Avoiding the California Consumer Privacy Act Litigation Tsunami: What Does it Mean to “Do Business” in California?

Companies that do business in California know that it is a magnet for class action litigation.  The California Consumer Privacy Act ("CCPA"), a new privacy law that applies to data collected about California residents, will provide even more incentive to plaintiff’s attorneys to bring suit in California.

The CCPA was enacted in early 2018 as a political compromise to stave off a poorly drafted ballot initiative.  Although the CCPA is scheduled to go into force in early 2020, there is a great deal of confusion regarding the requirements of the CCPA, including the degree to which it aligns with other privacy regulations such as the European General Data Protection Regulation (“GDPR”).  To help address that confusion, BCLP is publishing a multi-part series to address the most frequently asked litigation-related questions concerning the CCPA.  BCLP is also working with clients to assess – and mitigate – litigation risks for when the CCPA goes into effect by putting in place the policies, procedures, and protocols needed to comply with the Act.

Q. What does it mean to “do business” in California?

The CCPA purports to apply to any for-profit legal entity that “does business in the State of California” and satisfies one of three thresholds:

1. Has annual gross revenue in excess of $25 million.
2. Purchases, receives for commercial purposes, sells, or shares for commercial purposes, personal information of 50,000 or more consumers, or
3. Derives 50% of its annual revenue from selling consumer personal information.¹

For companies doing substantial business in California, determining whether they must comply is a relatively simple matter, as the Act establishes specific thresholds of economic and operational activity.  However, for companies that have neither a physical presence in California nor significant numbers of employees that reside in California, making an assessment of whether one is “doing business” within the State can be more difficult.  California personal jurisdiction jurisprudence provides some insights.

California’s long-arm statute (Code Civ. Proc., § 410.10) permits the broadest possible exercise of jurisdiction, limited only by Constitutional considerations.  Courts apply a liberal view as to the amount and kind of activities which will meet this standard.  Unfortunately, there is no all-embracing rule governing what constitutes “doing business” in the State, and the question is very largely one of fact.

Until the Attorney General’s office provides guidance, the following factors provide some indication of how a court could determine the issue:

• Intentional - not merely fortuitous - economic activity within the State is likely sufficient to constitute “doing business.”
• One or two isolated transactions is typically not enough to constitute “doing business.”
• Entering into a contract with a California entity does not necessarily constitute “doing business” in California
• An entity’s lack of physical presence in the State is not determinative
• Maintenance of a passive website alone is likely not enough, but in conjunction with something more, like site content specifically targeting California residents, could constitute “doing business” in California.
• Directing solicitation or advertising to California residents could constitute “doing business” in California.
• Repeated and successive transactions in California, remotely and online, could constitute “doing business.”

So what does this mean for businesses trying to determine whether they need  to comply with the CCPA? A thorough examination of the business’ activities and contacts – direct and indirect – with the State will be necessary.  If in doubt, companies should either assume compliance will be required, or anticipate that they may need to be able to document their lack of connections to California if they are named in a suit under the CCPA.  For companies that believe that they are outside of the scope of the CCPA, but attempting to mitigate the risk of future lawsuits, it may be worth creating documentation now which could be leveraged in litigation to explain the lack of California contacts.

For questions or additional information, contact Goli Mahdavi or any member of our Retail or Data Privacy & Security teams.