What Businesses Must Comply with the CCPA?

CCPA Definition of a Business

In statutory terms, it all comes down to whether your company falls within the CCPA’s definition of a “business.” If it does, then the CCPA applies and you are required to be compliant. The definition has three major components a company must meet in order to be considered a business.

  1. A for-profit entity that does business in California

    Whether or not your company is a for-profit entity should be pretty obvious. What may not be obvious is what it means to “do business” in California. The CCPA provides no definition for this term, but the California Attorney General has stated that it “should be given meaning according to the plain language of the words and other California law.” Given the broadness of the term’s wording, it should be interpreted broadly. A one-time-only transaction may not qualify, but any regular and repeated commercial activity within the state is likely to be considered “doing business.”

  2. That collects consumers' personal information

    In the CCPA, “consumer” means a California resident, as defined for tax purposes. “Personal information” is very broadly defined, and can be roughly summarized as any personal data that can be associated with a particular consumer. “Collecting” means receiving or obtaining in any way, actively or passively. Taking all these definitions together, “collecting consumers’ personal information” covers a lot of everyday business activities, especially for businesses with any kind of online presence. For example, a business collects consumers’ personal information when it saves website users’ IP addresses, assuming the users are Californians.

  3. That meets at least one of the following threshold requirements:
    1. Annual gross revenues exceeding $25 million

      This is the most straightforward of the three threshold requirements, but note that the revenue does not have to come from California. All global revenues count toward the $25 million.

    2. Annually buys, sells, shares, or receives the personal information of 50,000 or more consumers, households, or devices

      Because companies tend to collect far more personal information than they are aware of, this threshold covers many businesses that may not realize it. Notice that collecting personal information, including IP addresses, from the computer, tablet, and phone of a single consumer counts three times.

    3. Derives 50% or more of its annual revenues from selling consumers’ personal information

      Before dismissing this one, be sure to read the CCPA’s definition of “selling” consumers’ personal information.


Businesses Outside of California

The most common argument companies make against having to become CCPA compliant is that they are located outside of California, so the law doesn’t apply to them. It’s important to debunk this argument and state clearly that the CCPA can apply to businesses outside of California and even outside the United States.

This is because the issue is not about where the business itself is located, but where it is collecting personal information and from whom. The business could be based in Texas or Taiwan, but if it collects personal information from Californians while they are in California, it must comply with the CCPA.

Learn more about the geographical reach of the CCPA.

Common Examples

Many businesses, especially those located outside the state of California, underestimate the reach of the CCPA. Due to the nature of doing business online, the California law can easily apply to companies all over the world. In the following examples, all of the businesses must comply with the CCPA.

Example 1:

Company A is an independent clothing retailer based in Oregon. It ships products nationwide, including to California. It has less than $1 million in gross annual revenues, but over 50,000 people in California subscribe to its monthly promotional emails. It uses an email marketing vendor that tracks the click-through rate and other statistics.

Company A falls within the jurisdiction of the CCPA because it does business in California and annually collects the personal information of more than 50,000 consumers. It meets the “annually” requirement because each time it sends out a promotional email, it collects more personal information by tracking consumers’ behavior.

Example 2:

Company B is an electronics retailer based in Minnesota. It ships products to California and has over $40 million in gross annual revenues. It uses retargeting to place advertisements on other websites for products that consumers browsed on its own website but did not purchase.

The CCPA applies to Company B because it does business in California, collects personal information, and has annual gross revenues exceeding $25 million. It collects personal information to complete transactions, track website visitors, and likely for marketing purposes as well. Not only that, its use of retargeting is considered a sale of personal information under the CCPA.

Example 3:

Company C is an online media company based in New Jersey. It publishes articles online, which are monetized through advertisements. It has about 100,000 unique visitors to its site from California every year. In order to deliver content tailored to each particular consumer, it keeps track of which articles they read and creates a profile based on their interests.

The CCPA applies to Company C. Tracking readers’ browsing history is a collection of personal information, and the number of consumers exceeds 50,000. This is the least concrete example of doing business in California; without an explicit definition for that term, Company C may argue that it is merely making content available online for free, and that having some readers who are California residents doesn’t mean it is doing business there. However, because readers are viewing and interacting with the articles (and ads) in California, and because giving consumers more control over this kind of data collection is at the heart of what the CCPA tries to accomplish, state authorities are likely to see this kind of activity as falling under the jurisdiction of the CCPA.

The Quickest Path to CCPA Compliance

In all the examples above, the businesses should be CCPA compliant. That means making the required disclosures in their privacy policies as well as responding to consumer requests, like requests to know and deletion requests. Company B also must give consumers a way to opt out of the sale of their personal information and include a “Do Not Sell My Personal Information” link on its homepage. The rules for implementing each of these changes are complex, and businesses can easily spend months trying to become CCPA compliant on their own.

TrueVault Polaris is an automation tool that lets your business become fully CCPA compliant in as little as a few days, without the major expense of hiring a law firm or consultant. Contact our team to learn more.

Read more about the California Consumer Privacy Act in our Complete CCPA Guide.
