When the California Consumer Privacy Act took effect on Jan. 1, 2020, many businesses scrambled to determine whether the law applied to them. The CCPA is the most stringent privacy law enacted in the United States, and for various reasons, its reach can extend well beyond the state’s borders. 

The objective of the CCPA is to give consumers certain rights to protect their personal data that companies might collect, store, and process for commercial purposes. To that extent, it’s similar to the General Data Protection Regulation (GDPR), which the European Union put into effect in 2018. 

Who Is Subject to the CCPA

The CCPA applies to any company that does business in the state of California and collects personal information and data from its customers—regardless of whether those individuals are California residents or not—and processes or shares this information with other third parties for commercial purposes.

More specifically, to be covered by the CCPA, a business must also fall within at least one of these three categories:

  • The company has annual gross revenues of more than $25 million.
  • The company sells, buys, or otherwise shares for commercial purposes data that has been collected from more than 50,000 California residents, households, or computer devices each year.
  • The company gets more than half of its annual revenue from selling California residents’ personal information.

Are Nonprofits Subject to the CCPA?

That question is harder to answer than it first seems. 

The text of the statute does say the law applies specifically to “businesses,” and defines a business as any legal entity “organized or operated for the profit or financial benefit of its shareholders or other owners.” 

That means the CCPA doesn’t apply to many nonprofits, since they don’t meet that statutory definition. 

The complexity, however, is that some nonprofits do operate for the profit and financial benefit of shareholders or other owners, and therefore are subject to the CCPA. Credit unions, for example, are nonprofit mutual benefit corporations and are expected to comply with the CCPA. 

Any nonprofit that owns or operates a for-profit division, or is owned by a for-profit organization, may also be subject to CCPA regulations (depending on its business volume, as mentioned in the bullet points above).

Even without CCPA compliance obligations, traditional donor-funded nonprofit charities should still make certain they update their privacy notices and privacy statements on webpages, and explain how they manage donors’ personal data (such as credit card numbers and addresses) and what the organization does to prevent a data breach or theft of personal information.

Which Businesses Aren’t Subject to the CCPA?

It’s important to distinguish between the company being in compliance with CCPA, versus certain types of data or personal information that aren’t subject to the CCPA. 

Businesses that are not subject to the CCPA: 

  • If a business never collects data from California residents, it is exempt from the CCPA.
  • A medical service provider that already complies with the Health Insurance Portability and Accountability Act (HIPAA) or the Confidentiality of Medical Information Act (CMIA) is not subject to the CCPA. 

The following data types are also exempt, even if the CCPA applies to the company collecting this data:

  • Personal information that was collected when the consumer was outside of the state of California. Be aware that it may be difficult to determine the location of the consumer unless IP addresses or geolocation data are collected during consumer requests for services or purchases. 
  • Personal information that has been collected from job applicants, employees, and independent contractors as part of a hiring process. 
  • Personal health information is exempt if it is collected by a business that already complies with HIPAA or the CMIA.
  • Information collected during clinical trials is exempt. 
  • Consumer reporting information such as credit scores and credibility ratings are also exempt.

Regardless of whether a business is subject to the CCPA, the business is always responsible for maintaining reasonable security procedures and to do its best to prevent unauthorized access to consumer information. 

Failure to comply with the CCPA can result in regulatory fines or lawsuits from unhappy consumers, especially if the aggrieved parties can show that the company didn’t maintain proper data security or privacy protection.