A business must comply with the CCPA if it:
Annually buys, sells, or shares the personal information of 100,000 or more consumers or households.
It sounds straightforward: If you buy, sell, or share information of at least 100,000 California consumers, the CCPA applies to you. But how should a business specifically calculate if this threshold applies to them?
We’ll start by digging into some of the terms of this key threshold to make sure we understand what it means.
First of all, what is personal information? We explained in our resource article What is Personal Information that the CCPA defines personal information very broadly. One of the biggest collection points of personal information for a business is its website.
Even if a website visitor doesn’t provide a name or e-mail address, you may be collecting personal information if you can tie the information you collect to a specific device or household. If you can see that someone has visited your website 3 times on the same device, there’s a good chance you have collected identifiable device information.
Next let’s discuss what it might mean to buy, sell, or share this information.
According the CCPA, "selling" means the making personal information available to a third party for monetary or other consideration. It's easy to understanding paying money for data, but the "other valuable consideration" part throws some people off. This term means you receive something valuable in exchange.
For example, making your customers' personal information available to a software company in exchange for a discount or free access to the software is likely considered a sale under the CCPA. Likewise, participating in a "data co-op" where businesses trade access to their customers' data for access to data from other businesses would also be valuable consideration.
Sharing has a specific meaning in the CCPA. It means disclosing personal information to a third party for the purpose of "cross-context behavioral advertising." Cross-context behavioral advertising is another term for retargeting or interest-based advertising, i.e., using a consumer's browsing activity on your website to deliver personalized ads to them on another site.
The CCPA does not provide a definition for "buying," but it stands to reason that it is the opposite of selling: receiving personal information in exchange for monetary or other valuable consideration.
Many businesses purchase contact info and other sales leads from data brokers for cash; this clearly constitutes buying. Likewise, participating in a data co-op as described above likely is considered to be buying personal data.
Many businesses find that it isn’t straightforward to determine whether they meet the 100,000-consumers threshold under the CCPA. Does every collection of information count toward the threshold? How do I determine who is a California consumer versus a non-California consumer? How can I ensure I am calculating the “right” number? Below we walk through an example of how a business might answer these questions to determine if it meets the 100,000 consumers-threshold.
Let’s say Haute Loaf, a business selling bread-themed clothing, earned $2.1 million in revenue in the past 12 months and has an online store only. Haute Loaf uses Facebook Pixel on all pages of their website, and they use the information tracked via Pixel to deliver interest-based advertising on other sites. Haute Loaf had 600,000 unique web visitors in the past 12 months. It uses Google Analytics to establish that in the past 12 months, 16% of its web visitors were associated with California-based IP addresses.
As part of its marketing effort, Haute Loaf participates in a data co-op, meaning it shares access to its customers' contact information and interests in exchange for receiving similar data from other companies. Of Haute Loaf's total number of customers, 12,000 of them have a California address. It received 50,000 sales leads through this arrangement, about 10% of whom live in California.
How does this all add up?
Regarding its website visitors, Haute Loaf's use of Facebook Pixel is considered "sharing" under the CCPA, so each unique visitor from California goes toward the count: 600,000 x 16% = 96,000 consumers. Next, the company's participation in the data co-op is likely considered to be both buying and selling personal information: 12,000 selling (its own customers) + 5,000 buying (the California data it received from other businesses) = 17,000.
96,000 + 17,000 = 113,000 consumers. Haute Loaf is required to comply with the CCPA.
Privacy compliance is only becoming more complicated. Businesses that have to comply with the CCPA often have to deal with privacy laws from other states as well. Without an in-house privacy expert, it can all become overwhelming.
TrueVault US simplifies privacy compliance so that small and medium-sized businesses can take care of it on their own. Similar to online tax software, TrueVault US guides you step by step, from creating a data map to creating privacy-request workflows. Best of all, it covers not just the CCPA, but all the similar data privacy laws from other states as similar.
Learn more about TrueVault US and schedule a demo to see how it works. Contact our team today.
Disclaimer: This content is provided for general informational purposes only and does not constitute legal advice. This content is not a substitute for obtaining legal advice from a licensed attorney. The information on this page may be changed without notice and is not guaranteed to be complete, correct or up-to-date, and may not reflect the most current legal developments.