The California Consumer Privacy Act (CCPA) grants rights to California residents. But many businesses have decided to honor CCPA rights for consumers outside of California.
The CCPA grants certain privacy rights to "consumers," a term the law defines as California residents.
Despite the CCPA's enforcement limitation focusing on California businesses, many companies have taken a broader approach and simply provided all US (or even global) consumers with CCPA privacy rights as well. One prominent practitioner of this approach is Microsoft.
Providing rights to all consumers, regardless of residency, is a way to show the consuming public that you value their privacy. This approach is also the simplest because it streamlines the request process and does not require proof of California residence. Finally, it means fewer changes when other states pass similar privacy legislation.
While some companies may choose to grant CCPA rights to all consumers, it is worth noting that the California Office of the Attorney General's enforcement authority will extend only as far as the law reaches - to California businesses respecting the rights of California residents.
Beyond questions around where a consumer lives and how broadly a company grants CCPA rights, there is a final and critical piece to determining who can exercise rights.
Each business has a variety of consumer groups. A consumer group is a grouping of consumers whose personal information a business collects in a relatively similar way.
One category of consumer group all businesses have is one we’ll call ‘Employees’ for shorthand, but it is actually much broader. Beyond full-time and part-time employees, this category includes job applicants, owners, directors, medical staff members, and contractors in California. Personal information collected in the context of these roles is exempt from CCPA consumer rights (Right to Know and Right to Delete) until January 1, 2021. Note that employees are not exempt from the notice at collection requirement for businesses, meaning that requirement is in force for employees.
Another type of personal information with a similar exemption until January 1, 2021 is personal information collected in the course of a business performing diligence on, or providing or receiving goods or services to/from, another business. While this covers most business-to-business (B2B) communication and interaction, if a business collects the personal information of someone whose company has never been a past customer and has never done any sort of diligence to determine if services are right or appropriate for them, that business must still honor that person's CCPA rights. An example could be business contact information obtained from a data broker.
There are many other types of consumer groups that have rights under the CCPA. All such groups should be included in a business's information map and evaluated for information collection and sharing practices.