CCPA: Common Scenarios
Practical guidance for applying the CCPA to real-world situations.
Scenario 1: Are We Covered?
Question: We’re a startup with $5M revenue, 50K website visitors from California, but no CA office. Does CCPA apply?
Answer: Probably not yet. You must meet at least one threshold:
- $25M+ gross revenue — No
- Personal information of 100K+ consumers/households — No (50K < 100K)
- 50%+ revenue from selling data — Depends on business model
But monitor: If you hit 100K CA consumers or $25M revenue, you’re covered.
Citation: § 1798.140(d)
Scenario 2: Employee Data
Question: Does CCPA apply to our California employee data?
Answer: Yes, fully. CPRA removed the employee data exemption. Employee personal information is covered:
- Must provide privacy notice to employees
- Employees have access/delete/correct rights
- Must honor opt-out for sale/sharing (rare in employment context)
Citation: § 1798.145 (exemption expired)
Scenario 3: B2B Contacts
Question: Does CCPA cover our business contacts at client companies?
Answer: Yes, fully. CPRA removed the B2B exemption. Business contact information is covered:
- Sales lead databases = personal information
- Business cards collected at conferences = covered
- Must provide notice and honor rights
Citation: § 1798.145 (exemption expired)
Scenario 4: Honoring Global Privacy Control
Question: A visitor’s browser sends a GPC signal. What must we do?
Answer: Honor it as a valid opt-out of sale AND sharing.
- Stop selling their PI immediately
- Stop sharing for cross-context behavioral advertising
- Apply across your entire site
- Cannot require them to also click your opt-out link
Citation: § 1798.135(b)
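As an added illustration of the rule above (example code, not part of the original page or any specific product), here is how a site can treat the browser signal as a site-wide opt-out of sale and sharing. It relies on the Global Privacy Control specification's request header `Sec-GPC: 1` (the only opted-out value the spec defines) and its `/.well-known/gpc.json` support resource; the stored-preference shape (`optedOutOfSaleSharing`), the tag list and the sample request headers are hypothetical and constructed for the example.

```javascript
// Added example (not from the original page): server-side handling of a
// Global Privacy Control signal as a site-wide opt-out of sale and sharing.
// Uses the GPC spec's "Sec-GPC: 1" request header; the preference record,
// the tag list and the sample headers below are hypothetical/constructed.

// Returns true only when the browser sent a valid GPC signal. Node lowercases
// incoming header names, so the lowercase key is checked first. Anything
// other than "1" (absent, "0", "true") is treated as no signal.
function gpcSignalPresent(headers) {
  const raw = headers["sec-gpc"] !== undefined ? headers["sec-gpc"] : headers["Sec-GPC"];
  const values = Array.isArray(raw) ? raw : [raw];
  return values.some((v) => v !== undefined && String(v).trim() === "1");
}

// Combines the GPC signal with any opt-out the consumer already made through
// the "Do Not Sell/Share" link. A GPC signal is honored on its own: a stored
// "not opted out" preference never overrides it, and no extra click is needed.
function saleSharingDecision(headers, storedPrefs) {
  const gpc = gpcSignalPresent(headers);
  const explicitOptOut = Boolean(storedPrefs && storedPrefs.optedOutOfSaleSharing);
  const optedOut = gpc || explicitOptOut;
  return {
    optedOut,
    source: gpc ? "gpc" : explicitOptOut ? "opt-out-link" : "none",
    allowSale: !optedOut,
    allowCrossContextAds: !optedOut,
    // A fresh GPC opt-out is flagged for saving so it applies across the whole
    // site, including later requests for this consumer that lack the header.
    persistOptOut: gpc && !explicitOptOut,
  };
}

// Gates third-party tags: anything that would sell or share PI is suppressed
// once the consumer is opted out; a tag that shares no PI still loads.
function thirdPartyTagsToLoad(decision, tags) {
  return tags.filter((tag) => !tag.sharesPI || decision.allowCrossContextAds);
}

// The spec's GPC support resource, served at /.well-known/gpc.json, lets
// browsers and auditors confirm that the site honors the signal.
function gpcSupportResource(lastUpdate) {
  return { gpc: true, lastUpdate };
}

// Constructed sample data
const gpcRequestHeaders = { "sec-gpc": "1", "user-agent": "ExampleBrowser/1.0" };
const plainRequestHeaders = { "user-agent": "ExampleBrowser/1.0" };
const siteTags = [
  { name: "first-party-analytics", sharesPI: false },
  { name: "ad-network-pixel", sharesPI: true },
];

const demoDecision = saleSharingDecision(gpcRequestHeaders, { optedOutOfSaleSharing: false });
console.log(demoDecision);
console.log(thirdPartyTagsToLoad(demoDecision, siteTags).map((t) => t.name));
```

The decision object is meant to be computed once per request, before any sale or ad-sharing code path runs, so the opt-out applies to every page rather than only where the link lives; `persistOptOut` is the hook for recording the signal against the consumer's record so the opt-out persists across the site.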
Scenario 5: Deletion Request
Question: A customer requests deletion. We need their data for warranty purposes. Can we keep it?
Answer: Possibly. You may retain PI if needed to:
- Complete a transaction (warranty is part of transaction)
- Comply with legal obligations
- Exercise/defend legal claims
But: Inform the customer what you’re retaining and why. Delete everything you don’t need for the exception.
Citation: § 1798.105(d)
Scenario 6: Selling to Ad Networks
Question: We share customer data with ad networks for targeted ads. Is this “selling”?
Answer: Yes, almost certainly. If you receive any benefit (even free ad platform access), it’s a “sale.” Even if no money changes hands, sharing for cross-context behavioral advertising is “sharing.”
You must:
- Add “Do Not Sell/Share” link
- Honor opt-out requests
- Honor GPC signals
- Stop sharing opted-out consumers’ data
Citation: § 1798.140(ad), (ah)
Scenario 7: Request Response Time
Question: We received a deletion request 40 days ago and need more time. What now?
Answer: You can extend but must act now:
- Within 45 days of original request, notify consumer you need more time
- Explain the reason for the delay
- Get up to 45 additional days (90 total)
- Complete deletion within extended period
If you missed the 45-day window: You’re already non-compliant. Complete the request ASAP and review your processes.
Citation: § 1798.130(a)(2)
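To make the timeline above checkable, here is an added example (not from the original page) that reports where a request stands on the 45-day clock, including the extension notice that must go out inside the first 45 days and the 90-day ceiling. It assumes the day of receipt is day 0, counts whole UTC days from ISO `YYYY-MM-DD` strings, and uses hypothetical field names (`receivedOn`, `extensionNoticeSentOn`, `completedOn`); the dates are constructed.

```javascript
// Added example (not from the original page): status of a consumer request
// against the 45-day response period, the 45-day extension and the 90-day
// total. Day of receipt is day 0 (an assumption); dates are "YYYY-MM-DD"
// strings counted in whole UTC days; field names are hypothetical.

const INITIAL_DAYS = 45;
const EXTENSION_DAYS = 45;

// Whole days from one ISO date to another, computed in UTC to avoid DST drift.
function daysBetween(fromIso, toIso) {
  const [fy, fm, fd] = fromIso.split("-").map(Number);
  const [ty, tm, td] = toIso.split("-").map(Number);
  return Math.round((Date.UTC(ty, tm - 1, td) - Date.UTC(fy, fm - 1, fd)) / 86400000);
}

function addDays(iso, n) {
  const [y, m, d] = iso.split("-").map(Number);
  return new Date(Date.UTC(y, m - 1, d + n)).toISOString().slice(0, 10);
}

// An extension only counts if the notice went out inside the first 45 days.
function validExtension(request) {
  return Boolean(request.extensionNoticeSentOn) &&
    daysBetween(request.receivedOn, request.extensionNoticeSentOn) <= INITIAL_DAYS;
}

// request = { receivedOn, extensionNoticeSentOn?, completedOn? }
function requestStatus(request, today) {
  const elapsed = daysBetween(request.receivedOn, today);
  const initialDeadline = addDays(request.receivedOn, INITIAL_DAYS);
  const extendedDeadline = addDays(request.receivedOn, INITIAL_DAYS + EXTENSION_DAYS);

  // Already fulfilled: judge it against the deadline that actually applied.
  if (request.completedOn) {
    const daysTaken = daysBetween(request.receivedOn, request.completedOn);
    const limit = validExtension(request) ? INITIAL_DAYS + EXTENSION_DAYS : INITIAL_DAYS;
    return { state: daysTaken <= limit ? "completed-on-time" : "completed-late", daysTaken };
  }

  // Properly extended: the 90-day deadline governs.
  if (validExtension(request)) {
    const total = INITIAL_DAYS + EXTENSION_DAYS;
    return elapsed <= total
      ? { state: "extended", deadline: extendedDeadline, daysLeft: total - elapsed }
      : { state: "overdue", deadline: extendedDeadline, daysOverdue: elapsed - total };
  }

  // No valid extension: the original 45-day deadline governs. While it is
  // still open the business can still send the extension notice.
  return elapsed <= INITIAL_DAYS
    ? { state: "open", deadline: initialDeadline, daysLeft: INITIAL_DAYS - elapsed, canStillExtend: true }
    : { state: "overdue", deadline: initialDeadline, daysOverdue: elapsed - INITIAL_DAYS };
}

// Constructed sample: the scenario's request received 40 days ago.
console.log(requestStatus({ receivedOn: "2024-01-01" }, "2024-02-10"));
```

For the scenario's request received 40 days ago this returns an open request with 5 days left and `canStillExtend: true`, which is the window for sending the notice; a notice sent on day 50 is ignored by `validExtension`, so the request shows as overdue against the original deadline, matching the "already non-compliant" case above.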
Scenario 8: Verifying Consumer Identity
Question: How do we verify someone making a request is actually the consumer?
Answer: Verification must be reasonable based on:
- Type of PI you hold
- Risk of harm from unauthorized access
- Request type (access vs. delete)
| PI Sensitivity | Verification Level |
|---|---|
| Low (email preferences) | Match 2-3 data points |
| Medium (purchase history) | Match 3+ data points, security questions |
| High (SSN, financial) | Government ID, notarization, in-person |
Cannot: Require new data collection just for verification.
Citation: CPPA Regulations § 7062
Scenario 9: Minor’s Data
Question: We know a user is 14. Can we sell their data if they haven’t opted out?
Answer: No. For consumers 13-15, you need affirmative opt-IN before selling or sharing.
- Default = no sale/share
- Must get minor’s explicit consent
- Parents can consent for under-13
Citation: § 1798.120(c)
Scenario 10: Service Provider vs. Third Party
Question: Our analytics vendor processes customer data. Are they a service provider or third party?
Answer: Depends on the contract and actual practices.
Service provider if:
- Written contract prohibits selling/sharing
- Uses data only for your specified purposes
- Doesn’t retain/use data for own purposes
- Certifies compliance
Third party if:
- Uses data for own purposes
- Sells or shares data
- No compliant contract in place
If third party: Sharing data with them may be a “sale” requiring opt-out mechanism.
Citation: § 1798.140(ag), (ai)
Quick Reference Table
| Scenario | Key Rule | Citation |
|---|---|---|
| Revenue threshold | $25M+ | § 1798.140(d) |
| Consumer threshold | 100K+ | § 1798.140(d) |
| Employee data | Fully covered | § 1798.145 |
| GPC signals | Must honor | § 1798.135(b) |
| Response time | 45 days (+45 extension) | § 1798.130 |
| Minor opt-in | Under 16 needs opt-in | § 1798.120(c) |
| Data breach suits | Private right of action | § 1798.150 |
| Other violations | CPPA/AG only | § 1798.155 |