Companies that do business in California know that it is a magnet for class action litigation. The California Consumer Privacy Act ("CCPA"), a new privacy law that applies to data collected about California residents, will provide even more incentive to plaintiff’s attorneys to bring suit in California.
The CCPA was enacted in early 2018 as a political compromise to stave off a poorly drafted ballot initiative. Although the CCPA is scheduled to go into force in early 2020, there is a great deal of confusion regarding the requirements of the CCPA, including the degree to which it aligns with other privacy regulations such as the European General Data Protection Regulation (“GDPR”). To help address that confusion, BCLP is publishing a multi-part series to address the most frequently asked litigation-related questions concerning the CCPA. BCLP is also working with clients to assess – and mitigate – litigation risks for when the CCPA goes into effect by putting in place the policies, procedures, and protocols needed to comply with the Act.
The CCPA purports to apply to any for-profit legal entity that “does business in the State of California” and satisfies one of three thresholds:
For companies doing substantial business in California, determining whether they must comply is a relatively simple matter, as the Act establishes specific thresholds of economic and operational activity. However, for companies that have neither a physical presence in California nor significant numbers of employees that reside in California, making an assessment of whether one is “doing business” within the State can be more difficult. California personal jurisdiction jurisprudence provides some insights.
California’s long-arm statute (Code Civ. Proc., § 410.10) permits the broadest possible exercise of jurisdiction, limited only by Constitutional considerations. Courts apply a liberal view as to the amount and kind of activities which will meet this standard. Unfortunately, there is no all-embracing rule governing what constitutes “doing business” in the State, and the question is very largely one of fact.
Until the Attorney General’s office provides guidance, the following factors provide some indication of how a court could determine the issue:
So what does this mean for businesses trying to determine whether they need to comply with the CCPA? A thorough examination of the business’ activities and contacts – direct and indirect – with the State will be necessary. If in doubt, companies should either assume compliance will be required, or anticipate that they may need to be able to document their lack of connections to California if they are named in a suit under the CCPA. For companies that believe that they are outside of the scope of the CCPA, but attempting to mitigate the risk of future lawsuits, it may be worth creating documentation now which could be leveraged in litigation to explain the lack of California contacts.
1. CPPA, Section 1798.140(c)(1)(A)-(C).