July 24, 2024
Which Businesses Must Comply with the CCPA?
The CCPA applies to many businesses that may not even realize it. Learn about the California data privacy law’s criteria for falling under its jurisdiction.

“Does the CCPA apply to my business?”

This is the first question executives and managers ask when they learn about the California Consumer Privacy Act (CCPA). As with the European Union’s General Data Protection Regulation (GDPR), becoming CCPA compliant can seem very burdensome at first—the law introduces several new rights and privacy protections for consumers, and forces businesses to change their data privacy practices. Because of this, it’s common for business leaders to quickly conclude that the California law doesn’t apply to their company, even when it does.

Here we’ll review in depth the criteria for determining if a business must comply with the CCPA, and apply those criteria to a few examples.

CCPA Definition of a Business

In statutory terms, it all comes down to whether your company falls within the CCPA’s definition of a “business.” If it does, then the CCPA applies and you are required to be compliant. The definition has three major components a company must meet in order to be considered a business.

  1. A for-profit entity that does business in California
     Whether or not your company is a for-profit entity should be pretty obvious. What may not be obvious is what it means to “do business” in California. The CCPA provides no definition for this term, but the California Attorney General has stated that it “should be given meaning according to the plain language of the words and other California law.” Given the broadness of the term’s wording, it should be interpreted broadly. A one-time-only transaction may not qualify, but any regular and repeated commercial activity within the state is likely to be considered “doing business.”
  2. That collects consumers' personal information
     In the CCPA, “consumer” means a California resident, as defined for tax purposes. “Personal information” is very broadly defined, and can be roughly summarized as any personal data that can be associated with a particular consumer. “Collecting” means receiving or obtaining in any way, actively or passively. Taking all these definitions together, “collecting consumers’ personal information” covers a lot of everyday business activities, especially for businesses with any kind of online presence. For example, a business collects consumers’ personal information when it saves website users’ IP addresses, assuming the users are Californians.
  3. That meets at least one of the following threshold requirements:
    1. Annual gross revenues exceeding $25 million
       This is the most straightforward of the three threshold requirements, but note that the revenue does not have to come from California. All global revenues count toward the $25 million.
    2. Annually buys, sells, or shares the personal information of 100,000 or more consumers or households
       Because companies tend to collect far more personal information than they are aware of, this threshold covers many businesses that may not realize it. "Sharing" personal information includes using interest-based advertising, so each unique visitor to your website counts toward this total.
    3. Derives 50% or more of its annual revenues from selling consumers’ personal information
       The use of behavioral or interest-based advertising is considered a sale of personal information (or “sharing,” as it’s called by the CPRA), so any revenue that is connected to interest-based advertising should be included in this calculation. For example, if a retailer makes a sale after a customer clicks on a retargeting ad, that revenue is “derived” from selling or sharing consumers’ personal information.

Common Examples

Many businesses, especially those located outside the state of California, underestimate the reach of the CCPA. Due to the nature of doing business online, the California law can easily apply to companies all over the world. In the following examples, all of the businesses must comply with the CCPA.

Example 1:

Company A is an independent clothing retailer based in Oregon. It ships products nationwide, including to California. It has less than $25 million in gross annual revenues, but over 100,000 people in California visit its website every year. It uses tracking technology to retarget those visitors on other sites.

Company A falls within the jurisdiction of the CCPA because it does business in California and annually shares the personal information of more than 100,000 consumers. (Its advertising practices are considered sharing.)

Example 2:

Company B is an electronics retailer based in Minnesota. It ships products to California and has over $40 million in gross annual revenues. It uses retargeting to place advertisements on other websites for products that consumers browsed but did not purchase on its own website.

The CCPA applies to Company B because it does business in California, collects personal information, and has annual gross revenues exceeding $25 million. It collects personal information to complete transactions, track website visitors, and likely for marketing purposes as well. Not only that, its use of retargeting is considered a sale of personal information under the CCPA.

Disclaimer: This content is provided for general informational purposes only and does not constitute legal or other professional advice. Without limiting the foregoing, the content may not reflect recent developments in the law, may not be complete, and may not be accurate or relevant in an applicable jurisdiction. This content is not a substitute for obtaining legal advice from a qualified licensed attorney in the applicable jurisdiction. The content is general in nature and may not pertain to specific circumstances, so it should not be used to act or refrain from acting based on it without first obtaining advice from professional counsel qualified in the applicable subject matter and jurisdictions.
