The California Consumer Privacy Act (CCPA) is a privacy law that protects the rights of California consumers. The CCPA was amended by the California Privacy Rights Act (CPRA), which expanded consumer rights and business responsibilities. The CCPA (CPRA) requires businesses and service providers that meet its specifications to abide by its rules.
This article will go over the types of organizations that are defined as businesses under the CCPA (CPRA), and what they need to do in order to meet its requirements.
- 1. What Counts as a Business Under the CCPA (CPRA)?
- 2. Types of Organizations that Count as Businesses under the CCPA (CPRA)
- 2.1. Other Types of Businesses the CCPA (CPRA) May Apply to
- 3. Organizations that are Exempt from the CCPA (CPRA)
- 3.1. Service Providers
- 3.2. Government Entities
- 3.3. Nonprofit Organizations
- 3.4. Businesses that Collect Specific Types of Personal Information
- 4. How to Comply With the CCPA (CPRA)
- 4.1. Notify Consumers of Their Rights Under the CCPA (CPRA)
- 4.2. Have a Compliant Privacy Policy
- 4.2.1. Clauses to Include in Your CCPA (CPRA) Privacy Policy
- 5. Summary
What Counts as a Business Under the CCPA (CPRA)?
Section 1798.40 of the CCPA (CPRA) defines the term "business" as any for-profit legal entity that collects consumers' personal information or has another entity collect consumers' personal information on its behalf and meets at least one of its three thresholds.
Let's take a look at what that can mean, from the CCPA (CPRA) itself:
Let's break this down.
To qualify as a business under the CCPA (CPRA), your business must meet at least one of the following three thresholds:
- Make over $25 million annually,
- Buy, sell, or share personal information from 100,000 or more California consumers or households, or
- Get 50% or more of its annual revenue from selling or sharing personal information belonging to California consumers
Any organization that does business in the state of California, satisfies one of the CCPA's (CPRA) three thresholds, and meets the criteria described below counts as a business under the CCPA (CPRA).
Types of Organizations that Count as Businesses under the CCPA (CPRA)
First of all, any of the following organizations that operate on a for-profit basis may qualify as a business under the CCPA (CPRA) as long as they meet the rest of its criteria:
- Sole proprietorship: A sole proprietorship is a business that has one owner who pays personal income tax on any profits they make from the business. Freelancers, contractors, and consultants often operate as a sole proprietorship.
- Partnership: A partnership is when two (or more) individuals or entities run a business together and share its profits.
- Limited liability company (LLC): An LLC is a business that is designed to protect the owners from having to personally pay for their business's legal liabilities.
- Corporation: A corporation is a legal entity that has many of the same rights as a person, such as the right to enter contracts, borrow or loan money, take legal action, and hire staff. A corporation is also responsible for paying taxes.
- Association: An association is a group of people that has a written and dated document describing the creation and purpose of the association and signed by at least two members of the association.
- Any other legal entity: A legal entity is an organization that can enter into contracts, borrow money, or take legal action, and that is required to pay taxes on its profits.
Any of the above organizations may be required to follow the CCPA's (CPRA) rules if they:
- Collect personal information from California consumers, or
- Have another entity collect personal information from California consumers and make decisions about how and why to process that information
Processing information is defined by the CCPA (CPRA) as "operations that are performed on personal information," which includes making decisions about how to use consumers' personal information.
Other Types of Businesses the CCPA (CPRA) May Apply to
The text of the CCPA (CPRA) goes on to explain that it also applies to business partnerships where each company has at least 40% interest, and to any individual that does business in the state of California and voluntarily agrees to comply with the CCPA (CPRA):
Even if you don't meet the above criteria, if your business is controlled by, shares branding with, or receives California consumers' personal information from a business that meets the CCPA's (CPRA) criteria, then it is required to comply with the CCPA (CPRA).
Organizations that are Exempt from the CCPA (CPRA)
There are certain organizations that are not recognized as businesses under the CCPA (CPRA). These organizations include service providers, most government and nonprofit organizations, and businesses that collect or process specific types of information, which we will take a deeper look at below.
Service Providers
A service provider as defined by the CCPA (CPRA) is a for-profit legal entity that has a contract with a business to receive and process personal information on behalf of that business. While service providers are not the same thing as businesses, they are still required to comply with the CCPA (CPRA).
If you aren't sure if you're a business or a service provider, check out our article Are You a Business or a Service Provider Under the CCPA (CPRA)?
Government Entities
Government entities, including state, local and federal agencies, are generally exempt from the CCPA (CPRA).
Nonprofit Organizations
Most nonprofit organizations do not need to comply with the CCPA (CPRA).
Businesses that Collect Specific Types of Personal Information
The following are exempt:
- Businesses that only collect personal information from consumers who don't live in California
- New car dealers and buyers and vessel dealers and manufacturers that collect vehicle and vessel ownership information to be used to contact buyers about warranties or recalls
- Covered entities (individuals or entities that transmit protected health information, such as health plans and healthcare providers) and their business associates (individuals or entities that provide services to covered entities) that collect personal health information that is subject to the Health Insurance Portability and Accountability Act (HIPAA) or the Confidentiality of Medical Information Act (CMIA).
- Businesses that only collect financial information that is subject to the California Financial Information Privacy Act (CalFIPA) or the Gramm-Leach-Bliley Act (GLBA)
- Businesses that solely collect or process personal information that is subject to the Fair Credit Reporting Act (FCRA)
- Organizations that use personal information for clinical trials or biomedical research and that comply with the Federal Policy for the Protection of Human Subjects (the Common Rule)
How to Comply With the CCPA (CPRA)
If your business is required to comply with the CCPA (CPRA), then you need to take certain steps to protect the personal information you collect and to inform California consumers of the rights the CCPA (CPRA) grants them.
To avoid harsh financial penalties, you should make sure that your business is in compliance with the CCPA (CPRA), as CCPA (CPRA) violations can cost up to $7,500 per violation.
Here are some ways you can comply.
Notify Consumers of Their Rights Under the CCPA (CPRA)
You will need to make sure that you understand and make California consumers aware of their rights under the CCPA (CPRA), including:
- The right to delete personal information
- The right to correct inaccurate personal information
- The right to be informed about what personal information is being collected
- The right to access their personal information
- The right to know who their personal information is sold to or shared with
- The right to opt out of the sale or sharing of their personal information
- The right to limit the use and disclosure of their sensitive personal information
- The right to exercise these rights without being discriminated against
Personal information can include things like names, addresses, social security numbers, and biometric information, such as fingerprints and iris scans.
Sensitive personal information includes things like religious beliefs, race and ethnicity, and sexual orientation.
Apple's Privacy Policy informs users of their rights and shares a link to a page that explains how they can exercise their rights:
Have a Compliant Privacy Policy
The CCPA (CPRA) requires applicable businesses to respond when consumers exercise their rights and to notify consumers of their privacy practices.
The best way to comply with the CCPA (CPRA) is to make sure that your business maintains a clearly written, up-to-date Privacy Policy on its website and apps and that you have a process in place for responding to consumer requests to access, correct, or delete their data.
Section 1798.100 of the CCPA (CPRA) describes the responsibilities of applicable businesses:
These responsibilities include informing consumers about:
- The types of personal information they are collecting (before they collect it)
- What they do with the information they collect
- Whether they sell or share sensitive personal information
- How long they keep consumers' personal information
Clauses to Include in Your CCPA (CPRA) Privacy Policy
To comply with the CCPA (CPRA), you should make sure that your Privacy Policy includes clauses describing:
- What kind of personal information you collect
- How you collect consumers' personal information
- Why you collect personal information
- Third parties you sell and/or share personal information with
- How you keep the personal information you collect secure
- Your Privacy Officer's contact info
The table of contents of Google's Privacy Policy lists the sections it contains, including clauses about what kind of information it collects and why, who it shares information with, and how it keeps the information it collects safe:
Get step-by-step instructions and a customizable free template to help you create a compliant Privacy Policy in our article CCPA (CPRA) Privacy Policy Template.
Summary
The CCPA (CPRA) is privacy legislation that protects California consumers' personal information.
The CCPA (CPRA) can apply to any of the following organizations as long as they either collect personal information from California consumers or make decisions about how and why another entity collects personal information from California consumers:
- Sole proprietorships
- Partnerships
- LLCs
- Corporations
- Associations
- Any other legal entities
An applicable organization must meet one of these three thresholds in order to qualify as a business under the CCPA (CPRA):
- Make over $25 million per year,
- Buy, sell, or share personal information belonging to 100,000 or more California consumers, or
- Get 50% or more of its annual revenue from the sale or sharing of California consumers' personal information
Service providers are organizations that process personal information on behalf of businesses, and are also required to comply with the CCPA (CPRA).
Most government entities and nonprofits are not required to comply with the CCPA (CPRA).
There are certain businesses that the CCPA (CPRA) does not apply to, including:
- Businesses that collect personal information belonging to users outside of California
- Car and vessel dealers and manufacturers that collect personal information to be used to contact consumers about warranties or recalls
- Covered entities and business associates that collect personal information that is protected by HIPAA or the CMIA
The CCPA (CPRA) does not apply to information that is protected by CalFIPA, the GLBA, the FCRA, or the Common Rule.
In order to comply with the CCPA (CPRA), you should make sure that you have a Privacy Policy that informs California consumers of their rights under the law, and describes how you collect and process their data, as well as how you keep their personal information safe.