Data Protection Report - Norton Rose Fulbright

This is the Data Protection Report’s second blog in a series of blogs that will break down the major elements of the CCPA which will culminate in a webinar on the CCPA in October. This blog focuses on covered entities. Stay tuned for additional blogs and information about our upcoming webinar on the CCPA.

California’s new privacy law, the California Consumer Privacy Act (CCPA) grants California residents extensive new privacy rights. One of the more significant aspects of the law however, is the number of business entities to which it applies. Companies around the world must comply with the CCPA if they do business in California, collect consumers’ personal information, and determine the purposes and means of processing that information. Companies must also meet one of three criteria: (a) have annual gross revenue in excess of $25 million; (b) buy, receive, or sell personal information of at least 50,000 California consumers, households, or devices; or (c) derive at least 50% of its annual revenue from selling California consumers’ personal information. Consumer is defined as a natural person who is a California resident. The new rules may also apply to parent companies and subsidiaries that share common branding with the business.

The CCPA applies to a broad number of businesses, covering nearly all commercial entities as long as there is a California nexus. The International Association of Privacy Professionals estimated that the CCPA will affect upwards of 500,000 U.S. businesses, including those that sell goods or services to California residents even if the business is not physically located in California. Further, while the CCPA does not apply to conduct that takes place wholly outside of California, California is estimated to make up about 13% of the U.S. marketplace, which is more than any other individual U.S. state.

A major criticism of the CCPA is that it does not apply to the collection and use of consumers’ personal information by California state and local government agencies. However, there is already some discussion of passing additional legislation to apply similar controls to California government authorities. The CCPA does not apply to non-profit organizations.

See our earlier blog with a summary of CCPA’s major provisions here.

Stay tuned for our next blog article on the expended definition of personal information under the CCPA.