information for anything other than free speech, journalism, etc. then you’re subject to the law – if 50,000 Californian residents or devices are involved (over the course of a year).
So go into Google Analytics, go to Audience, then Geo, then Location, then United States, then change the date range to cover the past year. Write down the number of “users” for California, then repeat for each of your web sites. If all the numbers add up to something over 50,000 then you’re subject to the law. (Short version, you’re probably subject to the law).
And BTW, this isn’t a law you want to ignore. The fines are enormous if you’re found to be in violation…