Contact sales Request a demo Request a demo

Who exactly is subject to the CCPA?

The CCPA applies to for-profit businesses that handle and process the personal information of California consumers. 

There are conditional thresholds dealing with the number of activities and annual revenue.

If any of these are met, then your business will need to be compliant with the CCPA. 

The CCPA enhances consumer privacy and protects personal and identifying information.

Although the law was passed as legislation in 2018, it only took effect in 2020.

It is often compared to the European Union’s General Data Protection Regulation (GDPR) but as a “lite” or stripped-down form of privacy protection.

Who is subject to the CCPA, therefore, is an important question as it’s crucial that you determine whether or not the act applies to your business.

Writing a privacy policy is the first step to building compliance and avoiding dire legal consequences.

What are the CCPA thresholds?

The statutes of the CCPA apply to any businesses or organizations that meet all of the following conditions:

  • The company is a for-profit business
  • The business collects personal information from consumers that reside in California and determines the purposes and means of processing those consumers’ personal information
  • Business is conducted in the state of California.

If your business meets all of those criteria, the CCPA will apply if you also meet one of the following:

  • Your business has an annual gross revenue of $25 million or more
  • You buy, sell, receive, or share the personal information of at least 50,000 California residents, households, or devices annually for commercial purposes
  • At least 50% of your annual revenue comes from selling the personal information of California consumers.

Additionally, if your organization has a controlling interest in other companies with a shared brand identity, the CCPA will also apply to those businesses. 

What is considered personal information under the CCPA?

The CCPA definition of “personal information” is that which “identifies, relates to, or could reasonably be linked with [a consumer’s] household.”

Examples of this type of information include but are not limited to the following:

  • Name
  • Social security number
  • Email address
  • Purchase history
  • Payment information
  • Internet browsing history
  • Geolocation data
  • Biometrics.

Plenty of other data types could be ruled to reasonably infer the identity of a consumer.

When it comes to CCPA rules, it’s better to protect all consumer data rather than focus on only those you consider to be “personal information.”

What rights do I have under the CCPA?

If you reside in California, you have certain rights under the CCPA. These rights include:

1. Right to know

You can request that a business disclose all personal information they have collected about you and for what purposes.

2. Right to delete

You can request the business to delete any and all personal information they have collected from you (and make the same request of their service providers).

3. Right to opt-out

You can request from the business to stop selling or sharing your personal information via user-enabled privacy control.

4. Right to correct

You can ask businesses to correct inaccuracies with the personal information they’ve collected.

5. Right to limit use and disclosure of sensitive personal information

You can permit the limited use of your personal information for only the services you’ve requested.

What to do when subject to the CCPA

If you’re now sure of CCPA applicability to your business, there are several measures you can take. 

The first is to write a privacy policy for your organization.

PandaDoc has a great guide on how to write a privacy policy that will have you well on your way!

Your privacy policy will lay out the roadmap of your CCPA compliance strategy.

Upon this foundation, you should cover the following areas of compliance:

  • Provide notices to California residents either in the policy itself or with a separate notice. This notice must cover the types of data collected and their respective purposes. 
  • Outline the steps for processing consumer requests; the right to know and the right to delete any other requests must be met within defined timelines. 
  • Define how to implement the opt-out process for the collecting and sale of personal information
  • CCPA training strategy and educational resources to ensure all employees are compliant
  • Any additional layers of protection both virtually (cybersecurity) and physically (on-premises) for the handling of consumer personal data.

As always, it’s important to consult with consumer privacy legal counsel when writing your privacy policy.

This will ensure you are compliant with regulations that may apply specifically to the nature of your business and its data-collecting practices. 

How PandaDoc can help with CCPA

Businesses like yours can’t afford to be wrong about CCPA applicability or to get compliance wrong on the first try.

Creating a vetted privacy policy and related documents will ensure your organization is up to the highest standards of consumer data protection. 

With PandaDoc, generating documents for important subject requests and opt-outs is a piece of cake!

In addition to a plethora of contract and agreement templates, you will also have access to a range of features that assure your company’s compliance with the CCPA, GDPR, and other regulatory requirements.

Our drag-and-drop editor and eSignatures will have you up and running with your new privacy policy in no time.

Sign up for a free trial with PandaDoc and get started today!