The California Consumer Privacy Act (CCPA) gives consumers more control over how their personal data is collected and used. It grants consumers several new privacy rights and obliges businesses to provide transparent information about their practices. Much has been written about which businesses must follow the CCPA, but who exactly are the “consumers”?
The CCPA’s definition of a consumer is “a natural person who is a California resident.” The “natural person” part means that other legal entities such as corporations do not have data privacy rights under the CCPA. What does it mean to be a California resident? To answer that, the law refers to the definition used in California tax regulations, which states that a resident is:
The first category, residency established by physical presence in the state of California, will cover the large majority of cases. Anyone who is actually in the state is presumed to be a resident unless they are only there for a “temporary or transitory purpose.” There is no clear definition for this term, but the regulations provide a few examples: merely passing through the state, visiting on vacation, completing a particular transaction, etc.
The second category is the logical extension of the first category. Just as someone doesn’t become a California resident by temporarily visiting the state, a California resident with a domicile (permanent home) there does not lose that status by temporarily visiting another state.
Early in the CCPA compliance process, businesses must decide if they will distinguish between California residents and everyone else. After all, there is nothing in the law that says only California residents can be afforded these rights. Some large companies, like Microsoft, have voluntarily extended CCPA rights to all residents of the United States. On a smaller scale, companies that do all or most of their business in California may decide it’s not worth maintaining a two-tier system for residents and nonresidents.
Other businesses that do business on a national or global scale may decide that providing a separate consumer experience for California residents is worth the extra work. This strategy has two components: verifying that a consumer who makes a privacy request is a California resident and, optionally, altering parts of the business’s website depending on whether a user is located inside or outside of California.
To verify California residency for a CCPA request, businesses have two options:
What businesses cannot do is restrict CCPA rights to people who are physically located in California (e.g., as determined by IP address). The privacy law makes it very clear that consumers retain their rights even if they have temporarily left the state.
As to changing the business’s website based on the location of the user, the only part that is likely to change is the “Do Not Sell My Personal Information” link on the homepage. Businesses that are required to include a “Do Not Sell” link may choose to display or hide it based on the user’s IP address; i.e., if the user is not in California, they will not see the link.
Becoming CCPA compliant can be a complicated and time-consuming task for executives and managers who are already busy with their regular duties. TrueVault Polaris provides automated, step-by-step guidance to take your business all the way to full CCPA compliance, in an experience similar to using personal tax software. You can complete the whole process in as little as a few days without the expense of hiring a law firm or consultant.
Disclaimer: This content is provided for general informational purposes only and does not constitute legal advice. This content is not a substitute for obtaining legal advice from a licensed attorney. The information on this page may be changed without notice and is not guaranteed to be complete, correct or up-to-date, and may not reflect the most current legal developments.