With the California Consumer Privacy Act or CCPA, taking effect in January 2020, many business owners, and people in general, have a lot of questions.

• Does CCPA affect me?
• Does CCPA apply to my business?
• Does CCPA apply to me?
• Who is impacted by CCPA?
• Who must comply with CCPA?

These questions, and more, can be answered easily and concisely, and we are here to help you get informative and in-depth answers that will give you a better understanding of whether you and your business meet the CCPA requirements.

CCPA Compliance Criteria

Who does the California Consumer Privacy Act apply to?

The CCPA applies to any businesses that are for-profit. It applies to any entity that collects consumers’ personal data, does business or is operable in the State of California, is accessible to residents of California, and satisfies any of the following thresholds:

• Has an annual gross income in excess of $25 million
• Receives, sells, or shares personal information for 50,000 or more customers and consumers, households, or devices.
• Receives more than half of its annual revenue, whatever that may be, from sales of private consumer data

If your business meets any of the above specifications, CCPA will begin applying to your business on January 1, 2020. 

Even if your business does not, or you believe it does not fall into these categories, it is still important to adhere to the CCPA data privacy compliance regulations. Additionally, it should be imperative to maintain a strict and accurate understanding of the law as it pertains currently or potentially to your business. At any time, the law can be updated or otherwise amended, and your business may become liable for any violations.

CCPA does not apply only to businesses that are based in California. A business does not have to have a physical presence in California or be in the United States at all to fall under this law. Additionally, this law applies to your business even if only a small number of your consumers or users are from California.

It should be noted that an amendment already applied to CCPA that exempts insurance institutions and agents, as well as support organizations, from having to comply with this act. This is because these entities are already subject to similar regulations under the California Insurance Information and Privacy Protection Act, or IIPPA. 

If I am a non-profit do I have to abide by CCPA?

If your business is a non-profit or not-for-profit, you may still be subjected to the regulations of the CCPA.

Under CCPA, a business can be a sole proprietorship, Limited Liability Company, corporation, partnership, association, or any other legal entity that is operated or organized for the profit or other financial benefits of its shareholders or owners. Typically, this would exclude non-profits or not-for-profit entities.

However, CCPA also defines a business as an entity that controls or is otherwise controlled by a business that does meet any of the above parameters. Additionally, any entity that shares common branding with such businesses is also included. For the purpose of identifying and clarifying what “control” means according to the law, it pertains to the following:

• Ownership of, or holding the power to vote on, more than 50 percent of the outstanding shares of the voting security, inclusive of any class, of a business
• Any control of any manner over the election of a majority of the business’ directors, or of individuals that exercise similar functions
• The power and ability to exercise a controlling influence over the management of a company or its interests

Common branding, where CCPA is concerned, refers to any shared names, service marks, or trademarks. This means that even if your business, by itself, does not meet the specifications of the CCPA, it could still be subject to the law due to any controlling entities, or with whom they share common branding.

Even if these specifications do not apply to your non-profit, if you buy or sell 50,000 or more consumer records each year, you will be subject to the CCPA. This includes the collection, purpose determination, and processing of any personal information or data of or about California residents.

What if I am not in California?

Your company does not have to be based in or have any kind of physical presence in the state of California. Your business does not even have to be based in the United States of America or even in the western hemisphere. All that has to be done is for you to conduct any business through, with, or about California or its residents.

In fact, you do not even have to directly conduct business in California or with a California resident. Collecting any personal information from or about a resident of California can make CCPA applicable to you and your business.

This means that if you receive, purchase, rent or access any information, including personal information that is collected passively via cookies as an example, you are subject to the regulations of the CCPA.

Additionally, if the information collected by your company or any controlled third-parties is identified, related to, describes, has the potential to be associated with or could reasonably be linked to, directly or indirectly, with a particular consumer household or device, it will fall under this law.

If the information collected and processed pertains to any individual who is in California for any reason other than a temporary or transitory purpose, or is domiciled in California but is outside of the state for temporary or transitory purposes, this law applies.

CCPA law applies to any business or company that has any customers or users that reside in or are otherwise residents of the State of California. If your company is based in Tokyo but has customers in California, for example, CCPA still applies to you.

Also, in the absence of full informative guidance from the California Attorney General’s office, CCPA includes you and your business if any of the following are true:

• Your headquarters is in the State of California
• You have employees who reside in or are residents of California
• You are a business or corporate entity that is incorporated in California or are an entity that is required to register in California as a “foreign entity” under the existing California corporate and tax law
  • Per a recent amendment made in April of 2019, companies that are not registered in California, which have no physical presence in California, are required to register with the California Department of Tax and Fee Administration (CDTFA). They are required to collect California use tax and pay the tax to the CDTFA based upon the number of sales into California if their sales exceed a certain dollar amount and threshold or if they have more than 200 separate transactions.
• You have ties to the State of California, which in some cases includes repeated sales into the state and ownership of real property within the state

Because anyone in the world can access any website or virtual service request, and subsequently can leave their personally identifiable information on these websites, it is a good idea to abide by CCPA regulations. This will help you to avoid any violations or fines that might otherwise be levied against you or your company.

Is the $25M revenue based on the revenue in California?

The $25 million annual gross revenue requirement is not based solely on revenue made or generated in California or based on California consumers or users.

Thus far, it seems unclear how this revenue requirement will act and operate at the group level for businesses that operate as a group or family of entities. However, it is always a good idea to be over-prepared so that you are not penalized.

The $25 million earned by your business does not need to only apply to revenue generated by residents and consumers of California. In fact, the majority does not even need to be from California residents, sales, or services.

There is no qualifying percentage of sales that has to be applied to a company's overall gross annual revenue to qualify the business to have to abide by and operate under the regulations of CCPA. One qualifying transaction along with any other stipulation or qualifying factor of the legislation could result in your business having to adhere to the CCPA regulations.

Additionally, your business does not even have to be a consumer-facing business or B2C. Despite the name of the California Consumer Privacy Act, as it’s currently drafted, CCPA will apply to any business that meets the listed criteria. This applies even if the business in question does not directly deal with consumers.

Is the buying or selling of the personal information of 50,000 or more consumers or households criteria based on the number of California consumers or households?

No. The criteria are inclusive of all consumer data that the company or business collects, not just what is directly sourced from California. Even if only a small number of your customer base resides in or is a resident of California, you must apply by the rules and regulations of CCPA.

For clarification, if your company or business collects personal data and information on 50,001 users, but only 371 of those users are residents of the State of California, you must still abide by CCPA.

However, a business may not even need to actually collect personal information from consumers to have CCPA apply to and affect them.

Businesses that do not personally collect or process their users’ personal information and data are not necessarily immune to CCPA’s regulations. If the personal information of consumers is collected by a third-party on behalf of a business, the business could still need to legally abide by CCPA regulations, depending on if other criteria of the law are met or otherwise satisfied.

Some businesses mistakenly believe that, since they do not directly partake in the transactions of individual consumers, either as traditional consumers or as individuals purchasing services or goods for their personal, family, or household use, and therefore do not directly collect the personal information of these consumers, that CCPA will not apply to them. This is not the case. Whether your business’s consumers are other businesses or individual consumers makes no difference to the CCPA’s framework.

In this way, it has similarities to the General Data Protection Regulation, or GDPR. If your business does any of the following, it may be subject to the regulations and subsequent non-compliance violations of the CCPA:

• The business decides to collect or process users’ personal data and information
• The business decides what the purpose or outcome of the processing is or will be
• The business decides what data and information should be collected
• The business decides which individuals to collect data and information about
• The business obtains any commercial or financial gain or any other benefit from the collection and processing of the data collected
• The business processes the personal data of a consumer as a result of a contract between the business and the data subject
• The business uses professional judgment in the processing of the personal data
• The business has any direct relationship with the data subjects

Under the language of the CCPA, a consumer is broadly defined and is meant as a natural person who is a resident of the State of California. In accordance with that, when businesses conduct business amongst one another, as affiliates or other, they likely collect and exchange personal information. On a similar note, nearly all modern businesses collect information regarding their employees.

Many employers hoped that there would be amendments put into place to exclude information gathered in the employment context from the CCPA. However, the California Senate Judiciary Committee, in July  2019, clarified that the exception would not be made.

The Privacy and Consumer Protection Committee unanimously approved AB 25, which modified the definition of a consumer under the CCPA to exclude “a natural person whose personal information has been collected by a business in the course of a person acting as a job applicant to, an employee of, a contractor of, or an agent on behalf of, the business, to the extent the person’s personal information is collected and used solely within the context of the person’s role as a job applicant to, an employee of, a contractor of, or an agent on behalf of, the business.”

This caused concerns that the exemptions went too far in terms of eroding the rights of employees in light of current and future workplace monitoring practices.

CCPA was then amended to clarify that, while employee data would be excluded from many of the CCPA’s requirements, employers that were subject to the CCPA would still be required to inform consumers, including their employees, as to the categories of personal information that they collect and the purposes for which such personal information was or shall be used.

The personally identifiable data, as defined under CCPA, is any information that can be related to or otherwise identifies, describes, can be associated with, or reasonably linked, directly or indirectly, with a particular consumer, household, or device. Exceptions to this are covered by other regulatory acts and laws, including HIPAA, and any content that is made publicly available.

Major categories of what constitutes any personal information of an individual consumer or user household include, but are not limited to:

• Identifies that include names, aliases, physical addresses, IP addresses, Social Security Numbers, driver’s license numbers, passport numbers, or similar documents
• Any commercial information including records of property ownership and any projects or services that have been purchased
• Any biometric information
• Any Internet or other electronic network activity information, including any browser history or search history
• Any geolocation data
• Any audio, electronic, visual, thermal, olfactory, or other similar information
• Any professional or employment information that is not publicly available
• Educational information that is not publicly available
• Any inferences that have been made or drawn about an individual based upon any of the above-mentioned information

One thing that does not seem to be covered is de-identified information. De-identified information is similar to the GDPR’s usage of anonymizing information in that it becomes safe, assuming the information cannot be directly linked to any individual, household, or device belonging to or in connection with any relevant, protected residents or consumers.

Contact MatrixPoint for Assistance

Are your business and website compliant with CCPA and ready for the new law to take effect? If not, schedule a consultation with MatrixPoint to learn more about our data privacy management solutions. We can help you understand and prepare for CCPA so that you are in full compliance with the law for 2020.