Skip to content

Who Must Comply With CCPA Regulations?

Paige Harris Mar 17, 2022 8:00:00 AM

The ongoing clamor swirling around privacy and personal data led to the creation of laws designed to protect consumers from unscrupulous businesses that sell private and sensitive information about their customers to make a profit. One such law is the California Consumer Privacy Act (CCPA), passed in 2018 to give consumers living in California more control over their data.

But when did the CCPA become effective for businesses? Since the passing of the CCPA, some companies that deal with residents of California still don’t clearly understand who must follow the CCPA. This article explains who is subject to the CCPA, offers some CCPA compliance examples, and examines the role of a service provider under CCPA.CTA CCPA Compliance Graphic

Who’s Subject To The CCPA?

Under the CCPA, any entity that does business with the residents of California is subject to the act. Therefore, if you are a business selling goods or services to Californians, you need to comply with the CCPA. This act gives the residents of California several privacy rights, including:

  • The right to know the kind of personal information collected by businesses and how it’s being used or shared.
  • The right to ask companies to delete their data from their database (with some exemptions).
  • The right to opt-out of personalized advertisements and the sale of their data.
  • The right not to be discriminated against by businesses for exercising their CCPA rights.

The CCPA applies to all enterprises doing business with residents of California. The act requires that companies notify customers about their intention to collect their data and for what purpose. They should also explain their data privacy policies before or during information collection. Even if your business is not physically in California, if it transacts with Californians, it’s still subject to the CCPA.

Additionally, the CCPA applies to businesses that meet one or more of the following criteria:

  • Have an annual gross revenue of $25 million or more.
  • Buy, sell or receive personal information of 50,000 or more residents of California.
  • Receive over 50 percent of their annual revenue from the sale of personal information about consumers residing in California.

The act gives California's Attorney General broad powers to prosecute any business that violates this regulation, even businesses outside the state. Any company that fails to comply with this regulation is liable for hefty fines. 

Some people assume that only companies dealing in goods are subject to the CCPA, but this privacy act also applies to service providers offering services to California residents. 

Who is a service provider under CCPA? The CCPA defines a service provider as any company offering services on behalf of a business using the personal information it receives from the business about consumers. An excellent example of a service provider under CCPA is an email marketer, analytics provider or payment processor. Customer relationship management companies are also service providers under CCPA.  

Final Thoughts

If you sell the personal data you collect from your customers in California, you need to consider the percentage of revenue it provides for your business. If it’s fifty percent or more, your business must abide by the CCPA. 

All companies that are subject to the CCPA need to comply with the regulations by responding to the requests made by their customers asking about the categories of personal data they collect and how they intend to use it. This compliance applies to all companies that do business with the residents of California and meet the provided criteria.

Leave a Comment