In 2018, California passed the California Consumer Privacy Act (CCPA). CCPA is inspired by the European Union’s earlier General Data Protection Regulation (GDPR). Like GDPR, CCPA codified a host of consumer rights with respect to their personal information. And it imposed a host of new legal requirements on applicable businesses (more on that below). In 2020, California voters passed Prop. 24, also known as the California Privacy Rights Act (CPRA), which amended and supplemented CCPA. And you bet that there are also regulations to deal with.
The CCPA applies to for-profit businesses that do business in California and meet any of the following:
- Have a gross annual revenue of over $25 million;
- Buy, sell, or share the personal information of 100,000 or more California residents, households, or devices; or
- Derive 50% or more of their annual revenue from selling California residents’ personal information.
The second million-dollar question here is what it means to do business. Of course, CCPA doesn’t clearly define that. But elsewhere in the law, CCPA says: “For purposes of this title, commercial conduct takes place wholly outside of California if the business collected that information while the consumer was outside of California, no part of the sale of the consumer’s personal information occurred in California, and no personal information collected while the consumer was in California is sold. This paragraph shall not prohibit a business from storing, including on a device, personal information about a consumer when the consumer is in California and then collecting that personal information when the consumer and stored personal information is outside of California.”
What about GDPR? GDPR is even broader in scope. Article 3(2) provides:
2. This Regulation applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to:
(a) the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or
(b) the monitoring of their behaviour as far as their behaviour takes place within the Union.
A company that simply offers services, even for free, to residents of the EU may end up subject to GDPR. To be fair, this won’t be the case for your run-of-the-mill cannabis company. It’s more likely to affect hemp/cannabinoid companies that sell through e-commerce. But even cannabis companies can walk themselves into GDPR territory with their marketing and sales efforts.