What businesses are subject to the CCPA?

Published by cjp18 on

The CCPA – California’s Consumer Privacy Act of 2018 – has been in the headlines for many reasons. Of particular note, the law grants certain rights to resident-consumers to be forgotten (i.e. to demand that their personal information be deleted from the business’ records) and to file a lawsuit without advance regulatory action. But are all businesses that do business with California residents subject to the CCPA? Thankfully, no.

Generally speaking, according to the CCPA, a business must comply with the law if:

  • The business is for-profit;
  • It directly or indirectly collects consumers’ personal information and determines the purposes and means of processing the personal information;
  • It does business in California and has customers who are natural persons and California residents; and
  • It satisfies any one or more of the following criteria:
      • It has annual gross revenues greater than $25,000,000 (subject to CPI changes);
      • Annually buys, receives for its commercial purposes, sells, or shares for commercial purposes, alone or in combination, the personal information of 50,000 or more consumers, households, or devices; or
      • Derives 50% or more of its annual revenues from selling customers’ personal information.

As used in the CCPA, “personal information” is defined broadly. Generally speaking, it includes information that identifies or is capable of being associated with a consumer or household. However, personal information that is collected, processed, sold or disclosed pursuant to certain other laws (e.g., the Gramm-Leach-Bliley Act) is exempt to the extent the CCPA conflicts with the other laws. Hence, if a business is the collector, processor, seller, or discloser of the exempt personal information, it may not be subject to the CCPA.

If a business falls within the description above and is not exempt, it must, among other requirements, disclose the consumer’s rights: within its online privacy policy if the business has one, or on the business’ website if it does not. In an upcoming blog, I will address the myth that every business with a website must post a privacy policy.

The complete text of the CCPA can be found here.

If you’re experiencing deja vu, there is another law sometimes referred to as the CCPA – the Consumer Credit Protection Act of 1968, a federal law. Among other things, U.S. consumers can thank that law for mandated disclosures of finance charges and the Truth in Lending Act.

Do you have concerns about your business’ obligations under California’s Consumer Privacy Act of 2018? If so, reach out.
