Less than four months remain before the California Consumers Protection Act 2018 comes into force on January 1, 2020. The State of California is the first US state to develop a comprehensive legal framework for the privacy and protection of consumer data. Fewer than 30% of businesses, in the state and worldwide, have made any effort towards CCPA regulatory compliance. The rest either do not know what to do or are not sure whether they fall under the CCPA regulatory compliance net.
Before we proceed, it is worth stating who counts as a Californian resident under the laws of the State. Any person who “is in California for other than a temporary or transitory purpose”, and any person who “is domiciled in California, but is outside the state for temporary or transitory purposes”, is deemed to be a Californian resident.
First off, CCPA regulatory compliance is required of virtually all companies worldwide, so long as they are “doing business in California”. Beyond stating this broad concept, the act gives little detail about what the phrase means exactly. As such, Californians have resorted to definitions of similar concepts found in similar laws in the state. One such source is the Californian Franchise Tax Board, which defines companies doing business as those that “actively engage in any transactions for financial or pecuniary gain.”
Although the word “controller” is absent from the CCPA, its definition of a “business” is similar to the GDPR’s definition of a controller. Businesses that are controllers of personal information fall under the CCPA regulatory compliance net. According to the 2018 Act, a business is any entity that “determines the purposes and means of the processing of consumers’ personal information”.
For a business to fall under the CCPA regulatory compliance net, it must meet any one of the three thresholds below.
- Annual gross revenue is over $25 million.
- Controls the personal information of at least 50,000 Californian residents, households or devices per year. This applies even where the company buys, receives, sells or shares the personal information of Californian residents.
- 50% or more of the company's annual revenue is derived from selling California consumers’ personal information.
Subsidiaries or child companies sharing “common branding” with any business that meets one of the thresholds above will also be caught within the CCPA regulatory compliance net. It is immaterial that the subsidiary or child company itself does not meet the threshold requirements.