CCPA threshold: Are you subject to California’s privacy law?

A new era of compliance began in January 2020 with the passage of the California Consumer Privacy Act (CCPA), also known as “California’s GDPR,” which required businesses to go beyond simply updating their privacy policies.  

On June 28, 2019, the California Consumer Privacy Act (“CCPA”) was enacted into law, and it went into effect on January 1, 2020. 

The new California law affected thousands of companies that use personal data belonging to almost 40 million California residents, their households, and their devices.

The CCPA is the strictest privacy law in the US, and for several reasons its reach extends far beyond the state’s borders.

CCPA’s goal is to provide consumers with specific rights for protecting the information about themselves that businesses can collect, store, and use for commercial purposes.  

In that respect, it resembles the General Data Protection Regulation (GDPR), which the European Union implemented in 2018.

Voters enacted the California Privacy Rights Act (CPRA) in November 2020, an amendment that builds upon the CCPA.   

On January 1, 2023, the CPRA went into force, giving Californians even more control over the personal information that businesses hold about them.

The CCPA also establishes a private right of action that makes companies liable in civil court for data breaches involving specific categories of personal data.

CCPA Applicability: Who is subject to the CCPA? 

Whether or not its customers are California residents, the CCPA applies to any business operating in California that collects consumers’ personal information, processes it, or shares it with third parties for commercial gain.

Additionally, a business must fit into at least one of these three CCPA thresholds to be subject to it:  

  • Revenue threshold: the business generates more than $25 million in gross annual revenue.
  • Data-volume threshold: the business annually collects and sells, purchases, or shares the personal data of more than 100,000 California consumers, households, or devices.
  • Revenue-source threshold: more than half of the business’s annual revenue comes from selling the personal data of California residents.

The CCPA/CPRA covers your business if it uses personal data from California residents and satisfies any of the above three stated CCPA thresholds, subject to the effective date.  

Even though neither the CCPA nor the CPRA defines “doing business in California,” related legal principles imply that this is a simple requirement to satisfy and does not necessitate having operations or employees in California.  

The scope is further expanded by CCPA’s application to any entity that owns, is owned by, or uses the same branding as a covered business.  

The CPRA broadens this CCPA definition: the covered businesses must exchange personal data with the entity, and using similar branding would make it clear to the average consumer that the entities are owned jointly. 

A joint venture or partnership of firms in which each business has at least a 40% interest is included as a third category of applicable entities under the CPRA. 

Each business that is a part of the joint venture or partnership and the joint venture or partnership itself shall be treated individually as a single business. 

Each company separately keeps the personal information in its possession that it disclosed to the joint venture or partnership.

Although the CCPA/CPRA provides several exemptions to avoid conflict with other data privacy laws, including the Gramm-Leach-Bliley Act (GLBA), which focuses on financial services, and the Health Insurance Portability and Accountability Act (HIPAA), such exemptions are not absolute.   

The CCPA/CPRA may therefore still affect financial services companies, health and life sciences providers, and similar organizations.

What data is subject to CCPA? 

According to the CCPA definition, information must meet four requirements to be termed personal.

  1. Identification Data

Information that identifies a consumer or a household. A person’s real name, Social Security Number, or even a photograph of them fall into this category; these are examples of personal data as defined under the CCPA.

  2. Information That Relates To

This criterion covers information that can identify people or households through its intended use rather than its actual content.

For instance, data collected through cookies or other tracking tools may be categorized as personal data that identifies consumers and forms part of their personal information.

  3. Data That Describes

Pharmaceutical prescriptions, dosages, medicine identification numbers, contact details, and other details that could describe a consumer are all considered personal data under the CCPA.

  4. Information That Could Be Associated With

Internal systems may embed tracking identifiers in business databases and software to keep data organized.

The CCPA counts any information acquired about an individual as personal data, even if that tracking mechanism was not explicitly designed to track people.

How do CCPA and GDPR differ? 

The CCPA seeks to promote transparency and consumer rights in California’s vast data economy.

In contrast, the GDPR aims to establish a “privacy by default” legal framework for the European Union.  

The CCPA gives California consumers a window they can open: they can see which of their data a business has already collected or sold to a third party.

The GDPR offers a door that EU users can close before data processing.  

Legal Basis vs. Opt-Out  

Under the GDPR, websites, organizations, and businesses are required to establish a legal basis for processing data in the EU; the first such basis is the user’s consent.

There is no such framework in the CCPA. 

According to the CCPA, neither a business nor a website needs the user’s permission before processing the user’s data or transferring that data to third parties.   

Instead, the consumer can refuse such data processing, but if the consumer does not take this positive action, data processing may still occur.

Fundamental Rights: CCPA vs GDPR  

Several fundamental rights, such as the right to information, access, and data portability, are covered by both the CCPA and the GDPR. 

The right to deletion (CCPA) and the right to erasure (GDPR), as well as the right to opt-out (CCPA) and the right of prior permission (GDPR), are likewise provisions of both laws, although with minor variations.  

The latter two are not directly comparable: the CCPA’s right to opt out is closer to the GDPR’s right to withdraw consent, and the CCPA has no equivalent of the GDPR’s fundamental requirement of prior consent.

What are the penalties under CCPA?  

Failure to follow the rules established by the CCPA may result in regulatory penalties or legal action from aggrieved consumers, particularly if the complaining parties demonstrate that the company failed to maintain adequate data security or privacy protection.

The sanctions set out in the CCPA are aimed chiefly at companies that are required to comply and fail to do so.

For standard violations, businesses risk paying fines of up to $2,500 per violation.  

These penalties might quickly cost hundreds of thousands of dollars since firms regularly collect personal information from large numbers of customers.  

Businesses can be fined up to $7,500 for intentional violations.   

Although “deliberate noncompliance” isn’t explicitly defined by the law, the most common instance is when a business consistently violates the privacy law despite prior penalties or customer complaints.

Who is exempt from CCPA? 

It’s essential to distinguish between which businesses must comply with the CCPA and which types of data or personal information the law does not cover.

Businesses that are exempt from the CCPA include: 

  • A business is exempt from the CCPA if it never collects data from California residents.
  • A medical service provider that already complies with the Confidentiality of Medical Information Act (CMIA) or the Health Insurance Portability and Accountability Act (HIPAA) is exempt from the CCPA.

Even though the CCPA applies to the business collecting this data, the following data types are exempt:  

  • Personal information collected while the consumer was outside California.

    Be aware that if IP addresses or geolocation data are collected when consumers request services or make transactions, it can be simpler to pinpoint the consumer’s location.

  • Personal data collected from job candidates, employees, and independent contractors during the hiring process.

  • Personal health information collected by a company that already complies with HIPAA or the CMIA; such information is exempt from the CCPA/CPRA.

  • Data collected for clinical trials.

  • Consumer reporting data, such as credit scores and credit ratings.

CCPA compliance with PrivacyPillar’s Automated solutions  

Regardless of whether a firm is subject to regulation by the CCPA, it is still responsible for ensuring adequate security measures and preventing unauthorized access to customer data.  

PrivacyPillar is a must-have automated compliance solution for CCPA and other global privacy regulations, delivering an all-encompassing data management solution.  

Its revolutionary features, such as Discovery-in-Depth, thoroughly identify sensitive information throughout the organization.  

With Next-Gen Data Classification, precise categorization is guaranteed in the ever-changing data landscape.  

PrivacyPillar simplifies complex consent and preferences across your tech stack, providing a deeper understanding of your data and building better customer relationships. 

The metadata-driven data catalog offers clarity by including technical, operational, and business metadata.  

Effortlessly manage consent processes while automating data subject access requests (DSAR) with PrivacyPillar’s streamlined CCPA compliance solutions.  

Furthermore, businesses that adopt PrivacyPillar experience improved data privacy management, increased efficiency, and reduced risks.  

When it comes to addressing these challenges, PrivacyPillar excels at providing robust solutions, making it the go-to partner for privacy and compliance efforts.

Conclusion  

The difficulties with data privacy compliance are increasing, and it’s essential to understand the importance of obtaining permission from customers before collecting, storing, and using their data for any business purposes.  

In addition to California, other states with comprehensive consumer data privacy laws include Colorado (CPA), Connecticut (CTDPA), Utah, and Virginia (VCDPA).    

Additionally, these rules provide consumers more freedom and control over their data, including the right to access and delete it and the choice not to share it with third parties.  

Managing data privacy risk is becoming more complex as more rules are implemented, and automated solutions such as PrivacyPillar’s Privacy-by-Design offerings are a must for businesses in an unpredictable digital landscape.

Modernizing your organization’s system of agreements will help you get ready for privacy laws more than ever.