The California Consumer Protection Act has been in effect since Jan. 1, 2020 and the California Privacy Rights Act, which modified the CCPA, went into effect Jan. 1, 2023.
Now that the CPRA is in effect, one of the questions businesses are concerned about is the modification of the CCPA threshold test of "what is a business," and the implications of this modification for small businesses, e.g., those under USD25 million in annual revenue, in light of the new compliance requirements for business-to-business and employee personal information.
Unlike the EU or U.K. General Data Protection Regulations, not all businesses must comply with the CCPA. Nonprofits are carved out of the CCPA, whereas they are covered under the GDPR. The line defining small businesses is less clear. The CCPA was structured with a three-part threshold test for determining whether compliance was required. If a business qualifies under any of the three parts, then it must comply with the statute.
The seemingly easier parts to solve are the revenue and data broker thresholds. If a business has more than USD25 million in annual revenue, or receives 50% or more of its revenue from the sale of personal information (such businesses are usually referred to as data brokers), then it is covered by the CCPA.
The third threshold concerns the number, or "count," of personal information records related to the business. This is where the analysis is more complex.
Below are the two versions of this threshold:
The original CCPA version, effective before Jan. 1, read: "(B) Alone or in combination, annually buys, receives for the business’ commercial purposes, sells, or shares for commercial purposes, alone or in combination, the personal information of 50,000 or more consumers, households, or devices" per California Civil Code 1798.140.
The CPRA-modified version of the CCPA, effective Jan. 1, reads: "(B) Alone or in combination, annually buys, sells, or shares the personal information of 100,000 or more consumers or households" per Cal. Civ. Code 1798.140.
In October 2019, I coauthored the article, CCPA myth buster: Not all records count, which analyzed the original CCPA threshold and questioned whether commercial purposes were coextensive with business purposes. Commentators had conflated "business" and "commercial" purpose such that most for-profit websites were considered covered by the CCPA. My coauthor and I took a narrower view of this definition than most commentators.
The CPRA-modified version of the CCPA has deleted any reference to commercial or business purpose, as well as the reference to "receive" in the threshold test of a business based on personal information record count. The revised test is whether the business buys, sells or shares personal information.
This new definition of "what is a business" invites the question: Could a small business that does not meet the USD25 million revenue threshold, is not a data broker as defined in the statute and not engaged in targeted advertising as defined in the statute, take the position that the CPRA-modified version of the CCPA does not apply to their business?
As of Jan. 1, business-to-business and employee personal information are included as part of the CPRA-modified version of the CCPA, creating a significant increase in compliance requirements, especially for small companies.
California is an outlier in the U.S., as these types of personal information are exempted from the four new privacy laws in Virginia, Colorado, Connecticut and Utah.
For small businesses with less than USD25 million in annual revenue, this interpretation could mean a significant reduction in costs and resources. Of course, a business must conduct the appropriate analysis to determine that it does not meet any of the three thresholds of "what is a business" under the CPRA before deciding that the CCPA, as modified by the CPRA, does not apply to its business.