USA - California: Revenue-Based Applicability

California Jurisdiction: Revenue-Based Applicability in CCPA

The California Consumer Privacy Act (CCPA) establishes thresholds based on revenue that determine the applicability of the law to businesses. This factor is pivotal in extending the CCPA’s scope to entities with significant financial operations, even if those entities are not primarily engaged in data processing activities.

Text of Relevant Provisions

CCPA Sec.1798.140(d)(1)(A):

"(d) 'Business' means: (1) A sole proprietorship, partnership, limited liability company, corporation, association, or other legal entity that is organized or operated for the profit or financial benefit of its shareholders or other owners, that collects consumers’ personal information, or on the behalf of which such information is collected and that alone, or jointly with others, determines the purposes and means of the processing of consumers’ personal information, that does business in the State of California, and that satisfies one or more of the following thresholds: (A) As of January 1 of the calendar year, had annual gross revenues in excess of twenty-five million dollars ($25,000,000) in the preceding calendar year, as adjusted pursuant to paragraph (5) of subdivision (a) of Section 1798.185."

CCPA Sec.1798.140(d)(1)(C):

"(d) 'Business' means: (1) A sole proprietorship, partnership, limited liability company, corporation, association, or other legal entity that is organized or operated for the profit or financial benefit of its shareholders or other owners, that collects consumers’ personal information, or on the behalf of which such information is collected and that alone, or jointly with others, determines the purposes and means of the processing of consumers’ personal information, that does business in the State of California, and that satisfies one or more of the following thresholds: (C) Derives 50 percent or more of its annual revenues from selling or sharing consumers’ personal information."

Analysis of Provisions

CCPA Sec.1798.140(d)(1)(A) sets a clear revenue threshold by applying the CCPA to businesses that exceed $25 million in annual gross revenue. This threshold is significant as it brings larger entities within the scope of the law, even if their primary business activities are not related to the sale or processing of personal data. The inclusion of this revenue-based threshold ensures that businesses with substantial financial operations are held accountable for their data processing activities, irrespective of whether data handling is their core business.
CCPA Sec.1798.140(d)(1)(C) further extends the applicability by focusing on businesses that derive 50% or more of their revenue from selling or sharing consumers’ personal information. This provision specifically targets entities that monetize personal data as a substantial part of their business model, ensuring that such companies are subject to the CCPA’s regulations.
The rationale for these provisions is to ensure that significant players in the data economy, particularly those with substantial financial resources or a business model reliant on personal data, are regulated under the CCPA. This prevents large companies from evading regulatory oversight due to the nature of their operations or financial scale.

Implications

For businesses operating in California, meeting either of these thresholds means they must comply with the CCPA's stringent requirements, including providing consumers with rights regarding their personal data, such as the right to access, delete, or opt out of the sale of their data.
For example, a large retail chain with over $25 million in revenue must adhere to the CCPA even if its primary operations are not data-related. Similarly, a smaller company that generates most of its revenue through selling consumer data will also fall under the law's jurisdiction, emphasizing the CCPA’s focus on both financial scale and data monetization practices.
These provisions highlight the importance for businesses to assess their revenue sources and data practices to determine their obligations under the CCPA. Failure to comply can result in significant penalties, making it crucial for companies to understand and adhere to these revenue-based applicability factors.

Jurisdiction Overview

USA - California

Gavel Factors: (17)

🗞️ Exception for Publicly Available Information, including Public Records 🔗 Processing in Context of Local Establishment 👮🏼 National Security and Law Enforcement Exemption 🎯 Exemption for Specific Purposes of Processing 📍 Processing by Local Establishment 🛂 Applicability to Citizens and Residents' Data 💼 Processing by Entity Registered or Incorporated in Jurisdiction 🛍️ Offering Goods and Services to Data Subjects in Jurisdiction 🏡 Personal and Domestic Use Exemption Sale of Personal Data Criterion 💵 Revenue-Based Applicability ⚖️ Sectoral Exceptions Regulated by Other Laws 🛃 Exception for Data Processing Outside Jurisdiction 🧮 Number of Data Subjects 🧓🏿 Long-Term Residency Threshold 👇🏿 Statutory Requirement Processing Exception 💼 Doing Business in Jurisdiction