Who gets rights under CCPA?
Who gets consumer rights under the California Consumer Privacy Act (CCPA) depends on the answers to three questions:
How is a California resident (i.e. consumer) defined?
How broadly will a business honor CCPA rights?
What is the relationship between a consumer and the business?
How is a California resident defined?
The California Consumer Privacy Act (CCPA) grants certain rights to California residents. But what is a California resident? CCPA borrows its definition from California's tax regulations rather than defining the term itself.
We think this blog post by Six Fifty provides a nuanced and thorough perspective on this and recommend you take a read-through.
The nutshell version is that a California resident is generally someone:
Who resides in California indefinitely or permanently
Who pays (or should pay) income tax in California
Who is domiciled in California despite residing elsewhere temporarily
While we've defined what a California resident is, the definition may not matter to some companies, because of our next question.
How broadly will a business honor CCPA rights?
In reviewing the privacy policies of hundreds of companies, we've learned that many companies have a section specific to California residents. However, a significant portion of companies have taken a broader approach, and simply provided all US (or even global) residents with these rights as well. One prominent practitioner of this approach is Microsoft.
Providing rights to all consumers, regardless of residency, is a way to show your customers that you value their privacy. It is also the simplest approach: it streamlines the request process, removes the need to verify California residence, and means fewer changes when other states come online with privacy legislation that may grant similar rights, depending on the state.
While a company may choose to grant most CCPA rights to all consumers, it is worth noting that the private right of action is governed by the California Civil Code (and under CCPA is limited to certain data breaches, per section 1798.150), so the ability to sue may or may not hold up in courts in other states or countries.
Beyond questions around where a consumer lives and how broadly a company grants CCPA rights, there is a final and critical piece to determining who can exercise rights.
What is the relationship between a consumer and a business?
Each business has a variety of data subjects. We are borrowing this useful term from GDPR. A data subject is a person whose personal information is being collected directly or indirectly by the business.
One category of data subject all businesses have is one we'll call 'Employees' for shorthand, but it is actually much broader. Beyond full-time and part-time employees, this category includes job applicants, owners, directors, officers, medical staff members, and contractors. Under AB-25, personal information collected in the context of these roles is exempt from most CCPA rights, including the right to know and the right to deletion, until January 1, 2021. Two obligations still apply to this category: the business must still provide notice at or before the point of collection, and the data-breach private right of action still applies.
AB-1355 creates a similar exemption for business-to-business (B2B) personal information. Until January 1, 2021, personal information reflecting communications or transactions with a person acting on behalf of another business, in the course of the business performing due diligence on that other business or providing or receiving a product or service to or from it, is exempt from the right to know and the right to deletion. The right to opt out of the sale of personal information and the data-breach private right of action still apply. While this covers most B2B communication and interaction, the exemption is narrower than it first appears: if a business holds the personal information of a contact whose company has never been a customer and with which no due diligence has ever been performed (a cold prospect, for example), that business must still honor that person's CCPA rights.
A final category of personal information worth mentioning is a mouthful, so we'll make up a fancy acronym that rolls off the tongue: PIB
Personal Information shared for a Business purpose.
Here are some examples of this information:
Company A sells refurbished mobile phones online. Company A uses Google Mail (Gmail) as its email provider. Customer information for Company A that ends up in Gmail is PIB.
Company B provides babysitting and housekeeping services. Company B uses HubSpot for customer relationship management. Prospect and customer information that ends up in HubSpot is PIB.
Company C designs and constructs home remodels. Company C uses Dropbox to store customer contracts. Customer information that ends up in Dropbox is PIB.
In these examples, Companies A, B, and C are able to access and delete the information directly in the third-party tool. Sometimes, a company will instead need to work with the third party or service provider to fulfill consumer access or deletion requests; CCPA requires a business that honors a deletion request to direct its service providers to delete the consumer's personal information as well.
Depending on your business model, even if your company does not need to comply with CCPA directly, you might receive PIB from your customers and need to help them fulfill access and deletion requests.
There are many categories of data subjects beyond employees, B2B customers (and prospects on which diligence has been performed), and PIB consumers. Other common categories include B2C (business-to-consumer) customers, B2C prospects, website visitors, and in-store customers for businesses with a brick-and-mortar presence.
When creating your data map, you'll want to distinguish among the various types of data subjects, record which exemption (if any) applies to each and when it sunsets, and read CCPA carefully to understand who has what rights.
Need help figuring this all out?