As California’s new privacy law goes into effect on January 1, 2020, every company, organization, and person who handles personal information regarding California consumers and employees are going to be impacted.

Given the importance of ensuring CCPA compliance, entities must understand that the CCPA applies to a “business” which:

  • Handles personal information about California residents,
  • Determines the purposes and means of processing that personal information,
  • Does business in California, and meets one or more of the following thresholds:
  • Has annual gross revenues in excess of US$25 million,
  • Annually handles personal information regarding at least 50,000 consumers, households, or devices, or
  • Derives 50% or more of its annual revenue from selling consumers’ personal information.
  • Furthermore, the CCPA will also impact service providers that process personal information on a business’s behalf, as well as third parties that receive or purchase personal information from a business. However, nonprofit organizations fall outside the CCPA’s purview.

While the CCPA’s application and scope seem straightforward at first glance, a closer look reveals the need to address additional questions:

  • How do you determine whether you are a service provider or a third party?
  • Is the US$25 million annual revenue trigger applicable to revenue derived from selling personal information in California alone, or globally?
  • How do businesses keep track of their operations and know when they’ve reached the threshold?


In addition, the CCPA grants California residents, or consumers, specific rights regarding their personal information that businesses maintain. If you’re a California consumer, you have the right to request that a business inform you about its processing activities with respect to your personal information, to delete your personal information, and to opt-out of the sale of your personal information.

All the hoops that businesses need to go through for CCPA compliance are to protect the privacy of California consumers.

In Conclusion 

As companies prepare for the CCPA, they must keep in mind that a privacy program needs to adapt and change according to applicable privacy law, as well as each company’s objectives. Regardless of where you are with your privacy program, it is never too late to start planning for your CCPA compliance readiness. OneTrust for CCPA is a full set of scalable privacy management software solutions and services specifically designed to implement CCPA requirements and workflows to support a global privacy program.

For additional information, or to request a live OneTrust for CCPA software demo, visit or email [email protected].


Check out our CCPA blog series: