Who Must Comply With The CCPA?

July 20, 2020


The CCPA is the California Consumer Privacy Act of 2018, presented as Senate Bill No. 1121, and enacted on January 1, 2020. It was inspired in part by the General Data Protection Regulation passed by the European Union and enacted in all its member states.


The CCPA is geared toward protecting consumer privacy, including the right to access any personal information the business has collected on the consumer in the prior 12 months, the right to delete any personal information about the consumer collected by the business, the right to know that a business will even collect personal information, and the right to request that personal information not be sold.


What Factors Are Considered For CCPA Requirements


"The CCPA applies to for-profit businesses that do business in California and meet any of the following: have a gross annual revenue of over $25 million; buy, receive, or sell the personal information of 50,000 or more California residents, households, or devices; or derive 50% or more of their annual revenue from selling California residents’ personal information," according to the State of California's Office of the Attorney General.


This Act does not, however, apply to nonprofits or government agencies. Interpret that as you will.


(Editorial note: This is by no means an exhaustive overview of the CCPA, nor is it in any way legal advice for any business.)


In case you were wondering, "'doing business' [in California] means actively engaging in any transaction for the purpose of financial or pecuniary gain or profit," according to California Revenue and Tax Code §23101(a).


"Personal information" means data that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household, according to the CCPA. If that applies to the data a business is collecting in the state of California, it's a safe bet to assume that the CCPA applies to them.


Do I Have to Delete Customer Data to be CCPA Compliant?


When it comes to deleting that personal information, there are a few loopholes (nine) that cause a business to no longer be required to do so, if it is necessary for a business to:


1. Complete a transaction for which the personal information was collected, provide a good or service requested by the consumer, or otherwise fulfill a contract

2. Detect security incidents and protect against malicious, deceptive, fraudulent, or illegal activity; or prosecute those responsible for that activity

4. Exercise and ensure the right to free speech

5. Comply with relevant privacy acts

6. Engage in research that adheres to ethics and privacy laws, when the deleted information would seriously impair the achievement of the research, provided the consumer has already given informed consent

7. Enable internal uses of the information that are within reason, based on the relationship between the consumer and the business

8. Comply with legal obligation

9. Otherwise use the information internally in a way that's compatible with the previously listed criteria


See Civil Code section 1798.145 for more exceptions.


Not only are businesses that directly collect personal information impacted by the CCPA, but third parties are also required to adhere to the CCPA.


The CCPA requires that a third party cannot sell personal information sold to them "unless the consumer has received explicit notice and is provided an opportunity to exercise the right to opt-out pursuant to Section 1798.120."


To add to the topic of who must comply with the CCPA, it's important to bring to attention the nature of their compliance — note that there's a non-discrimination clause for Californian residents.


"Businesses cannot deny goods or services, charge you a different price, or provide a different level or quality of goods or services just because you exercised your rights under the CCPA.


"However, if you refuse to provide your personal information to a business or ask it to delete or stop selling your personal information, and that personal information or sale is necessary for the business to provide you with goods or services, the business may not be able to complete that transaction," according to the California state attorney general.


There is certainly much more to the topic of CCPA compliance and adherence, so please do not consider this an exhaustive overview of who does and does not have to follow this act. Do some research of your own and see how you can best serve your consumers.


Learning about CCPA compliance is one thing, becoming CCPA compliant can be a whole other adventure. Get in touch with us to go over your CCPA compliance needs and we'll get you taken care of. Give us a call at 1.888.262.6925!