Geographic Scope of the CCPA – Beyond California

Video Activity
Join over 3 million cybersecurity professionals advancing their career
Sign up with
Required fields are marked with an *
or

Already have an account? Sign In »

Time
4 hours 41 minutes
Difficulty
Intermediate
CEU/CPE
5
Video Transcription
00:01
Hello, everyone, and welcome to Lesson 2.2 the geographic scope in the geographic application of the C C p A.
00:10
Our learning goals and objectives for less than 2.2.
00:13
Geography is generally viewed as the second factor to consider when determining whether or not an organization a business. Remember, a business that is making more than $25 million a year and is in the business of making money
00:25
is subject to the C C P. A
00:28
learning goal and objective number two. My favorite.
00:32
We're going to go through some really world examples of businesses that are subject to the law
00:38
some quick golden rules to follow, and I would actually pull out a pen and paper and make a note of these
00:44
golden rule number one to determine whether or not the C C p. A applies to your business.
00:50
The CCP a Onley cares about California residents. That's individuals who live in California.
00:56
It does not protect anyone else in the United States or anyone else in the world.
01:00
Onley the residents of California.
01:04
The location of the business that we are reviewing is completely inconsequential. The location of the data I don't care if it's stored on Prem or in the cloud wherever it doesn't matter where the information is. It has zero bearing on whether or not the C C P. A will apply to that data. Nor will the size of the data set.
01:26
There are some laws out there that actually regulate data privacy on the basis of the volume or size of the data sets, not the C c. P. A.
01:34
I basically could have just
01:37
actually made Rule number one the only golden rule. But I added 23 and four just toe really drive the point home,
01:44
my friends, the CCP, a Onley cares about California residents
01:51
to drive that point completely home. I have created a spreadsheet here where we can review the types of businesses that are in scope versus out of scope of the C C. P A.
01:59
Let's dive in now
02:00
to the first round.
02:02
Suppose is a business with offices in L. A. That makes $26 million a year and collects the personal information of locals.
02:10
In that case,
02:13
yes, the business is subject to the ccps.
02:15
How do I know that
02:17
it's a business? I'm going to assume it's making money because it makes $26 million a year. That's one million mawr than the $25 million threshold we need to hit.
02:28
Included in that sentence is the key phrase
02:30
collects personal information of locals If locals live in L. A. The residents of the state of California
02:38
ding ding the C C P. A. Applies to this business.
02:42
If they were, I have a bad year and make $24 million the next year.
02:46
Then they're no longer subject to the law.
02:52
Row number two.
02:53
Suppose there's a business with offices in San Francisco that makes $100 million a year. But Onley collects personal information from the Nation of India, which is also the only country where it makes money.
03:07
Now.
03:07
I don't think there's many businesses that have this business model, but let's suppose for the sake of argument that there is
03:13
well
03:14
this business is then not subject to the C C. P. A.
03:17
The business owners don't need to worry about the CCP A because it only protects the personal information off California residents.
03:25
Line number two tells us that the Onley individuals are citizens and residents off the nation of India.
03:31
Great,
03:32
they make $100 million a year, but that's still not enough to get us through the threshold
03:39
line. Number three.
03:42
Suppose there's an online retail store with a presence that is Onley in Denver, Colorado,
03:47
but it makes $100 million a year and makes money in all 50 states.
03:53
Then, yes, that business is subject to the C C. P A.
03:57
How do I know that
03:58
because of the phrase makes money in all 50 states?
04:02
I know that California is one of the 50 states. It is therefore collecting the personal information of the individuals who, by what has ever available on this online retail store.
04:14
Okay, they only have an office in Denver. But that doesn't matter.
04:17
Most businesses don't have offices in all 50 states.
04:20
In fact, most businesses on Lee have offices in one state.
04:25
The sheer fact that they're collecting information from California and that they're making more than $25 million a year
04:31
makes them subject to the law.
04:36
Let's get into a little bit more complicated scenarios here.
04:41
Line number four.
04:43
Suppose there's a French wine conglomerate that sends employees to Napa Valley, California to get to investigate. My California wine is so *** tasty
04:51
the employees those air the French employees send emails back and forth while they are in Napa during their visit.
04:58
Is that business subject to the C C p A.
05:00
The answer is no.
05:02
Now
05:02
it's true that the employees are visiting California, but they're not deemed residents.
05:09
This term resident is fluid, but generally you need to hang around for a while.
05:13
You need to avail yourself of all the benefits of being in California. Resident.
05:16
You don't necessarily need to be a citizen of the United States who might happen to live in California,
05:21
but you need to hang around for a while
05:24
just because a company has employees that come through and visit in this instance Napa Valley It's not enough to trigger them being subject to the law.
05:35
Let's take that scenario and play it forward and look at line number five.
05:41
Two months later,
05:42
that very same French wine conglomerate begins selling French wine in California.
05:46
Now that's bizarre, right?
05:48
Why would they sell French wine in California? As the prompt tells us, French wine does not compare to California,
05:55
they actually only make $500,000 in sales,
05:59
but the wine conglomerate nevertheless
06:01
makes $30 million globally, so they must be selling wine elsewhere around the world.
06:06
In that case, the C C P. A. Is going to apply to the wine conglomerate. Because $25 million threshold applies to global sales.
06:15
It does not care where the money is made.
06:16
So long as the company is making more than $25 million a year, it's subject to the C C p A.
06:23
We see here that it made half a million dollars by selling French wine in California.
06:27
Therefore, people had to purchase that wine. We can assume for the purposes of this prompt that personal information is exchanged. And as a consequence,
06:36
the wine conclude merit is now subject to the C C P A. Because it's not just employees passing through.
06:46
In summary,
06:47
we identified the scope of the C C P. A.
06:50
Again. I'll say this 1000 times if I need to. It's exclusively determined by the people it is designed to protect I California residents.
07:00
You could ignore the location of the business. You can ignore the location of the data
07:04
if a resident of the state of New York complaints to you that you violated the C C P a.
07:10
Your decision, but you are legally entitled to ignore them because they do not enjoy the benefits of the C c p. A.
07:16
Unless, of course, they moved there
07:18
that summarizes everything to address in less than 2.2. I will see you in less than 2.3 as we discuss the definition of personal information.
Up Next