The California Consumer Privacy Act (CCPA) takes effect January 1, 2020.[1]  Broadcasters who have a presence in California should consider whether the law applies to them, and if the answer is yes, should start compliance efforts now.

Does the CCPA Apply To Your Station?

The CCPA applies to any for-profit business that collects a California resident’s personal information, does business in California, and meets at least one of the following criteria: (1) has annual gross revenues in excess of $25 million; (2) receives or discloses the personal information of 50,000 or more consumers, households, or devices per year; or (3) derives 50% or more of its annual revenues from selling the personal information of California residents.  There is no exception for broadcasters.

Accordingly, if your station or station group operates in California, there is a good chance the CCPA applies to you.  The key question—after determining whether your company is for-profit and meets one of the thresholds, for example, the annual gross revenue threshold (,—is whether your station or station group collects the personal information of California residents.  Under the CCPA, the definitions of “collect” and “personal information” are sweepingly broad—making the answer to the question of whether stations collect personal information likely to be a “yes.”

  • Collecting personal information includes: “buying, renting, gathering, obtaining, receiving, or accessing any personal information pertaining to a consumer by any means.”
  • Personal Information includes traditional information such as name and address, as well as other information including audio, electronic, visual, thermal, and olfactory information; commercial records (personal property, products, services purchased); biometric information; unique personal identifiers (IP addresses, cookies, beacons, etc.); internet information, such as browsing history and search history; geolocation information; professional or employment information; and inferences drawn from any of that information to create a profile of the consumer. Basically, if you can directly or indirectly connect the information to a natural person who is a California resident, it is likely personal information.

Does your station have a loyal listener club?  Does it run contests and promotions?  Do you have a website that uses cookies to deliver targeted advertising?  Does your station accept user-generated content?  These are just a few examples of how a station could be collecting personal information.

What Would the CCPA Require Your Station To Do?

The CCPA requires that you clearly communicate with consumers about what personal information you are gathering, what you are doing with it, and who you are sharing it with or selling it to.  This information is typically communicated to a consumer in the station’s privacy policy.  Your public-facing privacy policy should be updated to ensure it includes all the disclosures required by the CCPA.

The CCPA also establishes a set of consumer rights associated with the personal information, including the right to access and the right to deletion.  And if your station or station group is selling personal information, consumers also have the right to opt-out from sale (or in the case of minors, the right to opt-in).

Just like the terms “collect” and “personal information” are defined broadly, so too is “sale,” meaning that your station could be “selling” personal information under the CCPA even though the commonsense definition of “selling” would not apply.  Specifically, the CCPA defines “sell” to include “selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer’s personal information . . . for monetary or other valuable consideration.”  For example, you could be selling personal information if you are sharing information about promotion participants with the sponsor.   Determining whether your station “sells” data is crucial for compliance with the CCPA, as the law requires that businesses that sell data place a button on their website with the words “DO NOT SELL MY PERSONAL INFORMATION” to allow consumers to easily exercise their right to opt-out.

If the CCPA Applies to Your Station, What Are Your Next Steps?

Understanding that there are portions of the CCPA that still may be changed or clarified (the legislature is still considering amendments to the law and the California Attorney General is currently drafting implementing regulations), there are a number of steps that broadcasters can take now to ensure that they can be in compliance with the law when it comes into effect January 1, 2020.

  • Know your data. Take this opportunity to audit your data and create a data map. What data are you collecting, what purpose are you collecting it for, who are you sharing it with?
  • Review your privacy policy. Does it accurately reflect what data you are collecting and what you are doing with that data? Does it clearly communicate who you are sharing the data with and for what purpose?
  • How are you sharing information? Review your agreements with any third party. Make sure you understand how data is flowing between you and your service providers or vendors, and that your agreement reflects what data is being shared and for what purpose.
  • Determine whether you can comply with the consumer rights obligations. Could you quickly and accurately respond to an opt-out request or a request for deletion?  What systems do you need in place to be able to do this?

If your station or station group does business in California, you cannot afford to ignore the CCPA.  Take the time now to evaluate whether it applies to your business and establish compliance mechanisms.

[1] Note that while the law will be effective on January 1, 2020, Attorney General enforcement will be delayed until July 1, 2020, or until six months after the final implementing regulations are published, whichever comes first.

Related Posts: