The CCPA applies to any for-profit entity that conducts business in California and meets one or more of the following thresholds:
(1) Has annual gross revenue in excess of $25,000,000.
(2) Annually buys, receives, sells, or shares for commercial purposes the personal information of 50,000 or more consumers, households, or devices, alone, or in combination.
(3) Derives 50% or more of its annual revenue from selling consumers’ personal information. §1798.140(c).
An open question is whether the $25,000,000 threshold represents the business’s gross revenue or is limited to those amounts generated by the business in California. Whether the statute applies extraterritorially is also an open question. Both of these questions are expected to be answered by the California Attorney General at some point. Note that for the second threshold, the 50,000 consumers/households/devices mark will be relatively easy to reach. A business could, e.g., receive the personal information of 20,000 individuals and their respective devices, requiring only 10,000 more instances of receipt to reach the overall threshold. Finally, start-up companies that publish mobile applications (“apps”) and that collect and sell personal information as part of their business model will likely meet the third threshold relatively easily.
The Regulations do not change the jurisdictional scope of the statute or clarify it. They do give a definition of a “household,” something missing from the statute: “‘Household’ means a person or group of people who: (1) reside at the same address, (2) share a common device or the same service provided by a business, and (3) are identified by the business as sharing the same group account or unique identifier.” §999.301(k). The Regulations also address the particulars for requests to access or delete household information. §999.318.