“Does the CCPA apply to my business?”
This is the first question executives and managers ask when they learn about the California Consumer Privacy Act (CCPA). As with the European Union’s General Data Protection Regulation (GDPR), becoming CCPA compliant can seem very burdensome at first—the law introduces several new rights and privacy protections for consumers, and forces businesses to change their data privacy practices. Because of this, it’s common for business leaders to quickly conclude that the California law doesn’t apply to their company, even when it does.
Here we’ll review in depth the criteria for determining if a business must comply with the CCPA, and apply those criteria to a few examples.
In statutory terms, it all comes down to whether your company falls within the CCPA’s definition of a “business.” If it does, then the CCPA applies and you are required to be compliant. The definition has three major components a company must meet in order to be considered a business: it is a for-profit entity that does business in California, it collects consumers’ personal information, and it meets at least one of the thresholds discussed below.
Whether or not your company is a for-profit entity should be pretty obvious. What may not be obvious is what it means to “do business” in California. The CCPA provides no definition for this term, but the California Attorney General has stated that it “should be given meaning according to the plain language of the words and other California law.” Given the broadness of the term’s wording, it should be interpreted broadly. A one-time-only transaction may not qualify, but any regular and repeated commercial activity within the state is likely to be considered “doing business.”
In the CCPA, “consumer” means a California resident, as defined for tax purposes. “Personal information” is very broadly defined, and can be roughly summarized as any personal data that can be associated with a particular consumer. “Collecting” means receiving or obtaining in any way, actively or passively. Taking all these definitions together, “collecting consumers’ personal information” covers a lot of everyday business activities, especially for businesses with any kind of online presence. For example, a business collects consumers’ personal information when it saves website users’ IP addresses, assuming the users are Californians.
The $25 million annual gross revenue threshold is the most straightforward of the three threshold requirements, but note that the revenue does not have to come from California. All global revenues count toward the $25 million.
Because companies tend to collect far more personal information than they are aware of, the 50,000-consumer threshold covers many businesses that may not realize it. Notice that collecting personal information, including IP addresses, from the computer, tablet, and phone of a single consumer counts three times toward that threshold.
The use of behavioral or interest-based advertising is considered a sale of personal information (or “sharing,” as it’s called by the CPRA), so any revenue that is connected to interest-based advertising should be included when calculating how much of your revenue is derived from selling or sharing consumers’ personal information. For example, if a retailer makes a sale after a customer clicks on a retargeting ad, that revenue is “derived” from selling or sharing consumers’ personal information.
The most common argument companies make against having to become CCPA compliant is that they are located outside of California, so the law doesn’t apply to them. It’s important to debunk this argument and state clearly that the CCPA can apply to businesses outside of California and even outside the United States.
This is because the issue is not about where the business itself is located, but where it is collecting personal information and from whom. The business could be based in Texas or Taiwan, but if it collects personal information from Californians while they are in California, it must comply with the CCPA.
Many businesses, especially those located outside the state of California, underestimate the reach of the CCPA. Due to the nature of doing business online, the California law can easily apply to companies all over the world. In the following examples, all of the businesses must comply with the CCPA.
Company A is an independent clothing retailer based in Oregon. It ships products nationwide, including to California. It has less than $1 million in gross annual revenues, but over 50,000 people in California subscribe to its monthly promotional emails. It uses an email marketing vendor that tracks the click-through rate and other statistics.
Company A falls within the jurisdiction of the CCPA because it does business in California and annually collects the personal information of more than 50,000 consumers. It meets the “annually” requirement because each time it sends out a promotional email, it collects more personal information by tracking consumers’ behavior.
Company B is an electronics retailer based in Minnesota. It ships products to California and has over $40 million in gross annual revenues. It uses retargeting to place advertisements on other websites for products that consumers browsed but did not purchase on its own website.
The CCPA applies to Company B because it does business in California, collects personal information, and has annual gross revenues exceeding $25 million. It collects personal information to complete transactions, track website visitors, and likely for marketing purposes as well. Not only that, its use of retargeting is considered a sale of personal information under the CCPA.
Company C is an online media company based in New Jersey. It publishes articles online, which are monetized through advertisements. It has about 100,000 unique visitors to its site from California every year. In order to deliver content tailored to each particular consumer, it keeps track of which articles they read and creates a profile based on their interests.
The CCPA applies to Company C. Tracking readers’ browsing history is a collection of personal information, and the number of consumers exceeds 50,000. This is the least concrete example of doing business in California; without an explicit definition for that term, Company C may argue that it is merely making content available online for free, and the fact that some of the readers are California residents doesn’t mean it is doing business there. However, since readers are viewing and interacting with the articles (and ads) in California, and giving consumers more control over this kind of data collection is at the heart of what the CCPA tries to accomplish, state authorities are likely to see this kind of activity as falling under the jurisdiction of the CCPA.
In all the examples above, the businesses should be CCPA compliant. That means making the required disclosures in their privacy policies as well as responding to consumer requests, like requests to know and deletion requests. Company B also must give consumers a way to opt out of the sale of their personal information and include a “Do Not Sell My Personal Information” link on its homepage. The rules for implementing each of these changes are complex, and businesses can easily spend months trying to become CCPA compliant on their own.
TrueVault Polaris is an automation tool that lets your business become fully CCPA compliant in as little as a few days, without the major expense of hiring a law firm or consultant. Contact our team to learn more.
Disclaimer: This content is provided for general informational purposes only and does not constitute legal advice. This content is not a substitute for obtaining legal advice from a licensed attorney. The information on this page may be changed without notice and is not guaranteed to be complete, correct or up-to-date, and may not reflect the most current legal developments.