California and European Privacy FAQs: Does a company need to generate revenue in the United States in order for US privacy laws to apply?

BCLP

The California Consumer Privacy Act ("CCPA") was enacted in early 2018 as a political compromise to stave off a poorly drafted and plaintiff-friendly ballot initiative. Although the CCPA is scheduled to go into force in early 2020, there is a great deal of confusion regarding the requirements of the CCPA, including the degree to which it aligns with other privacy regulations such as the European General Data Protection Regulation (“GDPR”).

To help address that confusion, BCLP published the California Consumer Privacy Act Practical Guide, and is publishing a multi-part series that discusses the questions most frequently asked by clients concerning the CCPA. 

Q. Does a company need to generate revenue in the United States in order for US privacy laws to apply? 

In general, United States data privacy and security laws do not require that a company generate revenue within the United States in order for them to apply. That said, some state privacy and security laws apply only to entities that “conduct business” within a state. While revenue generation may be one factor that a court might consider when determining whether an entity conducts business within a state, it is not the only factor that a court is likely to examine. For example, some courts may find that an entity has conducted business within a state if it has employees within the state, advertises within the state, or provides free services within a state.

With specific regard to California’s CCPA, the act applies to “businesses,” a term that is defined, in part, as requiring that an organization meet one of the following three thresholds:

  1. Annual gross revenue in excess of $25 million,
  2. Purchases, receives for commercial purposes, sells, or shares for commercial purposes, personal information of 50,000 or more consumers, or
  3. Derives 50% of annual revenue from selling consumer personal information.1

While the three thresholds contained within the definition of a “business” have yet to be interpreted by a court, it is worth noting in connection with the first revenue-oriented threshold that the statute does not specify whether the $25 million must be generated within the state of California.

In comparison, the GDPR applies to companies that process data “in the context of the activities of an establishment . . . in the Union.” 2  While the regulation does not offer a precise definition of what it means to be an “establishment,” in Google v. Spain, the European Court of Justice implied that if an American company has an EU-based subsidiary that it uses to generate revenue (in that case a Spanish subsidiary was selling advertising space) the subsidiary would be considered an "establishment" within the European Union. 3  The European Data Protection Board has also reiterated that “Revenue-raising in the EU by a local establishment, to the extent that such activities can be considered as ‘inextricably linked’ to the processing of personal data taking place outside the EU and individuals in the EU, may be indicative of processing by a non-EU controller or processor being carried out ‘in the context of the activities of the EU establishment’, and may be sufficient to result in the application of EU law to such processing.”4

The net result is that in-country revenue generation in both the United States and Europe may be relevant when analyzing whether a specific data privacy or security statute applies, as it may inform the decision about whether an entity conducts business within a state (in the context of some US laws) or whether an entity has an establishment within Europe (in the context of the GDPR). In both jurisdictions, however, revenue generation within the jurisdiction is not a sine qua non for determining jurisdictional reach.


1. CCPA, Section 1798.140(c)(1)(A)-(C).

2. GDPR, Article 3(1) (emphasis added).

3. Google Spain SL, Google Inc. v. AEPD, Mario Costeja González, ECJ Case C-131/12 at ¶ 49 (13 May 2014).

4. EDPB, Guidelines 3/2018 on the territorial scope of the GDPR (Article 3) – Version for public consultation (16 Nov. 2018).
