Understanding the CCPA, part 2

What types of businesses does the law apply to?

Published on

Big tech companies are the clear target of the California Consumer Privacy Act, but its reach is much wider than just Silicon Valley. The threshold question, therefore, for each business looking at CCPA compliance, including auto dealerships, is whether the law applies to them. Not all businesses are covered by the CCPA; understanding whether your is will be key.

The CCPA applies to for-profit businesses that do business in California and meet any of the following criteria: 1) have annual gross revenue of $25 million or more; 2) collect, sell or share the personal information of at least 50,000 consumers, households or devices for commercial purposes; or 3) derive at least 50% of their annual revenue from selling consumers’ personal information.[1] It also applies to businesses that control or are controlled by a company that meets this definition, and share common branding.

All businesses, and especially auto dealers, should note that the annual gross revenue threshold includes both sales of goods and of services. Therefore, for dealerships that do not sell more than $25 million in cars and parts in a year, they may exceed the threshold once repair and other vehicle services are factored in.

Further, the law also applies to co-branded entities of businesses that meet the above criteria if they share common control, even if the affiliate does not do business in California.[2] That means that if you have dealerships in two states that share a trademark and are both owned by the same holding company, the revenue of both dealerships will be counted towards the $25 million threshold.

For the purposes of the CPA, gross revenue includes all revenue from the business, not just revenue from selling or handling consumer data. Further, it appears at this point that it includes revenue earned outside of California or by a related entity that is branded as part of the same company. Therefore, if a dealership group has two roof-tops that together have more than $25 million in gross revenue from sales, service, and parts, and it does business in California, the law applies.

If your business sits just below the revenue threshold of the CCPA, do not take that as a green light to ignore the law. Revenue may be volatile and compliance with the law cannot happen overnight. Your business could experience a data breach shortly after reaching the revenue threshold, and get caught out of compliance with the law. Businesses on the cusp should therefore take the time to implement good data security practices, even if they do not now meet the revenue threshold, in order to be able to decrease their liability in the future in case a data breach does occur.


[1] 1798.140(c)(1).

[2] 1798.140(c)(2).