Does the CCPA Apply to Your Business?

With the CCPA going into effect soon, and the look back period already in place for the current time period, I thought it would be helpful to lay this out, as the CCPA has gone through some amendments and there is some confusion out there about the CCPA’s scope.

If your company falls into either 1 or 2 below (or both), then it is subject to the CCPA and should comply with its requirements:

1. The company (i) is a for profit business, (ii) that does business in the State of California (there is a legal test to determine this), (iii) that collects, or has collected for it, California consumer’s personal information and determines the processing of such information

AND

the company also meets at least one of the following factors: (x) it has at least $25,000,000 in annual gross revenue, (y) it buys, sells, shares or receives the personal information of at least 50,000 California consumers each year, or (z) it receives at least half of its annual revenue from “selling” California consumer’s personal information.

2. The company controls or is controlled by a business that meets the requirements in 1. above.

Updates to the California Consumer Privacy Act of 2018

We introduced the California Consumer Privacy Act of 2018 (CCPA) before, and there has been some updates since then.  While the CCPA was to take effect on January 1, 2020, the date of effectiveness and the date when the California Attorney General has to promulgate the regulations for same has been pushed back to July 1, 2020.  Similarly, the time of enforcement of same is to be that date if the regulations are published then and if not, then six months from the date of publication of the regulations.


There was lobbying in California regarding the private right of action in the CCPA and there was some language added to clarify the limits of consumer suits against companies.

On the federal level, Senator Marco Rubio introduced what he called the American Data Dissemination Act (and used the acronym “ADD Act”), which he presents as a federal data protection bill which would require the FTC to promulgate national regulations on data protection and would explicitly preempt state laws like the CCPA. It is to be based on the antiquated Privacy Act of 1974. Its unclear without specific statutory language or regulations on the ADD Act to determine the reasons for its genesis. If it were to follow the European model, an entirely new statutory scheme would likely be needed. The purpose could also be to halt the rise of 50 different data protection laws, one from each state. In any event, the members of Congress have been getting heavily lobbied by the US Chamber of Commerce and other business groups. It should be interesting to see how it all plays out. Companies should not however, presume that the CCPA will be pre-empted and should begin to prepare for same now.