The California Consumer Privacy Act: Will It Apply to Your Organization?

Lisa Gumbs, Senior Consultant, Commercial Services, GDPR, Coalfire

In August 2018, California issued a revised version of a new consumer privacy law—the California Consumer Privacy Act (CCPA). This statute goes into effect on January 1, 2020 and provides broad privacy protections to California consumers. This statute will have wide-ranging effects outside of California because it will apply to organizations that conduct business in California.

Many businesses are wondering how this statute will affect their operations. The first question that a business must answer is whether it will have to comply with this law. 

Who must comply?

Companies that receive personal information from California consumers and meet one of these three thresholds:

(a) exceed annual gross revenues of $25 million;

(b) obtain personal information of 50,000 or more California residents, households, or devices annually; or

(c) obtain 50 percent or more of their annual revenue from selling California residents’ personal information.1

Let’s examine more closely each part of these questions. 

What is “personal information” for purposes of the statute? Does your organization collect it?

All personal information collected from California consumers is covered by the CCPA with a few limited exceptions. The definition of “personal information” is quite broad.   

“Personal information” is information that “identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.”2 This includes both persons and non-persons when an actual household is identified by the personal information.

Personal information includes such items as:

The consumer’s identifying criteria: Personal identifiers includes such items as real name, alias, postal address, unique personal identifier, online identifier, Internet Protocol address, email address, account name, social security number, driver’s license number, or passport number. But, it can also include such identifiers as race, religion, gender, age, or other protected characteristic. It can include biometric data including fingerprints or voice recognition.

The consumer’s actual, potential, or abandoned purchases: Records of personal property owned, products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies. This would cover such information as what type of car a consumer purchased to the items a person had placed in their online cart but did not purchase.

The consumer’s search on the Internet: The statute protects any Internet or other electronic network activity information, such as browsing history, search history, and information regarding a consumer’s interaction with an Internet website, application, or advertisement. In other words, if any internet search and a consumer’s click on a result is recorded and collected, it would be subject to this statute.

The consumer’s location: Geolocation data including that collected via mobile device or application. It can also include any device that identifies a household such as a connected refrigerator. 

Monitoring or observing the consumer’s physical characteristics: Voice recording, electronic, visual through video, heat-sensing, olfactory, or similar information about a consumer. This would include data gathered from a fitness device, video surveillance, medical implants, or similar items.

The consumer’s role in society: Professional or employment-related information or education information about a consumer. 

The consumer’s profile: Inferences drawn from such personal information to create a profile about a consumer reflecting the consumer’s preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes. This would be any profile about a person including marketing profile used to predict future purchases.

A household: This is information collected about a household located in California. This is a new concept in privacy law and would include information such as the home’s physical address or IP address, electric power usage and billing, deliveries to the home, or security company monitoring data. 

These categories of data include a wide range of business activities. If an organization collects any of these types of data, then the next step is to determine whether the business meets one of the three thresholds that trigger the application of the CCPA. 

Does your business meet a threshold, either by sales or number of consumers, to require compliance with the CCPA?

If an organization collects personal information and meets any of the below, then the CCPA will apply:

(a) exceed annual gross revenues of $25 million: Currently, the statute has not identified whether the annual gross revenues are for earnings only earned in California or all earnings worldwide. If it is worldwide, then many businesses with a presence in California will be subject to the CCPA. 

(b) obtain personal information of 50,000 or more California residents, households, or devices annually: This includes data that is collected, bought, received for the business’s commercial purposes and sold or shared for commercial purposes. It includes data collected from a consumer, household, or devices, either alone or in combination. A business-purpose includes use of personal information for any of the business’s operations, including not only customer transactions, but for employees too. So, customers and employees can quickly add up to meet the threshold.

It will also be easy to collect data from 50,000 devices. Businesses can collect data from devices by gathering IP addresses from visits to a company website, the tracking of automobiles, or connected devices, such as a smart refrigerator found in a household. 

(c) obtain 50 percent or more of annual revenue from selling California residents’ personal information: If a business sells data and earns 50% or more of its annual revenue from those sales, then it is subject to the CCPA. Selling data includes any selling, renting, releasing, disclosing, disseminating, making available, transferring, or communicating in writing, electronic means, or orally for money or other valuable consideration. 

Given the complexity of the CCPA, if a business has not yet started preparing, now is the time to determine if your business needs to comply with the law. Many businesses have been preparing and adjusting practices to comply with the General Data Protection Regulation, which went into effect in May 2018. Compliance with GDPR may help but will not ensure compliance with the CCPA because there are significant differences between the two. Companies will need to assess their privacy practices for the new CCPA, GDPR, and other privacy rules.  

Stay tuned—the Coalfire Privacy Team will continue to provide updates on the implementation of CCPA. 


1 Cal. Civ. Code Section 1798.140(c)(1).
2 Cal. Civ. Code Section 1798.140(o)(1).

Lisa Gumbs


Lisa Gumbs — Senior Consultant, Commercial Services, GDPR, Coalfire

Recent Posts

Post Topics



Accounting Agency AICPA Assessment assessments ASV audit AWS AWS Certified Cloud Practitioner AWS Certs AWS Summit bitcoin Black Hat Black Hat 2017 blockchain Blueborne Breach BSides BSidesLV Burp BYOD California Consumer Privacy Act careers CCPA Chertoff CISO cloud CMMC CoalfireOne Compliance Covid-19 credit cards C-Store Culture Cyber cyber attacks Cyber Engineering cyber incident Cyber Risk cyber threats cyberchrime cyberinsurance cybersecurity danger Dangers Data DDoS DevOps DevSecOps DFARS DFARS 7012 diacap diarmf Digital Forensics DoD DRG DSS e-banking Education encryption engineering ePHI Equifax Europe EU-US Privacy Shield federal FedRAMP financial services FISMA Foglight forensics Gartner Report GDPR Google Cloud NEXT '18 government GRC hack hacker hacking Halloween Health Healthcare heartbleed Higher Education HIMSS HIPAA HITECH HITRUST HITRUST CSF Horror Incident Response interview IoT ISO IT JAB JSON keylogging Kubernetes Vulnerability labs LAN law firms leadership legal legislation merchant mobile NESA News NH-ISAC NIST NIST 800-171 NIST SP 800-171 NotPetya NRF NYCCR O365 OCR of P2PE PA DSS PA-DSS password passwords Payments PCI PCI DSS penetration Penetration Testing pentesting Petya/NotPetya PHI Phishing Phising policy POODLE PowerShell Presidential Executive Order Privacy program Ransomware Retail Risk RSA RSA 2019 Safe Harbor Scanning Scans scary security security. SOC SOC 2 social social engineering Spectre Splunk Spooky Spraying Attack SSAE State Stories Story test Testing theft Virtualization Visa vulnerability Vulnerability management web Wifi women XSS