Welcome to 2020 … and a whole new set of internet privacy regulations.

The California Consumer Privacy Act is here, and you’re probably wondering what it means for you. So, is your company covered by CCPA?

The short answer: Probably not.

(But you shouldn’t stop reading quite yet.)

Golden Gate Bridge: Who's Covered by CCPA?

Who’s Covered by CCPA?

California’s new privacy rules are less draconian than the European Union’s GDPR. The European legislation applies to any company that deals with EU citizens. By contrast, only a subset of companies are covered by CCPA.

Your business must comply with CCPA rules if you:

  • Have gross annual revenues of $25 million or more,
  • OR have data on 50,000 or more individuals, households or devices,
  • OR earn more than half your revenue from selling consumers’ personal information

It doesn’t matter if you’re based in California or not. If you do business there and meet at least one of the three above criteria, you’re subject to the Golden State’s GDPR-lite.

Who’s Exempt from CCPA?

For the most part, SMBs aren’t subject to CCPA rules. They very rarely have revenues greater than $25 million, and 50,000 individuals is a huge database.

Likewise, CCPA only covers for-profit entities. So 501(c)(3) organizations and other nonprofits need not worry.

Are B2B Companies Covered by CCPA?

B2B communications that “occur solely within the context of the business conducting due diligence regarding, or providing or receiving a product or service to or from” are exempt from CCPA penalties until 2021.

But the hype around business-to-business companies not being covered by the CCPA isn’t quite accurate.

B2B firms must still:

  • Allow individuals to request their information not be sold
  • Not discriminate against individuals who opt out of communications or data sales
  • Promptly inform individuals about data breaches

(Look: If you’re not doing any of those things, you’re doing something wrong.)

I’m Covered. How Do I Comply?

Fortunately, CCPA compliance appears to be pretty straightforward. A lot of the requirements have been best practices for years.

The biggest change for most affected companies is to their internet privacy policy. It needs to be explicit about what’s collected and how to opt out of data sales or communications.

(No, your “GDPR-compliant” privacy policy won’t cut it. The EU rules don’t touch much on PII sale.)

The best bet, as with many rules, is to contact your legal counsel. They’ll be able to set you straight and ensure CCPA compliance.