Where Does the CCPA Apply?

Can the California Consumer Privacy Act (CCPA) apply to businesses in other states and other countries? The clear answer is: Yes, the CCPA can apply to businesses anywhere in the world.

As a first-of-its-kind data privacy law in the United States, the CCPA has affected business practices across the country, and even the world. Because it is a state law, there is some confusion among business leaders as to where the CCPA applies. While there are some jurisdictional limitations, they are not necessarily geographical.

How can a California law apply to businesses in other states and even other countries? It achieves this by way of two key provisions:

  1. It applies to companies that "do business" in California, regardless of where they are based.
  2. The "consumers" the CCPA protects are California residents.

As to the first part, "doing business" in California is to be broadly understood. Whatever goods or services a business provides, if it provides them in California on a regular basis then that's probably good enough. For example, if an online media company based in New York makes its content available to readers in California (assuming it is accompanied by a for-profit element such as advertising), that should qualify as doing business in the state. The idea behind this is that by doing so, a business is availing itself of the protections, and therefore also the limitations, of California law. For most companies with any kind of online presence, it is a low bar to meet.

There still needs to be some connection to activity that takes place within California. Otherwise, the law would clearly be overreaching. For example, just because a retailer does business in California doesn't mean the CCPA can apply to its interactions with Minnesota residents that take place entirely inside Minnesota. Because of this, the CCPA is further limited to protecting California residents only. It should be noted, though, that California residents retain their CCPA rights even when temporarily traveling outside of the state.

The result is that, to the extent it does business in California and collects the personal information of California residents, any company in the world can be bound by the CCPA.

Does the CCPA Apply to Your Business?

Not sure if you are required to be CCPA compliant? Use this checklist to determine whether the CCPA applies to your business.

  1. Is it a for-profit business? Except for a few limited circumstances, the CCPA targets for-profit entities.
  2. Do you do business in California? The CCPA does not provide a definition for "doing business", but providing goods or services in the state (even online) on a repeated and ongoing basis would probably meet this requirement.
  3. Do you collect consumers' personal information? "Personal information" covers a wide variety of consumer data.
  4. Does your business meet any one of the following thresholds?
    • Gross annual revenues in excess of $25 million
    • Annually buys, receives, sells, or shares the personal information of 50,000 or more consumers, households, or devices.

    • Derives more than 50% of annual revenues from selling consumers' personal information. This includes any revenue connected to interest-based advertising, such as when a customer makes a purchase after clicking on a retargeting ad.

If you answered yes to all four of these questions, then the CCPA applies to your business.

Effective January 1, 2023:

The California Privacy Rights Act (CPRA) changes the second threshold requirement to: "Businesses that buy, sell, or share the personal information of 100,000 consumers or households." Besides raising the number to 100,000, the threshold is further relaxed by no longer counting individual devices, or cases where a business only "receives" consumers' personal information.

How to Become CCPA Compliant Fast

If the CCPA applies to your business, don't delay on becoming compliant. Enforcement is underway and the California Attorney General is already sending out 30-day cure notices, potentially leading to expensive fines.

Worried about the cost of CCPA compliance and the demands on your staff's time? TrueVault Polaris automates the process of getting fully compliant and makes it easy to stay that way. Designed by attorneys, it provides a guided experience anyone can follow, letting your business avoid the expense of hiring a law firm or consultant.

Learn more about TrueVault Polaris and contact our team today.

Read our Complete CCPA Guide for a more detailed look at the law.
