In evaluating the stringent and wide-ranging obligations of the California Consumer Privacy Act (CCPA) and the amendment to the law known as the California Privacy Rights Act (CPRA) that took effect on January 1, 2023, the first threshold question is whether the law applies to your business. This question is especially crucial given that the law’s reach could include companies physically located outside of the State of California. Below is a brief outline of the criteria prepared by the Fisher Phillips’ Consumer Privacy Team to determine whether your business is subject to the CCPA.
How Much Business Do You Conduct?
Any business that (a) “does business” in California, (b) operates for the profit or financial benefit of its shareholders or owners, (c) collects personal information from one or more California residents (including even a single employee or customer), and (d) satisfies at least one of the following thresholds is subject to the CCPA:
- Has gross annual revenue in excess of $25 million in the preceding calendar year (measured on January 1 of the calendar year)
- Annually buys, sells, or shares the personal information of 100,000 California consumers or households
- Derives 50% or more of its annual revenue from selling or sharing personal information
The following is a non-exhaustive list of what may potentially constitute doing business in the State of California:
____ Engagement in any transaction for the purpose of financial gain within the state
____ Domiciled in or maintains a physical location
____ Has one or more employees or independent contractors located in the state (including a remote worker)
____ Recruits potential job applicants from within the state
____ Markets or sells its products or services in the state
Note there is a lack of specific clarity under existing law as to what may qualify as “doing business” within the state, and therefore you should consult with legal counsel if you have questions.
Do You Control or Are Controlled by Another Business?
Any entity that controls or is controlled by a CCPA-covered business, shares common branding with the CCPA-covered business, and with whom the CCPA-covered business shares personal information could be covered by the CCPA. The test for control includes having majority ownership, a controlling majority of the board seats, or the power to exercise a controlling influence over the management of the company. “Common branding” means a shared name, servicemark, or trademark that the average consumer would understand that two or more entities are commonly owned.
Note that, under this test, the CCPA may be applicable to a nonprofit, franchisee and/or subsidiary of a company.
Do You Operate a Joint Venture or Partnership?
Since the CCPA amendment that took effect January 1, 2023, your business could be subject to the CCPA if you operate a joint venture or partnership composed of CCPA-covered businesses in which each business has at least a 40% interest.
Have You Voluntarily Certified Compliance?
Finally, any entity doing business in California that voluntarily certifies to the California Privacy Protection Agency that it is in compliance with and agrees to be bound by the CCPA will be subject to the law.
