California Consumer Privacy Act



By Doug Verge

Are You Ready?

As you may already be aware, more and more data privacy and security laws are being enacted, and some carry with them significant financial and other penalties for noncompliance. The General Data Protection Regulation (GDPR) was the first significant piece of such legislation. In the United States, the California Consumer Privacy Act (CCPA), which becomes effective January 1, 2020, is the first privacy law similar in scope to the GDPR to be enacted, and other states are poised to follow suit.
The California law deals with the protection of personal information of “consumers” (defined to be California residents) and applies to “businesses” as defined under that law.

Under the statute, a business is…

  • (1) A sole proprietorship, partnership, limited liability company, corporation, association, or other legal entity that is organized or operated for the profit or financial benefit of its shareholders or other owners, that collects consumers’ personal information, or on the behalf of which such information is collected and that alone, or jointly with others, determines the purposes and means of the processing of consumers’ personal information, that does business in the State of California, and that satisfies one or more of the following thresholds:
    • Has annual gross revenues in excess of twenty-five million dollars ($25,000,000);
    • Alone or in combination, annually buys, receives for the business’s commercial purposes, sells, or shares for commercial purposes, alone or in combination, the personal information of 50,000 or more consumers, households, or devices; or
    • Derives 50 percent or more of its annual revenues from selling consumers’ personal information.
  • (2) Any entity that controls or is controlled by a business, as defined in paragraph (1), and that shares common branding with the business. “Control” or “controlled” means ownership of, or the power to vote, more than 50 percent of the outstanding shares of any class of voting security of a business; control in any manner over the election of a majority of the directors, or of individuals exercising similar functions; or the power to exercise a controlling influence over the management of a company. “Common branding” means a shared name, service mark, or trademark.

In Simplified Terms…

If you are a for profit business that does business in California and collects the personal information of California residents, either yourself or through someone else, and you meet any one of the three threshold requirements, the CCPA probably applies to you. Also, if you share common branding with a parent or subsidiary that falls within the law, you also fall under the law. The statute does not define what it means to be doing business in California, but a conservative approach is to consider transactions with California residents or businesses to potentially be considered doing business in that state. Given the penalties for noncompliance, if you meet the above criteria, you should be taking immediate action to comply with the law.



Doug Verge is a shareholder at Sheehan Phinney Bass & Green.

This article is intended to serve as a summary of the issues outlined herein. While it may include some general guidance, it is not intended as, nor is it a substitute for, legal advice.