The Truth About the California Consumer Privacy Act

Debunking Three Common Misconceptions

The highly-anticipated California Consumer Privacy Act (CCPA) took effect on Jan. 1, 2020, and many businesses are scrambling to understand the applicability of the CCPA’s expansive obligations. The CCPA provides California consumers with the following rights:

• The right to know and access the categories and specific pieces of personal information that a business collects, uses and discloses about a consumer.
• The right to delete the personal information a business collects and maintains about a consumer.
• The right to opt out of the sale of personal information to a third party (or for minors under the age of 16, the right to opt in to such sale).
• The right to nondiscrimination when exercising rights under the CCPA.

Despite the 18-month period between the law’s passage and its effective date, there are a number of misconceptions about the CCPA’s applicability and various exemptions that can reduce compliance obligations.

Common Misconception #1:

The term “consumers” does not include individuals involved in commercial transactions.

The CCPA provides rights to a “consumer.” At first glance, some businesses may assume this term limits application of the CCPA to individuals who obtain goods or services for personal, family or household use. However, the definition of “consumer” is broad and includes more than just information collected in connection with those types of products.

A “consumer” under the CCPA is a natural person who is a “California resident,” as defin
ed elsewhere under California law. That means a natural person involved in business or commercial transactions is a “consumer” under the CCPA. While other exemptions may apply in these transactions (some of which are discussed further below), this may not always be the case. Therefore, when businesses evaluate the applicability of the CCPA, it is important to keep in mind that the CCPA applies to all natural persons who are residents in California, not just those involved in consumer transactions.

Common Misconception #2:

Financial institutions subject to the Gramm-Leach-Bliley Act (GLBA) are exempt from the CCPA.

The GLBA exemption to the CCPA has been a source of confusion for many financial institutions because the exemption is based not on the entity involved in the transaction, but on the information involved—specifically, to “personal information collected, processed, sold, or disclosed pursuant to the federal [GLBA], and implementing regulations, or the California Financial Information Privacy Act…” Therefore, a financial institution subject to the GLBA still must comply with the CCPA for any information that is not collected, processed, sold or disclosed pursuant to the GLBA.¹

The exemption applies only to information that GLBA defines as nonpublic personal information (NPI), including personally identifiable financial information (1) provided by a consumer to a financial institution to obtain a financial product or service; (2) about a consumer resulting from any transaction involving a financial product or service between the financial institution and consumer; and (3) that the financial institution otherwise obtained about a consumer in connection with providing a financial product or service to that consumer.

However, the GLBA’s definition of NPI is tied to the definition of “consumer,” which is narrower than the CCPA’s definition. Specifically, “consumer” under the GLBA means an “individual who obtains or has obtained a financial product or service from [a financial institution] that is to be used primarily for personal, family, or household purposes….” Therefore, if the financial product or service will be used for purposes other than personal, family or household, the personal information collected in connection with the transaction would not be considered NPI for purposes of the GLBA exemption—meaning that the personal information may be subject to the CCPA.


Even if the personal information is NPI, the NPI must be “collected, processed, sold or disclosed pursuant to” the GLBA. This exemption is open to a wide array of interpretations, and it is still unclear as to how California will interpret the exemption.

To determine whether the GLBA exemption applies, businesses should review the personal information they collect, use and share and assess which information is collected, processed, sold or disclosed pursuant to the GLBA—and then evaluate the purposes for which the personal information was collected, used or shared. That analysis will help a business establish whether: (1) the NPI is collected, processed, sold or disclosed pursuant to the GLBA, and (2) whether such collection, processing, sale or disclosure of NPI aligns with the business’s GLBA practices and privacy notice.

Common Misconception #3:

The business-to-business exemption applies to all personal information collected in commercial transactions.

Another exemption in the CCPA that has been generating a lot of interest is the “business-to-business exemption” (also known as the “B2B exemption”), which was added to the CCPA through an amendment last fall and has a sunset date of Jan. 1, 2021.

Under this exemption, certain CCPA obligations imposed on businesses (e.g., the right to access, right to delete and certain notice requirements) do not apply to “personal information reflecting a written or verbal communication or a transaction between the business and the consumer, where the consumer . . . is acting as an employee, owner, director, officer or contractor of a company, partnership, [etc.,] and whose communications or transaction with the business occur solely within the context of the business conducting due diligence regarding or providing or receiving a product or service to or from[,] such [entities].”

At first glance, it would appear that the B2B exemption applies to all commercial transactions. However, the exemption is narrowly worded and appears to cover only personal information the business collects from the natural person who is (1) acting as an employee, director, etc., on behalf of an entity and (2) communicating with the business or transacting with the business in the context of due diligence reviews or providing or receiving a product or service. The B2B exemption does not appear to contemplate that a business may receive personal information from persons other than the natural person it is communicating with on behalf of another entity.

In addition, there has been some debate as to whether the B2B exemption applies to personal information received from individuals providing personal guarantees—e.g., in the sole proprietor context, third-party guarantees, etc. California courts have found that a person making a personal guarantee generally makes the guarantee in his or her individual capacity, rather than as an employee, owner, director, officer or contractor of a company—even if the individual is, in fact, an employee, owner, director, etc., of the company applying for the loan. See, e.g., Sebastian Int’l, Inc. v. Peck, 195 Cal. App. 3d 803, 808 (Ct. App. 1987). Therefore, personal information obtained in connection with a personal guarantee likely will be considered personal information subject to the CCPA.

Conclusion

Although California cannot bring an enforcement action until July 1, 2020, its attorney general’s office has signaled that it will start reviewing a business’s conduct as of Jan. 1. Therefore, it is important for businesses to understand the CCPA and implement compliance programs now that account for all the nuances in the law and in a business’s data. As other states begin to introduce legislation similar to the CCPA, understanding what personal information a business collects, uses, discloses, sells and shares is paramount.


¹Note that all personal information, even that subject to the GLBA exemption, still is subject to the data breach provisions of the CCPA.