Much has been said about the scope of the California Consumer Privacy Act (CCPA) and the far-reaching implications the law will have on businesses throughout the United States. Although it is true that the territorial reach of the law is broad, it is not without limits. The CCPA explicitly includes a geographic exception that may be important in determining the applicability of the law to personal information processed by businesses that do not have a physical presence (including employees) in California.
CCPA Section 1798.145(a)(6) states that the obligations imposed by the law “shall not restrict a business’s ability to … [c]ollect or sell a consumer’s personal information if every aspect of that commercial conduct takes place wholly outside of California.” The statute provides that commercial conduct will be considered “wholly outside of California” where:
- The business collects information while the consumer is outside of California;
- No part of the sale of the consumer’s “personal information” occurs in California; and
- No “personal information” collected while the consumer is in California is sold.
The exception includes a provision to prevent a potential “traveling Californian” loophole: Businesses may not store personal information about a California resident while the consumer is in California (such as on their mobile device), and then later “collect” that personal information when the consumer and stored personal information are outside of California.
From a practical perspective, it is unclear how helpful this exception will be for businesses that do not have a physical presence in California. Under Section 1798.140(e), the term “collection” is defined as “buying, renting, gathering, obtaining, receiving, or accessing any personal information pertaining to a consumer by any means. This includes receiving information from the consumer, either actively or passively, or by observing the consumer’s behavior.”
Essentially, any “business” that has a website or other digital property that is visited by California residents likely will fall under the purview of the CCPA, at least with respect to those individuals. For example, because an IP address is considered “personal information,” cookies and other tracking technologies can be said to be passively collecting personal information from website users even if the user does not actively submit any other personal details.
A hypothetical scenario where the exception likely would apply might concern, say, a Michigan company that takes an online order from a Florida resident and then has goods produced in Michigan sent from an Ohio facility to the Floridian shopper. If the Michigan company also has California customers ordering from its website, then personal information about those individuals would be subject to the CCPA. The Florida resident’s information would not. If the Michigan company then wishes to sell its database of customer personal information to a data broker in South Carolina (bearing in mind the sweeping definition of “sell” under the CCPA, which includes “disclosing,” “disseminating” and “making available”), it may be able to do so outside the scope of the CCPA’s restrictions, provided any personal information collected from California residents in California is not included in the sale. For some companies, the logistical challenges associated with this type of segregation may prove daunting.
In an offline setting, this exception may be more useful – to a point. To revisit the scenario above, if a California resident visited the Michigan company’s retail location in Ann Arbor and gave her email address to a clerk at the register, then the sale of her personal information to the South Carolina broker would not be covered by the CCPA. This would be true even if the individual visited the store’s website from her hotel, and personal information obtained by the company while she was online in Michigan was included in the sale. This is assuming, of course, that the Michigan-harvested personal information to be sold is not combined with any personal information the company may have obtained about the consumer while she was back home in San Francisco, using the website to view the items she wanted to purchase ahead of her trip east.
The complexity of analyzing this relatively straightforward scenario highlights the challenges faced by companies working to implement CCPA compliance programs. And, of course, there are a number of other CCPA exceptions that may apply to the collection and sale of a California resident’s personal information under different circumstances. Each must be evaluated with respect to the particular activity at issue and with due regard to the interplay with other CCPA restrictions and the CCPA’s definitions. As a result, the CCPA may serve as a default baseline for companies seeking the lawful path of least resistance – as has been the case with many California laws that have come before it.