On August 14, 2020, the Office of Administrative Law ("OAL") approved the California Department of Justice's final California Consumer Privacy Act ("CCPA") regulations and filed them with the California Secretary of State. Prior to approval, some businesses were uncertain as to whether the $25 million revenue threshold was related to revenue generated only from California State sales, California residents, or total global revenues. The California Attorney General's Office has since clarified that limiting the threshold to revenue generated only in California or from California State residents would be inconsistent with the intended broad reach of the CCPA regulations. 

What businesses are regulated by CCPA Regulations?

Businesses Subject to CCPA Enforcement

The CCPA applies to businesses that: 1) do business in the State of California; 2) collect California State resident personal information; and 3) satisfy at least one of the following thresholds:

  • Have annual gross revenue of over $25 million;
  • Buy, receive, sell or share the personal information of 50,000 or more consumers (a "consumer" is defined as a California resident), households or devices for commercial purposes each year; or
  • Derive 50% or more of annual revenue from selling consumer personal information.

Clarifying that annual gross revenue of over $25 million is calculated on total global revenue (regardless of where the revenue is derived from) instead of revenue from California state sales or California residents subjects many more businesses to CCPA enforcement than some had hoped. 

Compliance with CCPA Regulations

Despite the fact that approval of the final CCPA regulations did not occur until August 14, 2020, enforcement of the CCPA began back on July 1, 2020. If they have not already, businesses must take appropriate measures to now comply with the CCPA. Civil penalties range from $2,500 for a non-intentional CCPA violation, to $7,500 for an intentional violation. Additionally, California consumers can bring private rights of action against businesses for data breaches that have exposed non-encrypted and non-redacted personal information to unauthorized third parties.

As readers of this blog know, the privacy-right activist group, Californians for Consumer Privacy, has qualified the California Privacy Rights Act ("CPRA") (which some are calling CCPA 2.0) for the November 3, 2020 ballot. If this measure were to be written into law, California would move one step closer to implementing a GDPR-like privacy regime. In the interim, data privacy will continue to be a hot-button issue across the country. As such, businesses must be mindful of the ever-moving compliance target or face the regulatory and financial consequences of enforcement. 

Related Blog Posts:

CCPA Service Provider Agreements: Accounting for the California Consumer Privacy Act (CCPA)

CCPA Record Keeping Requirements

CCPA Forms: The Right to Opt-Out, Request to Know and Request to Delete

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.