One of the most ubiquitous technologies on the web may become a liability risk for businesses. Learn about Google Analytics, wiretap lawsuits, and how to protect your company.
The California Consumer Privacy Act (CCPA) gives consumers more control over how their personal data is collected and used. It grants consumers several new privacy rights and obliges businesses to provide transparent information about their practices. Much has been written about which businesses must follow the CCPA, but who exactly are the “consumers”?
The CCPA’s definition of a consumer is “a natural person who is a California resident.” The “natural person” part means that other legal entities such as corporations do not have data privacy rights under the CCPA. What does it mean to be a California resident? To answer that, the law refers to the definition used in California tax regulations, which states that a resident is:
The first category, residency established by physical presence in the state of California, will cover the large majority of cases. Anyone who is actually in the state is presumed to be a resident unless they are only there for a “temporary or transitory purpose.” There is no clear definition for this term, but the regulations provide a few examples: merely passing through the state, visiting on vacation, completing a particular transaction, etc.
The second category is the logical extension of the first category. Just as someone doesn’t become a California resident by temporarily visiting the state, a California resident with a domicile (permanent home) there does not lose that status by temporarily visiting another state.
Early in the CCPA compliance process, businesses must decide if they will distinguish between California residents and everyone else. After all, there is nothing in the law that says only California residents can be afforded these rights. Some large companies, like Microsoft, have voluntarily extended CCPA rights to all residents of the United States. On a smaller scale, companies that do all or most of their business in California may decide it’s not worth maintaining a two-tier system for residents and nonresidents.
Other businesses that do business on a national or global scale may decide that providing a separate consumer experience for California residents is worth the extra work. This strategy has two components: verifying that a consumer who makes a privacy request is a California resident and, optionally, altering parts of the business’s website depending on whether a user is located inside or outside of California.
To verify California residency for a CCPA request, businesses have two options:
What businesses cannot do is restrict CCPA rights to people who are physically located in California (e.g., as determined by IP address). The privacy law makes it very clear that consumers retain their rights even if they have temporarily left the state.
As to changing the business’s website based on the location of the user, the only part that is likely to change is the “Do Not Sell or Share My Personal Information” link on the homepage. Businesses that are required to include a “Do Not Sell or Share” link may choose to display or not display the link based on the user’s IP address; i.e., if the user is not in California, they will not see the link.
Disclaimer: This content is provided for general informational purposes only and does not constitute legal or other professional advice. Without limiting the foregoing, the content may not reflect recent developments in the law, may not be complete, and may not be accurate or relevant in an applicable jurisdiction. This content is not a substitute for obtaining legal advice from a qualified licensed attorney in the applicable jurisdiction. The content is general in nature and may not pertain to specific circumstances, so it should not be used to act or refrain from acting based on it without first obtaining advice from professional counsel qualified in the applicable subject matter and jurisdictions.
Get monthly updates on the latest updates on policy & the shifting privacy landscape.
Dive into a world of knowledge, trends, and industry updates on the TrueVault blog.