The California Consumer Privacy Act ("CCPA") was enacted in early 2018 as a political compromise to stave off a poorly drafted and plaintiff-friendly ballot initiative. Although the CCPA is scheduled to go into force in early 2020, there is a great deal of confusion regarding the requirements of the CCPA, including the degree to which it aligns with other privacy regulations such as the European General Data Protection Regulation (“GDPR”).
To help address that confusion, BCLP published the California Consumer Privacy Act Practical Guide, and is publishing a multi-part series that discusses the questions most frequently asked by clients concerning the CCPA.
Q. Does the CCPA have data “controllers” and “processors”?
Yes and no.
Attorneys familiar with the European GDPR are well acquainted with the bifurcation of the world into “controllers” and “processors.” For purposes of European data privacy, a “controller” refers to a company that “determines the purposes and means” of how personal data will be processed.1 A “processor” refers to a company (or a person such as an independent contractor) that “processes personal data on behalf of [a] controller.”2
Instead of using the terms “controller” or “processor,” the CCPA refers to “businesses” and “service providers.”3 Despite the different phraseology, the terms have similar (but not identical) meanings. For example, in order to qualify as a “business” under the CCPA, an entity must “determine the purposes and means of the processing of consumers' personal information,” – phraseology that mirrors the GDPR’s definition of a controller.4 Similarly, in order to qualify as a “service provider” under the CCPA, an entity must, in part, “process information on behalf of a business.”5
In some situations it is relatively straightforward to determine whether a company fits the definition of a business. For example, many companies are “businesses” in relation to their human resources data, as they determine what personal data they collect from their California resident employees and how they will process that data.
In other situations determining whether a company is a “business” can be complex. While the analysis is fact driven and can depend upon a variety of factors, if a company makes any of the following decisions in relation to personal data it is possible that a plaintiff may argue that the company is a “business:”
1. GDPR, Article 4(7).
2. GDPR, Article 4(8).
3. CCPA, Section 1798.140(c), (v).
4. CCPA, Section 1798.140(c). Unlike the GDPR, the CCPA only considers an entity to be a “business” if it also satisfies one of three size / volume thresholds (e.g., revenue in excess of $25 million, transacts data relating to 50,000 data subjects, or derives 50 percent or more of its revenue from selling personal information).
5. CCPA, Section 1798.140(v).