Who Does The California Consumer Privacy Act Apply To?

By Michelle Lentz On December 18, 2019

Starting January 1, 2020, the California Consumer Privacy Act (CCPA) will enhance privacy rights and consumer protection for residents of California, one of the most populated states in the United States. Companies that don't comply can risk consumer backlash, hefty fines, and possible lawsuits. This new policy is a pretty big deal, but luckily we can help you work through it.

What Is the CCPA?

The CCPA gives any California consumer the right to see all the information a company has saved on them. It also gives Californians the power to request a full list of all the third parties that their data is shared with. Additionally, it allows consumers to sue companies if the privacy guidelines are violated, even if there is no breach.
Consumers also have the freedom to opt out of the sale of their data and must not be discriminated against for doing so. For example, consumers cannot be charged different prices or rates for exercising their CCPA rights.

Who Does the CCPA Apply To?

The CCPA applies to companies that collect personal information of Californian residents, do business in California, and:
  • Have annual revenues of $25 million or more
  • Have personal data on at least 50,000 people, regardless of company size
  • Collect 50% or more of their revenues from the sale of personal data
Companies don't have to be based in California or have a physical presence there to fall under the law. Companies don't even have to be based in the United States to be affected by this law.

Does the CCPA apply to nonprofits?

In most situations, nonprofits won't be impacted by the new law. However, there are a few stipulations that will force some nonprofits to comply. Here's what you need to know. 

While the CCPA generally does not apply to nonprofit entities, it would apply to a nonprofit that
  • controls or is controlled by a for-profit entity subject to the Act; 
  • operates under a brand name it shares with a for-profit entity (e.g., a co-branded corporate foundation);
  • enters a joint venture with a for-profit subject to the Act; or
  • contracts with an entity through an agreement that requires compliance with the CCPA.
If your nonprofit falls into any of these categories, you should pay close attention to the requirements of the CCPA. But even if it doesn't, the law systematizes the general privacy principles individuals have come to expect from those collecting and using their data. So to be safe, it would be good practice for all nonprofits to consider processes and policies that reflect these principles.

California Consumer Privacy Act vs. GDPR

The CCPA doesn't have some of the General Data Protection Regulation's (GDPR) most demanding requirements, such as the narrow 72-hour window in which a company must report a breach. However, in many ways it goes even further.

The GDPR grants consumers the rights to object to direct marketing and restrict the processing of their data, and the CCPA provides consumers with the right to object to the sale of their data.

Being GDPR compliant doesn't necessarily mean you are CCPA compliant. However, if you already took steps needed to comply with the GDPR, you might have already met some of the CCPA requirements. 

What Is the Cost of Non-Compliance?

In addition to the PR nightmare that could follow non-compliance, companies can face a civil penalty of up to $2,500 per violation and up to $7,500 per intentional violation. This means that if you violate the CCPA-guaranteed right of just 100 users, you could be fined up to three-quarters of a million dollars.

Companies have 30 days to comply with the law once regulators notify them of a violation. If the issue isn't resolved, companies will be met with a fine of up to $7,500 per record. The cost of these fines could rack up exceptionally quickly. 

The bill also gives individuals the right to sue for the first time and allows for class action lawsuits if companies don't comply within the 30-day grace period.

How BizStream and Kentico Can Help with CCPA Compliance

This can all seem very daunting, but fortunately, Kentico provides functionality that helps clients comply with the CCPA, and our team knows exactly how to implement it. To facilitate compliance with various laws, you can leverage the Data Protection application. However, the features included still require exact knowledge of how your company gathers, processes, and stores personal data. Our team can help implement the functionality based on the specifics of your website and the legal requirements you want to fulfill.

Fear not, we're here to help! Contact us here to get started!

About the author

Michelle has an eye for design and aesthetics and enjoys applying these principles to business. Merging her love of all things artisan with her business experience, Michelle joined BizStream in 2013 to take on our marketing efforts. Michelle is skilled in web admin, digital marketing, design, content creation, event planning, driving our unique BizStream culture, and more. In her free time, you'll find her gardening, doing houseplant chores, or exploring nature with her husband and two daughters.
