Which Companies Are Excluded from California’s California Consumer Privacy Act (CCPA)?

Introduction

The California Consumer Privacy Act (CCPA) of 2018 is a significant piece of legislation that provides California residents with enhanced rights over their personal data. Understanding which companies are covered by the CCPA is crucial for businesses operating in or targeting the state. Conversely, understanding which companies are excluded is also important for compliance and legal purposes. This article delves into companies that are excluded from the CCPA, offering clarity and guidance based on the statutory requirements.

Understanding the Covering Entities

To start, let's look at the companies that are subject to the CCPA. According to Civil Code Section 1798.140c, a Business is defined as follows:

It is a sole proprietorship, partnership, limited liability company, corporation, association, or other legal entity that collects consumers' personal information or on behalf of which such information is collected. The business alone or jointly with others determines the purposes and means of the processing of consumers' personal information. The business does business in the State of California. The business meets at least one of the following thresholds: Annual gross revenues in excess of twenty-five million dollars ($25,000,000), adjusted as per paragraph 5 of subdivision (a) of Section 1798.185. Alone or in combination, annually buys, receives for the business's commercial purposes, sells, or shares for commercial purposes, alone or in combination, the personal information of 50,000 or more consumers, households, or devices. Derives 50 percent or more of its annual revenues from selling consumers' personal information.

Additionally, any entity that controls or is controlled by a business as defined above and that shares common branding with the business is also subject to the CCPA.

Companies Excluded from the CCPA

For companies to be excluded from the CCPA, all of the following conditions must be met:

Annual revenue is less than or equal to $25 million The company has personal information about fewer than 50,000 consumers, households, and devices The company derives less than 50 percent of its annual revenue from selling consumers' personal information

Companies that meet all of these criteria do not have to comply with the CCPA. However, it is important to note that merely falling under these criteria does not guarantee absolute exclusion from other potential state or federal regulations.

Key Points for Exclusion

Revenue Threshold: Companies with annual revenues under $25 million are less likely to be subject to the CCPA. Customer Base: Companies handling personal information of fewer than 50,000 consumers, households, or devices are usually not under the CCPA’s purview. Sales of Personal Information: Companies that do not derive 50 percent or more of their revenue from selling personal information are generally excluded.

Important Considerations

It is crucial to remember that compliance with the CCPA is not a one-time task but an ongoing obligation for businesses that fall within the act’s scope. Companies that are not subject to the CCPA should still remain vigilant and ensure they are compliant with other relevant state and federal regulations. Additionally, the legislative landscape is constantly evolving, and businesses must stay updated to avoid potential legal pitfalls.

Note: This article should not be considered legal advice. If you have specific questions about your business's compliance with the CCPA or any other legal issue, it is advisable to consult a licensed attorney in the appropriate jurisdiction.

Conclusion

Understanding the companies excluded from the California Consumer Privacy Act (CCPA) is essential for any business operating or targeting the California market. This article provides a clear outline of the criteria for exclusion and emphasizes the importance of staying informed and compliant, especially as regulatory environments continue to evolve.