Does the California Consumer Privacy Act Apply to Your Business?

Does the California Consumer Privacy Act (CCPA) Apply to Your Business?

In evaluating the stringent and wide-ranging obligations of the California Consumer Privacy Act (CCPA) and the amendment to the law known as the California Privacy Rights Act (CPRA) that takes effect on January 1, 2023, one of the threshold questions is whether the law applies to your business. This question is especially crucial given that the law’s reach could include companies physically located outside of the State of California. Below is a brief outline of the criteria to determine whether your business is subject to the CCPA.

How Much Business Do You Conduct?

Any business that operates for the profit or financial benefit of its shareholders or owners, collects personal information from one or more California residents (including even a single employee or customer), and satisfies at least one of the following business thresholds, could be subject to the CCPA:

  • Has gross annual revenue (from anywhere in the world) in excess of $25 million
  • Annually buys, receives, sells, or shares for commercial purposes the personal information of 50,000 or more California consumers, households, or devices
  • Derives 50% or more of its annual revenue from selling personal information
  • Once the CPRA takes effect on January 1, 2023, these thresholds will be updated as follows:
  • Has gross annual revenue in excess of $25 million in the preceding calendar year (measured on January 1 of the calendar year)
  • Annually buys, sells, or shares the personal information of 100,000 California consumers or households
  • Derives 50% or more of its annual revenue from selling or sharing personal information

This first category only applies to those entities that do business in California. The following is a non-exhaustive list of what may potentially constitute doing business in the State of California:

Young man assessing deadlines for COVID health beenfit appeals.
  • Engagement in any transaction for the purpose of financial gain within the state
  • Domiciled in or maintains a physical location
  • Has one or more employees or independent contractors located in the state

  • Recruits potential job applicants from within the state

  • Markets or sells its products or services in the state

Note there is a lack of specific clarity under existing law as to what may qualify as “doing business” within the state, and therefore you should consult with legal counsel if you have questions.

Do You Control or Are Controlled by Another Business?

Any entity that controls or is controlled by a CCPA-covered business and shares common branding could be covered by the CCPA. The test for control includes analyzing majority ownership, a controlling majority of the board seats, or the power to exercise a controlling influence over the management of the company.

Mid adult Chinese woman in business meeting with multi ethnic colleagues

Once the law’s amendments take effect on January 1, 2023, the sharing of consumers’ personal information by the CCPA-covered for-profit business will added as a criterion. Also, the definition of “common branding” will been expanded.

Note that, under this test, the CCPA may be applicable to a nonprofit, franchisee and/or subsidiary of a company.

Do You Operate a Joint Venture or Partnership?

Starting January 1, 2023, your business could be subject to CCPA applicability if you operate a joint venture or partnership composed of CCPA-covered businesses in which each business has at least a 40% interest.

Have You Voluntarily Certified Compliance?

Finally, any entity doing business in California that voluntarily certifies to the California Privacy Protection Agency that it is in compliance with and agrees to be bound by the CCPA will be subject to the law.


The CCPA rules seem to expand with each go- ’round with the regulators. It is important to stay on top of the changing rules. Contact your GBS Consultant if you need consultation with Fisher Phillips, the GBS + Leavitt Group preferred partner for employment law and all of  your CCPA needs.

Originally published by Fisher Phillips, a GBS + Leavitt Group partner for compliance (Usama Kahf, CIPP/US; Darcey M. Groden, CIPP/US; Anne Yarovoy Khan, Of Counsel; Jenna Rogenski, Associate; Christopher M. Champine, Associate; Anthony Isola, Partner; and, Benjamin M. Ebbink, Partner). Republished with permission. Some content by Leavitt Group.
Get CRITICAL employee benefits information delivered right to your inbox!
Featured Post
Recent posts