California, the 5th largest economy in the world, has a significant influence on the global market. This also means data processing on a large scale. Fortunately, the state has enacted the California Consumer Privacy Act (CCPA) to prevent unauthorised use of consumers’ personal information. For many businesses, determining whether a data privacy law applies to them can feel like playing a high-stakes game, and the CCPA is no different. Nevertheless, every business needs to determine whether it is subject to the law. This blog helps you understand who the CCPA applies to.
What is CCPA?
The California Consumer Privacy Act (CCPA) is designed to give consumers greater control over their personal information. The law grants consumer rights, imposes obligations on businesses, and sets data processing standards.
The CCPA was signed by the governor in 2018 and came into effect on January 1, 2020. At the beginning of 2023, the California Privacy Rights Act (CPRA) amendments took effect, expanding and strengthening the CCPA’s provisions.
The California Attorney General and the California Privacy Protection Agency (CPPA) are the law’s enforcement agencies. The CCPA also grants consumers a limited private right of action in the case of a data breach.
The fines for violations of CCPA range between $2500 and $7500. Intentional violations are likely to result in higher penalties than unintentional ones.
Who is affected by CCPA? 5 Key criteria
CCPA applies to for-profit entities doing business in the state of California if they meet any of the following thresholds.
- Gross annual revenue greater than $25 million
- Buys, sells or shares the personal information of 100,000 or more Californians annually
- Derives 50% or more of its annual revenue from the sale or sharing of personal information
Now let us analyse the five key criteria individually.
Businesses profiting from California residents
A for-profit business focuses on generating financial gains, primarily by selling goods or services. Therefore, if your business generates profit from collecting, using, selling, or sharing Californians’ personal data, and meets a threshold, the CCPA applies to you.
The definition of a business includes corporations, limited liability companies, partnerships, sole proprietorships, associations, and any company that shares common branding with a covered entity.
Businesses operating in California
The California Consumer Privacy Act clearly states that it applies to any legal entity that does business in California and meets a threshold. This encompasses businesses outside the state that collect personal information from California residents.
The CCPA regulations do not explicitly define what it means to conduct business in California. Nevertheless, the Attorney General has indicated that the phrase should be interpreted in its plain-language sense and in relation to other California laws.
According to the California Franchise Tax Board, doing business in California means any of the following:
- You engage in financial transactions within California
- Your business is organized or commercially domiciled in California
- Your California sales, payroll, or property exceed a specific monetary threshold
Annual gross revenue
Businesses with annual gross revenue exceeding $25 million fall under the CCPA’s scope. Gross revenue is the organization’s total income for the year, measured as of January 1 of the preceding year. It means global revenue, not just revenue earned in California.
Buys, sells, or shares personal information
One of the key criteria for determining whether the CCPA applies is whether you buy, sell or share the personal information of 100,000 or more Californians.
Here are a few activities that come within this scope:
- Sharing the personal information of Californians with a third party for cross-context behavioural advertising, whether or not for money
- Selling the personal information of Californians to a third party for monetary benefit
The law does not clearly state whether a business whose website receives visitors from California must follow the CCPA’s requirements. However, it likely does, because the law treats online identifiers, such as internet cookies and IP addresses, as personal information. So, if your website sets cookies on visitors’ devices, you must show a cookie opt-out banner and a cookie notice or cookie policy.
Look at this example of a cookie banner from Renault’s website.
Service providers to California-based businesses
The CCPA also applies to service providers. A service provider is a person who processes personal information on behalf of a business pursuant to a contract between them. Examples include a delivery service that ships an online retailer’s products, or a web hosting service that hosts your website and makes it accessible to the public.
Does your business need to comply with CCPA?
If you are a covered business that collects consumers’ personal information, you must become CCPA compliant.
Here are some factors for determining whether you need to comply with the CCPA:
- Location: Determine whether your business is based in California or collects personal information from California residents.
- Revenue thresholds: If your business meets the revenue threshold of $25 million, you must comply with the law.
- Data collection: Even if you do not meet the revenue threshold, you must comply if you buy, sell or share the personal data of 100,000 or more consumers.
- Third-party relationship: If you are a third party or service provider working for a covered business, you are likely bound by the law.
CCPA compliance outside California
The CCPA’s reach extends beyond California’s borders. Although the law mainly affects California-based businesses, out-of-state businesses can also be subject to it if they have a significant presence in California and meet the defined revenue or numerical threshold.
A German e-commerce company with a significant customer base in California and global revenue of over $25 million should ensure CCPA compliance. Another example is a Toronto-based company providing SaaS services to a California-based company.
How to determine if CCPA applies to you? 5 key questions
Answer these questions to determine if CCPA applies to your organisation.
Does your business operate with the primary goal of generating profit?
If the answer is yes, you might be bound by the law. However, if your organisation is focused on public benefit rather than generating revenue, the CCPA may not apply.
How much revenue did your business generate in the previous year?
If the annual gross revenue of your organisation as of January 1st of the previous year exceeds $25 million, CCPA applies to you.
Does your organisation do business in California?
It is important to assess whether your business engages in commercial activities in California. This does not necessarily require your business to be domiciled or registered in the state. The law applies to you if you handle a considerable amount of Californian consumer data, have employees in California, or pay Californian taxes.
Is your business subject to any CCPA exemptions?
The California Consumer Privacy Act exempts some entities, as well as some types of data, from its scope. For example, non-profit organisations are exempt, as is personal information already covered by federal laws such as HIPAA and the Gramm-Leach-Bliley Act.
Do you have a third-party or service provider relationship with covered entities?
A direct connection to California is not always necessary to be subject to the CCPA. If you are a service provider or a third party working with a covered entity, you still need to comply. Make sure to follow the contract between you and the covered entity to stay CCPA compliant and avoid penalties.
What should I do if CCPA applies to my business?
Now that you have determined whether the CCPA applies to your business, it is time to understand what actions you need to take. This brief checklist will help you navigate the CCPA’s requirements and avoid non-compliance penalties.
- Limit the collection and use of personal information of California residents to what is necessary
- Conduct data mapping and keep track of the categories of personal information collected, the purpose of collection, the retention period, etc.
- Do not use the data for secondary purposes
- Provide a clear and easy-to-understand privacy policy and notice at collection to consumers
- Establish mechanisms for the consumers to exercise their CCPA rights
- Fulfill consumer requests within 45 days, extendable by a further 45 days where necessary
- Provide links that let consumers opt out of the sale of their personal information and limit the use of their sensitive personal information
- Strengthen your security controls to reduce the risk of data breaches
- Put contracts in place with your service providers and third parties
FAQ on CCPA
Personal information is any information that directly or indirectly identifies a natural person, such as a social security number, biometric information, precise geolocation data, a driver’s license number, or online identifiers.
The General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA) are significant data privacy laws, but a closer look at GDPR vs CCPA highlights key differences between them.
One significant distinction is that the GDPR has no thresholds and covers almost all businesses, whereas the CCPA primarily focuses on businesses with considerable revenue.
Furthermore, the GDPR follows an opt-in model, whereas the CCPA follows an opt-out approach. Unlike the GDPR, the CCPA requires businesses to provide “Do not sell my personal information” and “Limit the use of my sensitive personal information” links.