How to Calculate the CCPA’s 50,000 Consumers Threshold

colorful-folders-popping-out-of-laptop-screen

The 50,000-Record Requirement

A business must comply with the CCPA if it:

Alone or in combination, annually buys, receives for the business’s commercial purposes, sells, or shares for commercial purposes, alone or in combination, the personal information of 50,000 or more consumers, households, or devices.

It sounds straightforward: If you buy, sell, or collect for a commercial purpose the information of at least 50,000 California consumers, the CCPA applies to you.But how should a business specifically calculate if this threshold applies to them?

We’ll start by digging into some of the terms of this key threshold to make sure we understand what it means.

Personal Information

First of all, what is personal information? We explained in our resource article What is Personal Information that the CCPA defines personal information very broadly. One of the biggest collection points of personal information for a business is its website.

Even if a website visitor doesn’t provide a name or e-mail address, you may be collecting personal information if you can tie the information you collect to a specific device or household. If you can see that someone has visited your website 3 times on the same device, there’s a good chance you have collected identifiable device information.

Buy, Receive, Sell, or Share

Next let’s discuss what it might mean to buy, receive, sell, or share this information. When you think about your business’s various points of collection of personal information from California consumers, be sure to consider these common scenarios:

  • Number of records of personal information (usually sales leads) your business has purchased from a data broker like ZoomInfo
  • Number of website visitors you had in the past year:
    • Did you have cookies or other tracking devices that collect information that can be associated with a specific device?
    • Did you have third-party cookies or other tracking devices that collect information for Ad Networks such as Facebook, Google, and Twitter?
  • Number of contacts in your CRM (customer relationship management) tool, if you have one
  • Number of emails subscribed to your marketing newsletter (if not already counted in your CRM)

Commercial Purpose

The final piece of the equation is to understand: what does it mean to receive or share personal information for the business’s commercial purposes?

Most information that businesses collect and use is "for a commercial purpose." A commercial purpose simply means to advance a business's economic interests, such as by trying to convince consumers to buy goods or services, or to complete a transaction with a consumer.

Include any consumers whose information - such as name, email address, payment information - your business collects for its economic interests toward the 50,000 consumer threshold. Consumers whose information your business collects only for non- commercial purposes (for example, collecting a consumer’s driver’s license number to verify their identity only), can be excluded.

How to Calculate if the CCPA Applies to You

Many businesses find that it isn’t straightforward to determine whether they meet the 50,000 consumers threshold under the CCPA. Does every collection of information count toward the threshold? How do I determine who is a California consumer versus a non-California consumer? Do I count a consumer twice if I collect information from them while they are using different devices? How can I ensure I am calculating the “right” number? Below we walk through an example of how a business might answer these questions to determine if it meets the 50,000 consumers threshold.

Website Visitors

Let’s say Haute Loaf, a business selling bread-themed clothing, earned $2.1 M in revenue in the past 12 months and has an online store only. Haute Loaf uses Facebook Pixel on all pages of their website, and they use the information tracked via Pixel for a commercial purpose. Haute Loaf had 300,000 unique web visitors in the past 12 months. It uses Google Analytics to establish that in the past 12 months, 16% of its web visitors were associated with California-based IP addresses.

Newsletter Subscribers

In addition to website visitors, Haute Loaf collected the information of 1,000 new marketing newsletter subscribers in the past 12 months. It also tracked internet activity, like email open and click-through rates, on its existing list of 50,000 newsletter subscribers.

Empty Accounts

Haute Loaf added 1,000 new registered account-holders on its website in the last 12 months. It doesn’t collect geographical information from account-holders so it's not sure how many are from California.

Customers

In the past 12 months, Haute Loaf collected information from 10,000 customers who purchased products on its website. Because Haute Loaf collects billing address information from its customers, it can see that for all the purchases made in the past year, 18% of customers provided a billing address located in California.

Does the CCPA Apply to Haute Loaf?

Website Visitors. Haute Loaf can estimate that approximately 16% of its 300,000 unique website visitors could be from California, for a total of 48,000 California visitors.

Newsletter Subscribers and Account-Holders. It’s not possible for Haute Loaf to determine which of its newsletter subscribers or account-holders are from California. But let’s say that at least 16% of each could be from California, similar to Haute Loaf’s website visitors. Taking 16% of each of 1,000 new newsletter subscribers and 1,000 new account-holders, that yields 320 potential California-based consumers in these groups.

Customers. With 18% of Haute Loaf’s customers who purchased products on its website in the past 12 months entering a California billing address, Haute Loaf can estimate that about 1,800 of its customers may be from California.

Adding up the numbers above, 48,000 + 320 + 1,800 = 50,120, which exceeds the 50,000 consumer threshold.

Need any help? Talk to us.

Schedule Call