The California Consumer Privacy Act ("CCPA") was enacted in early 2018 as a political compromise to stave off a poorly drafted, and plaintiff’s friendly ballot initiative.  Although the CCPA is scheduled to go into force in early 2020, there is a great deal of confusion regarding the requirements of the CCPA, including the degree to which it aligns with other privacy regulations such as the European General Data Protection Regulation (“GDPR”).

To help address that confusion, BCLP published the California Consumer Privacy Act Practical Guide, and is publishing a multi-part series that discusses the questions most frequently asked by clients concerning the CCPA.

Q. Does the CCPA apply to non-profits?

No.

The CCPA applies to “businesses.”  The Act defines that term to include any legal entity (e.g., corporations, associations, partnerships, etc.) that is “organized or operated for the profit or financial benefit of its shareholders or other owners.”¹  This accords with the fact that non-profits are exempt from many of the data privacy and security regulations within the United States – in particular they are largely exempt from enforcement by the Federal Trade Commission, and, therefore, are exempt from compliance with the rules, regulations, and guidance of the Federal Trade Commission to the extent that such rules, regulations, or guidance are not incorporated in state laws that do apply to the non-profit.

In comparison, the European GDPR does not contain any exemptions for non-profit organizations. 

1. CCPA, Section 1978.140(c)(1).