Who Has Rights Under the CCPA?

The California Consumer Privacy Act (CCPA) gives consumers more control over how their personal data is collected and used. It grants consumers several new privacy rights and obliges businesses to provide transparent information about their practices. Much has been written about which businesses must follow the CCPA, but who exactly are the “consumers”?

The CCPA’s definition of a consumer is “a natural person who is a California resident.” The “natural person” part means that other legal entities such as corporations do not have data privacy rights under the CCPA. What does it mean to be a California resident? To answer that, the law refers to the definition used in California tax regulations, which states that a resident is:

  1. Any individual who is in the state for other than a temporary or transitory purpose, and
  2. Any individual who is domiciled in the state who is outside the state for a temporary or transitory purpose

The first category, residency established by physical presence in the state of California, will cover the large majority of cases. Anyone who is actually in the state is presumed to be a resident unless they are only there for a “temporary or transitory purpose.” There is no clear definition for this term, but the regulations provide a few examples: merely passing through the state, visiting on vacation, completing a particular transaction, etc.

The second category is the logical extension of the first category. Just as someone doesn’t become a California resident by temporarily visiting the state, a California resident with a domicile (permanent home) there does not lose that status by temporarily visiting another state.

Verifying California Residency for CCPA Purposes

Early in the CCPA compliance process, businesses must decide if they will distinguish between California residents and everyone else. After all, there is nothing in the law that says only California residents can be afforded these rights. Some large companies, like Microsoft, have voluntarily extended CCPA rights to all residents of the United States. On a smaller scale, companies that do all or most of their business in California may decide it’s not worth maintaining a two-tier system for residents and nonresidents.

Other businesses that do business on a national or global scale may decide that providing a separate consumer experience for California residents is worth the extra work. This strategy has two components: verifying that a consumer who makes a privacy request is a California resident and, optionally, altering parts of the business’s website depending on whether a user is located inside or outside of California.

To verify California residency for a CCPA request, businesses have two options:

  1. Ask the consumer whether they are a California resident – A simple yes or no question is the most efficient way to verify residency. It is possible that some nonresidents will say they are residents, but from a compliance perspective, there is no problem with being over-inclusive.
  2. Request a physical address or other proof of residency – If a business wants to verify the consumer’s California residency more thoroughly, providing a physical address should be sufficient. The business could request other proof, such as a state identification card, but should bear in mind that not all residents will have such identification and that verification should not be overly burdensome for consumers. These businesses should also know that any information collected for verification purposes is new personal information that must be handled according to the CCPA. The best practice would be to delete it immediately.

What businesses cannot do is restrict CCPA rights to people who are physically located in California (e.g., as determined by IP address). The privacy law makes it very clear that consumers retain their rights even if they have temporarily left the state.

As to changing the business’s website based on the location of the user, the only part that is likely to change is the “Do Not Sell My Personal Information” link on the homepage. Businesses that are required to include a “Do Not Sell” link may choose to display or not display the link based on the user’s IP address; i.e., if the user is not in California, they will not see the link.

CCPA Compliance Made Simple

Becoming CCPA compliant can be a complicated and time-consuming task for executives and managers who are already busy with their regular duties. TrueVault Polaris provides automated, step-by-step guidance to take your business all the way to full CCPA compliance, in an experience similar to using personal tax software. You can complete the whole process in as little as a few days without the expense of hiring a law firm or consultant.
