The California Consumer Privacy Act ("CCPA") was enacted in early 2018 as a political compromise to stave off a poorly drafted, and plaintiff’s friendly ballot initiative.  Although the CCPA is scheduled to go into force in early 2020, there is a great deal of confusion regarding the requirements of the CCPA, including the degree to which it aligns with other privacy regulations such as the European General Data Protection Regulation (“GDPR”).

To help address that confusion, BCLP published the California Consumer Privacy Act Practical Guide, and is publishing a multi-part series that discusses the questions most frequently asked by clients concerning the CCPA. 

Q. Does an organization need to be “established” in the United States for US data privacy and security laws to apply?

In general, United States data privacy and security laws are not tied to the physical location of an organization or its country of incorporation.  That said, some, but not all, state privacy and security laws apply only to entities that “conduct business” within the state.¹  Such requirements are likely designed to make the scope of the state statutes harmonize with the ability of state courts to obtain personal jurisdiction over defendants. 

California’s CCPA is a good example of a state statute that applies to organizations that conduct business within the state, regardless of where the organization is ultimately located.  Specifically the CCPA states that it applies to “businesses,” a terms which is defined as including only an organization that “does business in the State of California.”²  In practice, courts have exercised a great deal of flexibility when determine what activities constitute “doing business.”

In comparison, the European GDPR applies to companies that process data “in the context of the activities of an establishment . . . in the Union.” ³  Although the regulation does not offer a precise definition of what it means to be an “establishment,” it offers the following hints:

• Stable Arrangements According to the GDPR establishment “implies the effective and real exercise of activity through stable arrangements.”⁴

• Legal Form May Be Relevant, But Is Not Determinative.  The GDPR states that if an entity is active in the European Union the legal form of those activities “whether through a branch or a subsidiary with a legal personality, is not the determining factor” when deciding whether the entity is “established.”⁵ Put differently, the fact that a company is not incorporated in the European Union does not necessarily mean that it does not have an “establishment” in the European Union.

• Location of Infrastructure May Be Relevant, But Is Not Determinative.  The GDPR states that “presence and use of technical means and technologies for processing” within the European Union is not the “determining criteria” of whether a company’s “main establishment” is in the European Union, but it implies that it may be one factor of whether an establishment exists.⁶

• Central Administration Is a Factor.  The GDPR refers to the "central administration” of an organization as typically its “main”⁷ The net result is that if an organization coordinates its activities from a European Union Member State the organization is likely to be found to have an establishment in that Member State.

• Decision Making Is a Factor.  The place where “decisions on the purposes and means of the processing of personal data” are made is a factor when determining where a company’s “main establishment” may be located.⁸

The Article 29 Working Party - an influential, independent advisory body to the European Commission on data protection matters that was chiefly comprised of representatives from each Member State’s supervisory authority - provided little additional context other than to advise companies to look to judicial interpretation stating that ultimately "[t]he place, at which a controller is established, . . . has to be determined in conformity with the case law of the Court of Justice of the European Communities."⁹  The European Court of Justice in turn has provided two additional indications of what factors may be relevant when determining whether an entity has an establishment in the European Union. 

The net result is that it’s unclear what, if any, difference exists between how European courts interpret what it means to be “established” within the EEA and how United States courts interpret what it means to be “doing business” within the United States.

1. See, e.g., Wisconsin Data Breach Notification Statute, Wisconsin Section 134.95(1)(a)(1).

2. CCPA, Section 1798.140(c)(1).

3. GDPR, Article 3(1) (emphasis added).

4. GDPR, Recital 22 (emphasis added).

5. GDPR, Recital 22; See also Article 29 Working Party, WP 56: Working Document on determining the international application of EU data protection law to personal data processing on the Internet by non-EU based web sites at 8 (30 May 2002); Verein fur Konsumenteninformation v. Amazon, ECJ Case C-191/15 at ¶ 75 (28 July 2016).

6. GDPR, Recital 36 (emphasis added).

7. GDPR, Recital 36 (emphasis added).

8. GDPR, Recital 36 (emphasis added).

9. Article 29 Working Party, WP 56: Working Document on determining the international application of EU data protection law to personal data processing on the Internet by non-EU based web sites at 8 (30 May 2002).