CCPA Primer

Lesson 2 | Which companies need to comply with CCPA?

Download Lesson PDF

Does CCPA apply to me?

CCPA lays out several concrete criteria to determine if CCPA applies to your company. The criteria do not explicitly require every company in CA, or every company that collects data on CA residents, to comply with CCPA.

The first two criteria are mandatory.

  1. Your company is a for-profit company. Non-profit organizations and government agencies do not need to comply with CCPA.
  2. Your company must collect and store data on CA residents. CCPA defines “collect” as “buying, renting, gathering, obtaining, receiving, or accessing any personal information.”

Assuming your company answers the top two criteria in the affirmative, your company must meet 1 of the following three criteria. These criteria are designed to disqualify smaller companies.

  • Annual revenue is greater than $25M. The goal with this criterion was to save smaller companies from the burden of complying with CCPA. $25M in annual revenue is a bar that eliminates small businesses but automatically includes all medium to large companies.
  • Collect data on more than 50,000 CA residents, households, or devices. 50,000 records as a criterion feel arbitrary. 50,000 data records, even if just for CA residents, is not a high number for a technology company. 50,000 records represents roughly 0.1% of the population of California. If a technology company sells a product directly to the end-user, this is low penetration. If a company sells to businesses, several large business customers mean the company will hit the threshold of the 50k record.
  • At least 50% of revenue comes from selling data on CA residents. The revenue requirement is the most interesting criterion that penalizes smaller businesses with a large presence and focus on CA. I think this criterion should be any business that collects data on CA residents and has a business model of selling data. Other than the for-profit criteria, this is the only criterion that assesses the business model of companies in determining whether CCPA applies.

That’s it in terms of qualifiers for CCPA. Most technology companies are for-profit and have a presence in CA, meaning they have users / customers in CA, so that leaves the sizing and business model criteria as the determining factor.