The California Consumer Privacy Act (“CCPA”) was enacted in early 2018 as a political compromise to stave off a poorly drafted and plaintiff-friendly ballot initiative. Although the CCPA is scheduled to go into force in early 2020, there is a great deal of confusion regarding the requirements of the CCPA, including the degree to which it aligns with other privacy regulations such as the European General Data Protection Regulation (“GDPR”).
To help address that confusion, BCLP published the California Consumer Privacy Act Practical Guide, and is publishing a multi-part series that discusses the questions most frequently asked by clients concerning the CCPA.
In general, United States data privacy and security laws are not tied to the physical location of an organization or its country of incorporation. That said, some, but not all, state privacy and security laws apply only to entities that “conduct business” within the state.1 Such requirements are likely designed to make the scope of the state statutes harmonize with the ability of state courts to obtain personal jurisdiction over defendants.
California’s CCPA is a good example of a state statute that applies to organizations that conduct business within the state, regardless of where the organization is ultimately located. Specifically, the CCPA states that it applies to “businesses,” a term which is defined as including only an organization that “does business in the State of California.”2 In practice, courts have exercised a great deal of flexibility when determining what activities constitute “doing business.”
In comparison, the European GDPR applies to companies that process data “in the context of the activities of an establishment . . . in the Union.” 3 Although the regulation does not offer a precise definition of what it means to be an “establishment,” it offers the following hints:
The Article 29 Working Party - an influential, independent advisory body to the European Commission on data protection matters that was chiefly comprised of representatives from each Member State’s supervisory authority - provided little additional context other than to advise companies to look to judicial interpretation, stating that ultimately "[t]he place, at which a controller is established, . . . has to be determined in conformity with the case law of the Court of Justice of the European Communities."9 The European Court of Justice in turn has provided two additional indications of what factors may be relevant when determining whether an entity has an establishment in the European Union.
The net result is that it’s unclear what, if any, difference exists between how European courts interpret what it means to be “established” within the EEA and how United States courts interpret what it means to be “doing business” within the United States.
1. See, e.g., Wisconsin Data Breach Notification Statute, Wisconsin Section 134.95(1)(a)(1).
2. CCPA, Section 1798.140(c)(1).
3. GDPR, Article 3(1) (emphasis added).
4. GDPR, Recital 22 (emphasis added).
5. GDPR, Recital 22; see also Article 29 Working Party, WP 56: Working Document on determining the international application of EU data protection law to personal data processing on the Internet by non-EU based web sites at 8 (30 May 2002); Verein für Konsumenteninformation v. Amazon, ECJ Case C-191/15 at ¶ 75 (28 July 2016).
6. GDPR, Recital 36 (emphasis added).
7. GDPR, Recital 36 (emphasis added).
8. GDPR, Recital 36 (emphasis added).
9. Article 29 Working Party, WP 56: Working Document on determining the international application of EU data protection law to personal data processing on the Internet by non-EU based web sites at 8 (30 May 2002).