CCPA does not contain a specific section that explicitly addresses territorial scope.
There are three requirements in the CCPA relevant to territorial scope: (1) establishment of the ‘controller’, (2) residency of the data subject, and (3) location of the ‘commercial conduct’.
(1) A controller is established if it ‘does business’ in California. Factors that may indicate an entity does business in California include: physical presence (for online it may come down to where the servers are located and where the banking is done), having employees in California, and holding special licenses to conduct business within California.
Parent and subsidiary companies that share common branding with an entity ‘doing business’ in California can be under territorial scope of the CCPA, even if they are not established in California themselves.
(2) A California resident under the CCPA is an individual that (i) is in California for other than a temporary or transitory purpose OR (ii) is domiciled in California.
(3) Collection and sale of personal information is excluded from the scope of the CCPA if the location of the ‘commercial conduct’ takes place wholly outside of California, but this is a narrowly tailored exclusion.
The territorial scope of of the California Consumer Privacy Act (CCPA) is broad but it is not without limits. CCPA does not contain a section that explicitly addresses territorial scope, but there are three separate conditions for personal data processing to be within the territorial scope of CCPA, as follows:
- Establishment test: Being a controller established in California OR having a parent or subsidiary that is an established controller in California that also qualifies ‘directly’ as a ‘business’ and operates under the same brand. (See Cal Civ. Code Sec. 1798.140(c)(1) & (2)).
- Residency of the data subject: Data subject is a resident of California. (See Sec. 1798.140(g)).
- Location of the ‘commercial conduct’: Some aspect of the ‘collection or sell’ must take place in California (See Section 1798.145 (a)(6)).
All three conditions must be met for personal data processing to be within the territorial scope of the CCPA.
Requirement (1): Establishment test
CCPA applies to the processing of personal information by an entity that qualifies as a ‘business’. An entity qualifies as a business ‘directly’ if it is established in California (i.e. does ‘business’ in California; see Cal. Civ. Code Sec. 1798.140(c)(1)). An entity also qualifies as a business ‘indirectly’ when it controls, or is under the control and shares common branding with, an entity that qualifies ‘directly’. (See Sec. Cal. Civ. Code Sec. 1798.140(c)(2)). For entities that qualify ‘indirectly’, ‘doing business’ in California is not a requirement (i.e. the fact that a parent or subsidiary operating under the same brand meets the ‘doing business’ suffices).
Entities that qualify as a business ‘directly’:
A controller is established in California when it ‘does business’ in California. Although a final answer will not be available until guidance from the California Attorney General office, a logical interpretation would be that both entities incorporated in California, and entities required to register in California as ‘foreign entities’ under existing California Corporate and Tax law, ‘do business’ in California (i.e. are ‘established‘) for the purposes of CCPA. For an explanation of what ‘doing business’ means under CCPA go here.
Entities that qualify as business ‘indirectly’:
Non-California-established subsidiary or parent company (‘controls or is under control” in the words of CCPA) controllers that qualify ‘directly’ as a business are within the territorial scope of CCPA if they share common branding with the established controller (see Cal. Civ. Code 1798.140(c)(2)). This means that subsidiaries and parent companies of established controllers are considered ‘established’ under CCPA even if they do not ‘do business’ in California themselves (i.e. even if they are not themselves established in California).
Google, LLC. is a controller, established in California, that meets all of the requirements to qualify ‘directly’ as a ‘business’ under Cal. Civ. Code 1798.140(c)(1). All Google, Inc. subsidiaries operating under the Google brand worldwide meet the ‘establishment test’, regardless of whether they do business in California or not (i.e. regardless of whether the subsidiaries are established in California or not themselves).
Telefonica S.A. (a Spanish multinational broadband and telecommunications provider with operations in Europe, Asia, and North, Central and South America) has a subsidiary in California that operates under the ‘Telefonica brand (Telefonica California), and a subsidiary in Mexico (Telefonica Mexico) which is a sister entity to Telefonica California. Telefonica California meets all of the requirements to qualify as a ‘business’ under Cal. Civ. Code Sec. 1798.140(c)(1). Telefonica S.A. meets the ‘establishment test’ because it is the parent company of Telefonica California and operates under the same brand. Telefonica Mexico, on the other hand, does not since it is not a parent or subsidiary of Telefonica California.
A parent or subsidiary of a ‘business’ under CCPA is an entity that controls or is under the control of the ‘business’. Control under CCPA means: ownership of, or the power to vote, more than 50 percent of the outstanding shares of any class of voting security of a business; control in any manner over the election of a majority if directors or of individuals exercising similar functions; or the power to exercise a controlling influence over the management of a company. “Common branding” under CCPA means a shared name, servicemark, or trademark.
Requirement (2): Residency of the data subject
Under the CCPA, only processing ‘consumers’ data is subject to restrictions, and ‘consumer’ is defined to mean: (see Sec. 1798.140(g))
- a natural person who is a California resident, as defined in Section 17014 of Title 18 of the California Code of Regulations, as that section reads on September 1, 2017
- “however identified, including by any unique identifier”
For a detailed explanation of what a ‘consumer’ is under the CCPA including examples go here.
Requirement (3): Commercial conduct inside of California
Under section 1798.145(a)(6) the obligations imposed on ‘businesses’ by CCPA ‘shall not restrict a business ability to’:
“Collect or sell a consumer’s personal information if every aspect of that commercial conduct takes place wholly outside of California.”
Collection under CCPA is a broad concept defined as: “buying, renting, gathering, obtaining, receiving, or accessing any personal information pertaining to a consumer by any means. This includes receiving information from the consumer, either actively or passively, or by observing the consumer’s behavior.” (See Cal Civ. Code 1798.140 (e)).
Absent guidelines from the California Attorney General, it is not possible to provide an accurate interpretation of the term “sale,” but you can see an article discussing the possible interpretations here.
Despite the uncertainties, it is clear that the ‘location of the activity’ exemption under CCPA should be narrowly construed as 1798.145(a)(6) of the Cal. Civ. Code further states that:
“For purposes of this title, commercial conduct takes place wholly outside of California if the business collected that information while the consumer was outside of California, no part of the sale of the consumer’s personal information occurred in California, and no personal information collected while the consumer was in California is sold. This paragraph shall not permit a business from storing, including on a device, personal information about a consumer when the consumer is in California and then collecting that personal information when the consumer and stored personal information is outside of California.”
The cumulative requirements imposed by Section 1798.145(a)(6), for a collection or sale to take place ‘wholly outside of California’, can be broken down into three blocks:
- Collection by the business of the personal information takes place outside of California. The information was collected while the consumer was outside of California. Data stored on a consumer’s device inside California that is later collected when the consumer is outside of California is not considered a collection outside of California.
- Sale takes place outside of California. The ‘sale’ itself must take place outside of the State of California.
- The business is not selling personal information of California resident collected by third parties while the consumer is in California. A logical interpretation of the reference ‘no personal information collected while the consumer was in California is sold” is that this refers to situations where the information is collected by entities other than the ‘business’ (as any personal information collected directly by the ‘business’ while the ‘consumer’ is in California is clearly not exempted from CCPA under condition (1) above). Assuming the California Attorney General Office takes the above position, where an entity other than the business collects information in the State of California and then provides that information to an entity subject to the obligations laid out by CCPA (that is to say, it provides the information to a ‘business’), any downstream sale of such information is subject to CCPA. This provision would capture situations where a ‘business’ intends to sell information about California residents acquired from entities not established in California (that is to say, entities that do not ‘do business’ in California) or otherwise not subject to CCPA (for example, when the entity collecting the information is a non-for-profit or a governmental agency).
What test should entities apply to identify whether they are “doing business” in California under CCPA?
The ability to determine the residency of a data subject will de-facto depend on the amount of information available to the business. The level of ‘effort’ expected is an open question.
Entities that ‘indirectly’ qualify and ‘business’ may have few or no connections themselves with California (as they are not require to ‘do business’ in California to qualify). These entities may be outside of the personal jurisdiction of California and federal courts. How will the California Attorney General enforce CCPA on such entities in practice?