The CCPA sits somewhere in between consumer law and privacy law. This creates some confusion as to which personal information the law applies to. Does it apply to all businesses? Does it apply to employee data and business-to-business transactions? And what about nonprofits?
- Does the CCPA apply to all businesses?
- Does the CCPA only apply to California businesses?
- Does the CCPA apply to non-residents?
- Does the CCPA apply to employees and business-to-business transactions?
- Does the CCPA apply to nonprofits?
Let’s find out!
Does the CCPA apply to all businesses?
No. The CCPA only applies to large or data-intensive businesses.
More exactly, the CCPA applies to companies if they do business in California and:
- have a gross annual revenue of over $25M
- buy, sell, or share the personal information of 100,000 or more California residents, households, or devices
- make half their revenue or more from selling the personal information of California residents.
This rule is somewhat complex, so let’s break it down.
The requirement to do business in California is mandatory. If you don’t do business in California, then the CCPA does not apply to you.
On the other hand, criteria 1, 2, and 3 are alternative. For instance: if a company does business in California, and half its revenue comes from selling personal information of California residents, then the CCPA applies regardless of the company’s size and annual revenue.
Does the CCPA only apply to California businesses?
No. The CCPA applies to companies that do business in California, as long as any one of the other criteria is met. So, a multinational corporation with a turnover in the billions must comply with the CCPA if it does business in California, whether it is established in California, Delaware, or France.
This is what lawyers refer to as the extra-territorial reach of privacy law. Extra-territorial reach is very common in privacy law, and for good reason. The Internet has no physical boundaries, so personal data often flow between jurisdictions. If the reach of privacy laws were limited, most of its protections would become ineffective.
Just think of how many US Big Tech you provide with your personal data on a daily basis. If Google and Apple could ignore the GDPR entirely, then what would be the point of imposing all sorts of rules and requirements on European organizations?
Does the CCPA apply to non-residents?
No, the CCPA does not apply to the personal information of non-residents. Only California residents have rights under the CCPA. This is a bummer because Silicon Valley giants process enormous amounts of personal information from non-residents all over the world.
This is in sharp contrast with the GDPR because people have rights under the GDPR regardless of where they are and live. If an Italian company processes personal data from California residents, those residents have the exact same rights under the GDPR as Italian or Dutch citizens.
Does the CCPA apply to employees and business-to-business transactions?
Yes, the CCPA applies to both employee information, and personal information reflecting business-to-business (B2B) transactions.
These categories of personal information did not originally fall under the CCPA because the law included temporary exemptions. These exemptions expired in 2022 and were not renewed. As a result, these personal information fall under the CCPA since 2023.
Does the CCPA apply to nonprofits?
As a general rule, the CCPA does not apply to nonprofits.
However, there can be exceptions for nonprofits which are strictly connected to a business. There are precise requirements for this under the CCPA:
- a business owns 50% or more of the voting securities for an entity, or controls at least 50 % of the voting power;
- the entity and the business share common branding;
- the business shares consumer’s personal information with the other entity.
These criteria are actually part of the definition of a business under the CCPA. So, when an entity fits these criteria, is considered to be a business under the CCPA and is subject to the same obligations as a business under the law whether it operates for profit or not.
These criteria are fairly strict overall. In practice, most nonprofits can rest assured that the CCPA does not apply to them- although this is no excuse to be lazy and disregard privacy!
Hopefully this helped you understand the CCPA a little better. We like explaining privacy law because we care about privacy. This is why we built Simple Analytics to provide organizations with all the insights they need, without collecting personal data or tracking visitors! If this sounds good to you, feel free to give us a try!