California Privacy Law: how to determine if the CCPA applies to your particular business?
We have been discussing the similarities and differences between the CCPA and GDPR. In our first article, we compared the applicability of the regulations and the basis for processing personal data. In the second and third articles, we examined individuals’ rights with respect to their personal data, and the information an organization or business must disclose to individuals about those rights and their personal data. In this article, we examine in more detail how to determine if the CCPA applies to your particular business.
What is a Business under the CCPA?
As noted in our first article, the CCPA seeks to protect the privacy of natural persons who are residents of California. Any company doing business in California (regardless of where it is located) that meets certain thresholds with respect to its gross revenue or revenue from personal information it sells or the amounts of personal information that it buys/receives/sells or shares for commercial purposes must comply with the CCPA.
To qualify as a business under the CCPA, a legal entity must first meet all 3 of the following criteria:
- It operates for a profit or the financial benefit of its owners;
- It collects consumers’ personal information or such information is collected on its behalf and it determines the purposes and means for processing that personal information either by itself or jointly with other entities; and
- It does business in California [Note that although the CCPA does not define “doing business in California”, other California laws and governmental entities provide guidance on this criterion. For example, under the California Tax Code “doing business in California” is one of the requirements to pay taxes in California; therefore, if your company is required to pay taxes in California under that tax code, it is “doing business in California”. In general, “doing business in California” is viewed broadly to include legal entities incorporated in or operating from California, having employees in California, making sales in California or subject to California taxes].
In addition to meeting all 3 of the above criteria, a legal entity must also meet 1 of the following thresholds to be deemed a business under the CCPA:
- Its annual gross revenue exceeds USD 25 million;
- It buys, sells, and/or receives or shares for commercial purposes, the personal information of 50,000 or more consumers, households, or devices; or
- It earns 50% or more of its annual revenue from selling consumers’ personal information.
If a legal entity controls or is controlled by another entity that would be deemed a business under the CCPA, and it has a shared name, service mark or trademark (e.g., common branding), then it would also be considered a business under the CCPA.
As noted in our first article, the CCPA defines personal information to include data that identifies or can be linked to a household, as well as a particular consumer. In addition, as we noted in a previous article, the sale of this personal information does not need to involve monetary benefit. If personal information is shared to another business or other third party for other valuable consideration, it is still deemed to be a sale under the CCPA. For further details on the sale of personal information under the CCPA, see our second article.
Other Entities under the CCPA
In addition to establishing criteria to define a “business” the CCPA recognizes two other entities: service providers and third parties. We will address those, and their relationship to businesses, in our next article.