Businesses That Are Subject to the CCPA

Time
4 hours 41 minutes
Difficulty
Intermediate
CEU/CPE
5
Video Transcription
00:01
Hello, everyone. And welcome to Module two of 10.
00:04
We're going to discuss in this module the scope of the CCPA.
00:08
We are well on our way to getting through all the materials in the CCPA course.
00:13
A quick programming note.
00:14
Again, this is where we are in our course outline. We just completed a history of the CCPA. We're now going to discuss the scope of the CCPA, the businesses that are subject to the law, and then once we knock out the scope, we'll then dive into all of the subsequent obligations that the CCPA has established in the future modules.
00:33
Lesson 2.1.
00:35
We're going to discuss in this lesson the businesses that are subject to the CCPA.
00:42
Our learning goals and objectives for Lesson 2.1 will be to review the types of organizations that are subject to the law. Things like geography and a definition of personal information, all that fun stuff, will actually be discussed in future lessons.
00:56
Then, to help really drive the point home, objective number two:
01:00
we will give you a real-world example of businesses that are subject to the CCPA.
01:04
That's the way I learned
01:07
giving actual examples so I can follow which businesses are subject to the law versus those that aren't
01:11
We will actually be giving examples the whole way through the lessons that occupy this module.
01:19
The CCPA defines businesses as those organizations that are subject to the CCPA.
01:23
If an organization is not a business,
01:26
it's not subject to the law.
01:29
Now,
01:30
On paper, you might think, OK, well, isn't that just every organization?
01:37
Well, no. There's actually a variety of organizations that are not considered businesses but still exist.
01:44
Things like nonprofits, municipalities. If you work for a union or a charity and you're actually tuning into our lesson now, please stay with us because I want you to learn all there is to know about the CCPA. But you technically could stop now because the CCPA doesn't actually apply to your employer.
02:01
It only applies to an entity that is operated for profit
02:06
mental asterisk.
02:08
That's not the case under the GDPR and other privacy laws that exist around the world.
02:13
The CCPA only exists and protects individuals whose information is collected by an entity that makes money.
02:22
Now it's not just any business.
02:23
You need to fall into a certain category
02:25
so long as your business or your employer falls into one of these three categories. It's also subject to the CCPA.
02:32
There is a small business carve out under the CCPA.
02:36
Your business or your employer must enjoy gross revenues that exceed $25 million a year. This is actually something that the California Legislature insisted on during the June 2018 privacy debates.
02:47
There are advocates in Sacramento that advocate fiercely for small businesses,
02:53
and they were worried how the CCPA might impact the startup community or mom and pop shops.
02:59
If that's the company you work for, wait.
03:00
so long as they have not hit $25 million in revenue.
03:05
The CCPA will not apply to them.
03:07
Now, there actually are some companies that make less than $25 million a year but still might be subject to the CCPA.
03:14
Those are the companies that are in the 2nd and 3rd categories here on your screen.
03:19
If a company buys or sells personal information of more than 50,000 individuals, again in a year,
03:24
then they're subject to the CCPA.
03:28
Alternatively, if they're not buying or selling more than 50,000 individuals' personal information, but they're still making more than 50% of their annual revenues from the act of selling consumers' personal information,
03:40
then they are also subject to the CCPA.
03:46
Now.
03:46
When I first read that, my head was scratching
03:49
and I imagine yours is, too.
03:51
What kind of organization would make less than $25 million a year
03:54
but still make more than 50% of its revenue on this act of selling consumer information?
04:00
How would a company be able to buy and sell 50,000 records, but yet still not make $25 million a year?
04:10
There actually are a variety of organizations that exist out there,
04:13
the biggest ones and the ones that Alastair Mactaggart and Mary Stone Ross were most concerned about. That's again the CCPA authors.
04:19
They were worried about data brokers, groups like marketing data brokers or fraud detection data brokers or risk mitigation data brokers.
04:29
They consume and collect massive amounts of customers' personal information and then do things with that information.
04:34
Risk mitigation, for example: there are groups out there that collect your driving history
04:40
or your credit card history or your payment history to collect your credit score and then pass that information on to insurance companies.
04:46
That was an activity that the CCPA drafters wanted to ensure would fall within the scope of the CCPA.
04:53
Even though most of those companies actually don't make $25 million a year, the data brokers, not the insurance companies,
05:00
also a big player, and we've actually dedicated an entire module to this
05:05
ad tech companies,
05:08
digital marketers and other marketers that deployed cookies on websites.
05:12
They in many instances do not actually make $25 million a year. But their impact on privacy is viewed as so substantial that it should fall within the scope of the CCPA.
05:23
Keep an eye out for data brokers and ad tech companies, especially if you're ever supporting your marketing team at your place of work.
05:30
In summary, let's understand that the CCPA only applies to businesses that are designed to make money.
05:35
Nonprofits, other organizations, municipalities, if you work for the government, doesn't matter if it's federal, state or local: your organization is not subject to the CCPA.
05:47
Also recognize that if your business is not making $25 million a year, then you are also not subject to the CCPA.
05:55
Please do not sleep on those smaller players in the ad tech or data broker arena. They are absolutely subject to the law and are in fact one of the main reasons why the law itself passed.
06:06
I will see you in Lesson 2.2 as we discuss the geography and the geographic application of the CCPA.
06:14
I'll see you there.