
Who does the CCPA apply to?

Ensure your business meets CCPA requirements and find out who must comply with the CCPA, including criteria for businesses and exemptions for government agencies.
Last updated
November 1, 2024

The California Consumer Privacy Act (CCPA), enacted to protect consumer data privacy, applies to a wide range of businesses both within and outside California. While the law primarily protects California residents, any company meeting specific criteria must comply to ensure consumers have control over their personal information.

What is the CCPA?

The CCPA is a comprehensive data privacy law that grants California residents rights over their personal information, including:

  • Right to know: Consumers can know what personal data is collected, used, or shared.
  • Right to delete: Consumers can request deletion of their personal information.
  • Right to opt-out: Consumers can prevent the sale of their personal data.
  • Right to non-discrimination: Businesses must not penalize consumers for exercising their CCPA rights.

Who does the CCPA apply to?

While the CCPA benefits residents of California, it applies to businesses outside of the state as well.

The CCPA applies to for-profit businesses operating in California that meet any of the following criteria:

  1. Annual revenue: Businesses with annual gross revenues over $25 million.
  2. Data volume: Companies buying, selling, or receiving personal data from 50,000 or more California residents, households, or devices annually.
  3. Revenue from data sales: Businesses deriving 50% or more of their annual revenue from selling California residents' personal information.

Given these criteria, the CCPA is likely to affect advertisers, wherever they may be located.

Does the CCPA apply to companies outside California?

Yes. If a business, regardless of its headquarters, collects data from California residents or targets California consumers with products or marketing, it must comply with CCPA regulations.

Do I have to comply with CCPA?

You must comply with CCPA if your business operates in California and meets one of these criteria: it has annual revenue over $25 million, collects data from 50,000+ California residents, households, or devices, or earns 50% or more of annual revenue from selling California residents' data.

Does CCPA apply to government agencies?

No, the CCPA generally does not apply to government agencies or nonprofits. It specifically targets for-profit businesses. However, if a government agency engages in data sales or certain other activities, it may voluntarily choose to follow CCPA guidelines to promote data privacy standards.

Quite a few states across the US are already proposing similar bills, and some have even enacted laws regarding the CCPA data subject access request as a way of keeping up with the changing times.

Essential items to note when it comes to privacy laws in the United States

  • Local governments all over the United States currently collect and maintain databases of personally identifiable information (PII) and, in some cases, sell it to companies.
  • According to various reports, the Los Angeles Department of Transportation obtains geo-data from hundreds or even thousands of dockless scooters available for use all over the city.
  • The California Department of Motor Vehicles can drum up close to $50 million in revenue selling drivers' personal data.

What local governments need to learn from CCPA

With the introduction of CCPA, local governments will have no choice but to prepare for the very likely event of having to change their public records management systems. It becomes likely as more and more constituents find out how their personal information is being gathered and shared. Bills in other states are also expected to take their cues from CCPA, which provides Californian consumers with the right to:

  • Ask for all the data a company has collected on them and saved over the last twelve months.
  • Ask for the deletion of any data related to them.
  • Learn how their data is processed.
  • Ask to see a list containing data of all the third parties who may have access to their information.
  • Refuse the sale of their data to third parties.
  • Seek legal action against companies or organizations that violate the privacy guidelines.

One of the significant issues raised with CCPA is that it excludes California's local and state governments from its rules on the collection and use of personal data. However, this doesn't mean that such agencies are off the hook.

Example of Do not sell my personal information page

Key compliance steps for CCPA

  1. “Do not sell my personal information” link: Place this opt-out link prominently on your website to allow consumers to opt out of data sales.
  2. Privacy policy updates: Outline all consumer rights, data categories collected, and methods for exercising those rights in an accessible privacy policy.
  3. Data request processes: Enable channels for consumers to submit data access or deletion requests and ensure timely response.
  4. Minor consent: Obtain parental consent for consumers under 13, or direct consent from teens aged 13-16 for data sales.

Read more: Your CCPA compliance checklist

Why CCPA compliance is essential for businesses nationwide

Even if CCPA only applies directly to California, its influence is far-reaching. States like Virginia and Colorado are implementing similar laws, making compliance essential for any business that collects consumer data in the U.S. CCPA-compliant businesses can build trust with privacy-conscious consumers and position themselves for success in a data-driven market.

Go further: Top tips for CCPA compliance software

Published
September 29, 2021