The California Consumer Privacy Act (CCPA), enacted in 2018, creates new consumer rights relating to the collection, access to, deletion of, sale, and sharing of personal information collected and processed by businesses. The CCPA became effective January 1, 2020 and will have sweeping ramifications for businesses in California and globally that collect or handle personal information about Californians. This new law aims to protect the privacy of California residents by requiring many for-profit businesses to disclose to residents how their personal information is being handled, what data is being collected, and the option to refuse the sale of their personal information. Importantly, the CCPA also establishes the consumer’s right to directly sue a business for damages in the event the business breaches its data security obligations.

Exemplar Companies has been working closely with clients in 2020 to help them prepare for the CCPA. Understanding the key points of the statute and its regulations is essential to complying with the new law. The Attorney General is authorized to bring enforcement actions under the CCPA.

Does CCPA Apply to My Business?

The California Consumer Privacy Act applies to every for-profit person/company/association (a “CCPA Business”) which—1) does business in (see below) the State of California 2) collects consumer personal information (or on behalf of which such information is collected), 3) alone or jointly with others determines the purpose and means of processing the data, and 4) satisfies one or more of the following—

  • has annual gross revenue in excess of $25 million,
  • annually buys, receives, sells, or shares the personal information of more than 50,000 California consumers, households, or devices for commercial purposes, or
  • derives 50 percent or more of its annual revenues from selling consumers’ personal information.


Businesses and non-profits that service CCPA Businesses.

The definitional criteria for a CCPA Business requires that the business must alone or jointly with others determine “the purposes and means of processing” of that data. The new law generally also applies to other persons and organizations, including—

  • businesses and not-for-profit persons or entities that work with or on behalf of CCPA-Businessesif they receive personal information from a CCPA Business for a business purpose,
  • entitiesthat share branding with a CCPA Business and are part of its control group,
  • service providers that process personalinformation on behalf of a CCPA Business, and
  • third partiesthat service the CCPA Business, regardless of their not-for-profit nature, with limited exceptions.

However, an organization in receipt of personal information from a CCPA Business, which merely processes personal information for its CCPA Business client (or provides other services) might take the position that it isn’t subject to the CCPA. That organization may be correct in a limited sense; however, its CCPA Business-client is strongly incentivized to contractually restrict the service provider’s (or third party’s) handling of the personal information for various reasons, which include avoiding the obligations tied to the sale of personal information, and securing immunity from liability for the mishandling of personal information by service providers and third parties.


Businesses that do not collect consumer” personal information: the B2B and Employment Contexts.

Your business may still be subject to the law (in the very near future) even if your “consumers” are other businesses and not individuals. A consumer under the CCPA generally means a natural person who is a California resident; nonetheless, the CCPA recognizes that consumer personal information is routinely shared in the course of seeking or obtaining goods or services between businesses. For the present, these kinds of exchanges are generally exempt from the majority of CCPA rights and obligations, but some are not, including the do-not-sell/opt-out right, the non-discrimination/financial incentives provisions, and the consumer right to seek damages for breach of the data security provisions. The presently exempt matters in the “business-to-business” exemption expire at the end of 2020.

The CCPA obligations and rights also do not apply in the employment context, with some limited exceptions: CCPA covered persons and entities must still comply with provisions regarding certain point-of-collection disclosures, and the consumer right to seek damages for breach of the data security provisions does apply to employees (and others in the employment context, such as officers, directors, contractors, owners, etc.). Like the B2B exemption, the employment exemption expires at the end of 2020. Notably, the California legislature has suggested that 2021 will bring new privacy laws that are specific to employees. Those developments may resolve or restructure the data privacy law respecting employees’ personal information in 2021.


Out-of-State Businesses.

As indicated above, doing business in California is a necessary characteristic for a company to be subject to the CCPA. Although the legal concept of doing business in California is not unique to the CCPA, in many cases it requires an assessment of several factors which altogether don’t yield a definitive answer. Having said that, there’s ample guidance about the doing business in criterion with respect to the corporate law, revenue and taxation, etc. The following principles should be noted, as they’re likely to be instructive in the context of the CCPA:

  • A business does NOT need to be registered or domiciled in California in order to be subject to the CCPA.
  • A business does NOT need to have a physical presence in California to be subject to the CCPA.


The following indicates (or strongly suggests) a given company IS doing business in California:

  • The company is organized or commercially domiciled in California.
  • The company engages in any transaction for the purpose of financial gain within California.
  • The company conducts online transactions with persons who reside in California.
  • The company has employees working in California.
  • The company holds special licenses to conduct business within California.
  • The company’s California sales, property or payroll exceed certain amounts designated by the California tax authority and/or tax law.
  • The company is required to register in California as a ‘foreign entity’ under existing California corporate and/or tax law to “do business in”

Key Differences between CCPA and GDPR

Many clients are asking how the California Consumer Privacy Act differs from the General Data Protection Regulation (GDPR), the European Union’s sweeping data protection and privacy law. The two data privacy laws have some key differences; however, if you are compliant with the GDPR, you’re in a better place to become compliant with the CCPA. The GDPR establishes a “privacy by default” legal framework for the entire EU in all sectors, for-profit and non-profit, public and private, whereas the CCPA is almost entirely business-focused, emphasizing consumer protection by means of transparency and rights and obligations pointed at shifting control over monetization of personal information to the consumer.

Another essential difference is that the GDPR embodies a two-tiered system—a top level (i.e., the European Union) set of rules that govern the EU as a whole, with certain allowances for derogations and exemptions granted to—as well as certain obligations imposed upon— the EU Member States. In contrast, the California law is a single-story structure, so to speak; there are no provisions allowing smaller governmental bodies within the state to embellish or diverge from the statute, and there are no delegations of responsibility to counties or local governments.

  1. Who they affect

The GDPR’s laws apply to businesses and not-for-profit entities (and their websites) of almost every kind. The CCPA is sharply targeted towards (and largely) affects only for-profit entities doing business in California with California consumers, provided certain thresholds (regarding revenue, volume, and sale of data) are met.

  1. The penalties involved

The GDPR and CCPA differ noticeably in penalties for noncompliance. GDPR financial penalties for non-compliance and/or data breaches, can range as high as €20 million (roughly U.S. $22 million), or 4% of the violating company’s annual global turnover from the previous fiscal year—whichever’s higher. EU data subjects (analogous to California consumers) can complain directly to EU Member State supervisory authorities and are guaranteed a judicial remedy where their GDPR rights are infringed. The CCPA differs from the GDPR noticeably in its weaker enforcement rights and more lax approach to compliance in three key ways.

First, a business’ (or service provider’s or third party’s) non-compliance alone isn’t considered enough cause for fining; instead, an actual violation (except for data security breach related violations) doesn’t occur unless the business (or other alleged infringer) fails to cure the infringement after a thirty day notice period. Second, civil actions for such violations cannot be brought directly by consumers but must be brought by the AG’s office in the name of the State. Financial penalties are $2500 per violation (if not deemed “intentional”), and $7500 for each intentional violation. Last, the proceeds of such penalties (or settlements) aren’t payable to the aggrieved consumers, but instead are deposited into a “consumer privacy fund” established to fund the AG’s enforcement efforts.

So even though the GDPR and CCPA approaches to infringement penalties and enforcement are quite different, neither law should be casually dismissed and both hold the potential to do catastrophic financial damage to all but the largest of companies. Additionally, the consequences of a fine or publicly announced violation of either law can have extremely detrimental reputational and public relations impacts, as well as other adverse unforeseeable consequences.

  1. What actions constitute data collecting, selling, and processing

“Personal data” or “personal information” generally mean any information that can directly or indirectly represent an identifiable person, under both the GDPR and the CCPA.

The GDPR considers the “processing” of personal data to be any operation or set of operations performed on a data subject’s personal data. This includes everything from the initial act of collecting user or visitor data, to structuring and storing that information, making it available for others to access, and to its eventual removal and erasure.

The CCPA splits its data-relevant terminology into multiple separate definitions:

  • “Collecting” refers to the gathering of personal information through any method, but unlike the GDPR, it isn’t expressly included in the definition of
  • ”Processing” (arguably) only occurs once data that has already been collected is acted upon further.
  • Selling” is referred to as another separate event which includes any transference, disclosure, or other kinds of communication regarding the contents of a consumer’s personalKey to understanding the CCPA is the notion that selling doesn’t necessarily mean a payment is involved; a CCPA sale merely requires an exchange, communication, transfer or release of consumer personal information for something of value.

The CCPA might be viewed as “less strict” or weaker than the GDPR, but that may be a distorted viewpoint. The CCPA doesn’t focus heavily on processing and how and why it’s justifiable or lawful, as the GDPR does. Instead, the CCPA’s more concerned with access, disclosure and notice regarding the collection of information and the purposes of the collection. Of particular emphasis is the concept of the sale or disclosure of personal information for a business purpose.

  1. Types of data collected

While the GDPR broadly covers the processing of virtually any and all personal data, the CCPA’s more particular about what kinds of data are protected under different circumstances. For example, while the GDPR requires companies to clearly gain user consent with “opt-in” options (where consent relied upon as the lawful basis for processing), the CCPA only requires businesses to supply the option to “opt-out” when (adult) consumer personal information is going to be sold as defined in the CCPA.

Under the CCPA, the sale of personal information of minor consumers requires an affirmative opt-in by the minor or the minor’s parent or guardian. Similarly, the GDPR requires most companies collecting or processing minors’ personal data to obtain the affirmative (opt-in) consent of the minor (or minor’s guardian) if consent is relied upon as the lawful basis for the processing.

Additionally, the CCPA does not provide protection to a wide range of personal information/data types covered by the GDPR, such as—

  • any informationalready legally available to the public,
  • information collected by non-profit/not-for-profit companies/entities (excluding CCPA third parties), in some cases,
  • medical/health care information protected under the CMIA, HIPAA, and/or HITEC,
  • consumer credit & credit reporting agencies information,
  • information subject to certain financial acts/regulations (incl. Gramm-Leach-Bliley Act and the California Financial Information Privacy Act),
  • information protected by the California Driver’s Privacy Protection Act, and
  • certain California Vehicle Code information.

Interestingly, while the GDPR exempts the personal data of deceased persons from the law, the CCPA does not. And to be clear, while the GDPR doesn’t expressly exempt the above classes of information, it generally relies upon EU Member States to craft exemptions in accordance with their own laws.

This area—the intersection of the CCPA with various state and federal laws that deal with personal information—is a challenging area to navigate for California servicing companies.

A business’ safest best is to consult with a professional CCPA expert to ensure that their operations and processes align with the CCPA’s specific regulations.

Consequences of Non-Compliance

As provided above, the CCPA is enforced primarily by the California Attorney General, who may seek civil penalties of up to $2,500 per violation or up to $7,500 per intentional violation. Companies have 30 days to comply with the law once regulators notify them of a violation.

Although there’s far less incentive for consumers to pressure the AG’s office to take enforcement action (given there’s no financial reward), the dollar amount of the violation penalties could meet or even exceed the very substantial GDPR penalties in cases where the infringement is high-volume and deemed “intentional.”

A separate potential financial risk companies face is a consumer’s right to sue directly for breaches of the data security provisions. The CCPA provides a private right of action for certain data breaches arising from violations of the duty to implement and maintain reasonable security procedures and practices. Affected California residents can seek $100 to $750 in statutory damages per individual per incident or actual damages, whichever’s greater.

It is Critical Your Business is Prepared 

The California Attorney General is now authorized to bring CCPA enforcement actions and has signaled that the OAG’s office favors a more expansive private right of action in favor of consumers. Additionally, in a February 25, 2020 letter to the U.S. Congress, California AG Becerra urged federal legislators to use the CCPA as a “working model for [federal] data privacy” legislation. Given this pro-consumer stance, California businesses are wise to begin the compliance process immediately; the compliance process is not instantaneous, and generally requires several weeks or more to complete. Understanding they key points of the statute and its regulations, and consulting with a professional is the best way to ensure your business is compliant. If you want to get started right away, the Exemplar experts have noted some key actions below your business should take as soon as possible:

  • Create or update your End User License Agreement, Terms of Use, and Privacy Policy: Essentially, the new legislation requires CCPA-covered companies to have an online privacy policy. In general, if your company is subject to the CCPA and it sellspersonal information, your company must include a link on its website homepage (or download or landing page of a mobile application) that allows a consumer to instruct the company not to sell his or her personal
  • Contracts with company vendors: Does your business work with vendors that handle personal information on behalf of your company? The CCPA will now require a contract for that, except in very limited circumstances. Vendors are essentially required to make certain agreements and representations regarding their handling of personal information as a matter of self-protection, and for the protection of their clients.
  • CCPA training: Any employee handling consumer inquiries about a company’s privacy practices and compliance with CCPA MUST receive training. Employees are required to know how to direct consumers to exercise their CCPA rights and how to respond to consumer requests.
Katherine Brand

Katherine Brand

Managing Director, Exemplar Consulting, LLC


Submit a Comment

You May Also Like

2022: The Tax Tornado is Coming

2022: The Tax Tornado is Coming

2022: The Tax Tornado Is Coming From a financial/estate planner’s and estate attorneys’ point of view, Happy New Year and glad 2021 is behind us. While 2021 was a great year for consulting revenue, it left everybody paralyzed by the wealth destroying proposed...

4 Blockchain Trends for 2022

4 Blockchain Trends for 2022

Few technologies have attracted more buzz and controversy than blockchain. The past year proved to transformative and booming with new trends and inventions in the blockchain world. Blockchain has taken over many industries and will likely continue to transform...