CCPA: Scope and Definitions
Scope and Definitions [§ 1798.140]
Rule: The CCPA applies to for-profit businesses meeting specific thresholds that collect personal information of California residents.
Who Must Comply? [§ 1798.140(d)]
A business is covered if it:
- Is a for-profit legal entity, AND
- Collects California consumers’ personal information, AND
- Determines the purposes and means of processing, AND
- Does business in California, AND
- Meets any one of these thresholds:
| Threshold | Amount |
|---|---|
| Gross annual revenue | > $25 million |
| Data volume | Buys, sells, or shares personal information of ≥ 100,000 consumers or households |
| Revenue from data | Derives ≥ 50% of annual revenue from selling or sharing personal information |
Who Is a Consumer? [§ 1798.140(i)]
A natural person who is a California resident.
Includes employees, job applicants, and B2B contacts (with some exceptions historically, now fully covered).
Key Definitions
| Term | Definition | Citation |
|---|---|---|
| Personal information | Information that identifies, relates to, or could reasonably be linked with a consumer or household | § 1798.140(v) |
| Sale | Selling, renting, releasing, or disclosing PI for monetary or other valuable consideration | § 1798.140(ad) |
| Share | Disclosing PI for cross-context behavioral advertising (even without payment) | § 1798.140(ah) |
| Service provider | Entity processing PI on behalf of business under written contract | § 1798.140(ag) |
| Contractor | Entity given access to PI under written contract with use restrictions | § 1798.140(j) |
| Third party | Entity that is not the business, service provider, or contractor | § 1798.140(ai) |
| Sensitive personal information | SSN, financial accounts, precise geolocation, racial origin, health, sex life, biometrics, etc. | § 1798.140(ae) |
What Is Personal Information? [§ 1798.140(v)]
Broad definition including:
| Category | Examples |
|---|---|
| Identifiers | Name, alias, postal address, email, IP address, account name, SSN, driver’s license, passport |
| Commercial info | Products purchased, purchasing histories, tendencies |
| Internet activity | Browsing history, search history, interaction with websites/apps |
| Geolocation | Physical location data |
| Employment info | Current or past job history, performance evaluations |
| Education info | Non-public education records |
| Inferences | Profiles reflecting preferences, characteristics, behavior |
What Is NOT Personal Information?
- Publicly available information (from government records)
- Deidentified or aggregate consumer information
- Protected health information under HIPAA (separate regime)
- Information covered by GLBA (financial institutions)
- Information covered by FCRA (credit reporting)
Sensitive Personal Information [§ 1798.140(ae)]
Enhanced protections apply to:
| Category | Examples |
|---|---|
| Government IDs | SSN, driver’s license, state ID, passport |
| Financial | Account log-in + credentials, debit/credit card + access code |
| Precise geolocation | Location within 1,850 feet |
| Race/ethnicity | Racial or ethnic origin |
| Religion | Religious or philosophical beliefs |
| Union membership | Trade union membership |
| Genetic data | Genetic data |
| Biometrics | Biometric data for identification |
| Health | Health information |
| Sex life/orientation | Sex life or sexual orientation |
| Mail/email/text content | Unless business is intended recipient |
Territorial Scope
CCPA applies if:
- Business does business in California (no physical presence required)
- Consumer is a California resident
- Thresholds are met
Note: A business outside California serving CA residents may be covered.