One of the most ubiquitous technologies on the web may become a liability risk for businesses. Learn about Google Analytics, wiretap lawsuits, and how to protect your company.
“Does the CCPA apply to my business?”
This is the first question executives and managers ask when they learn about the California Consumer Privacy Act (CCPA). As with the European Union’s General Data Protection Regulation (GDPR), becoming CCPA compliant can seem very burdensome at first—the law introduces several new rights and privacy protections for consumers, and forces businesses to change their data privacy practices. Because of this, it’s common for business leaders to quickly conclude that the California law doesn’t apply to their company, even when it does.
Here we’ll review in depth the criteria for determining if a business must comply with the CCPA, and apply those criteria to a few examples.
In statutory terms, it all comes down to whether your company falls within the CCPA’s definition of a “business.” If it does, then the CCPA applies and you are required to be compliant. The definition has three major components a company must meet in order to be considered a business.
Calculate whether your business meets the 100,000-consumer threshold ›
geographical reach of the CCPA.
Many businesses, especially those located outside the state of California, underestimate the reach of the CCPA. Due to the nature of doing business online, the California law can easily apply to companies all over the world. In the following examples, all of the businesses must comply with the CCPA.
Company A is an independent clothing retailer based in Oregon. It ships products nationwide, including to California. It has less than $25 million in gross annual revenues, but over 100,000 people in California visit its website every year. It uses tracking technology to retarget those visitors on other sites.
Company A falls within the jurisdiction of the CCPA because it does business in California and annually shares the personal information of more than 100,000 consumers. (Its advertising practices are considered sharing.)
Company B is an electronics retailer based in Minnesota. It ships products to California and has over $40 million in gross annual revenues. It uses retargeting to place advertisements on other websites for products that consumers browsed but did not purchase on their own website.
The CCPA applies to Company B because it does business in California, collects personal information, and has annual gross revenues exceeding $25 million. It collects personal information to complete transactions, track website visitors, and likely for marketing purposes as well. Not only that, its use of retargeting is considered a sale of personal information under the CCPA.
Disclaimer: This content is provided for general informational purposes only and does not constitute legal or other professional advice. Without limiting the foregoing, the content may not reflect recent developments in the law, may not be complete, and may not be accurate or relevant in an applicable jurisdiction. This content is not a substitute for obtaining legal advice from a qualified licensed attorney in the applicable jurisdiction. The content is general in nature and may not pertain to specific circumstances, so it should not be used to act or refrain from acting based on it without first obtaining advice from professional counsel qualified in the applicable subject matter and jurisdictions.
Get monthly updates on the latest updates on policy & the shifting privacy landscape.
Dive into a world of knowledge, trends, and industry updates on the TrueVault blog.