A business must comply with the CCPA if it:
Alone or in combination, annually buys, receives for the business’s commercial purposes, sells, or shares for commercial purposes, alone or in combination, the personal information of 50,000 or more consumers, households, or devices.
It sounds straightforward: If you buy, sell, or collect for a commercial purpose the information of at least 50,000 California consumers, the CCPA applies to you.But how should a business specifically calculate if this threshold applies to them?
We’ll start by digging into some of the terms of this key threshold to make sure we understand what it means.
First of all, what is personal information? We explained in our resource article What is Personal Information that the CCPA defines personal information very broadly. One of the biggest collection points of personal information for a business is its website.
Even if a website visitor doesn’t provide a name or e-mail address, you may be collecting personal information if you can tie the information you collect to a specific device or household. If you can see that someone has visited your website 3 times on the same device, there’s a good chance you have collected identifiable device information.
Next let’s discuss what it might mean to buy, receive, sell, or share this information. When you think about your business’s various points of collection of personal information from California consumers, be sure to consider these common scenarios:
The final piece of the equation is to understand: what does it mean to receive or share personal information for the business’s commercial purposes?
Most information that businesses collect and use is "for a commercial purpose." A commercial purpose simply means to advance a business's economic interests, such as by trying to convince consumers to buy goods or services, or to complete a transaction with a consumer.
Include any consumers whose information - such as name, email address, payment information - your business collects for its economic interests toward the 50,000 consumer threshold. Consumers whose information your business collects only for non- commercial purposes (for example, collecting a consumer’s driver’s license number to verify their identity only), can be excluded.
Many businesses find that it isn’t straightforward to determine whether they meet the 50,000 consumers threshold under the CCPA. Does every collection of information count toward the threshold? How do I determine who is a California consumer versus a non-California consumer? Do I count a consumer twice if I collect information from them while they are using different devices? How can I ensure I am calculating the “right” number? Below we walk through an example of how a business might answer these questions to determine if it meets the 50,000 consumers threshold.
Let’s say Haute Loaf, a business selling bread-themed clothing, earned $2.1 M in revenue in the past 12 months and has an online store only. Haute Loaf uses Facebook Pixel on all pages of their website, and they use the information tracked via Pixel for a commercial purpose. Haute Loaf had 300,000 unique web visitors in the past 12 months. It uses Google Analytics to establish that in the past 12 months, 16% of its web visitors were associated with California-based IP addresses.
In addition to website visitors, Haute Loaf collected the information of 1,000 new marketing newsletter subscribers in the past 12 months. It also tracked internet activity, like email open and click-through rates, on its existing list of 50,000 newsletter subscribers.
Haute Loaf added 1,000 new registered account-holders on its website in the last 12 months. It doesn’t collect geographical information from account-holders so it's not sure how many are from California.
In the past 12 months, Haute Loaf collected information from 10,000 customers who purchased products on its website. Because Haute Loaf collects billing address information from its customers, it can see that for all the purchases made in the past year, 18% of customers provided a billing address located in California.
Website Visitors. Haute Loaf can estimate that approximately 16% of its 300,000 unique website visitors could be from California, for a total of 48,000 California visitors.
Newsletter Subscribers and Account-Holders. It’s not possible for Haute Loaf to determine which of its newsletter subscribers or account-holders are from California. But let’s say that at least 16% of each could be from California, similar to Haute Loaf’s website visitors. Taking 16% of each of 1,000 new newsletter subscribers and 1,000 new account-holders, that yields 320 potential California-based consumers in these groups.
Customers. With 18% of Haute Loaf’s customers who purchased products on its website in the past 12 months entering a California billing address, Haute Loaf can estimate that about 1,800 of its customers may be from California.
Adding up the numbers above, 48,000 + 320 + 1,800 = 50,120, which exceeds the 50,000 consumer threshold.
Disclaimer: This content is provided for general informational purposes only and does not constitute legal advice. This content is not a substitute for obtaining legal advice from a licensed attorney. The information on this page may be changed without notice and is not guaranteed to be complete, correct or up-to-date, and may not reflect the most current legal developments.