The CCPA Applies to Businesses With Only a Small Number of Customers
The California Consumer Privacy Act (CCPA) applies to businesses that annually buy, receive, sell or share the personal information of 50,000 consumers, households or devices. Since households and devices are included, a small number of consumers will meet the threshold. Let’s take a closer look.
We start with the definition of “business”:
Definition of Business
CCPA Section 1798.140 (c):
(c) “Business” means:
(1) A sole proprietorship, partnership, limited liability company, corporation, association, or other legal entity that is organized or operated for the profit or financial benefit of its shareholders or other owners, that collects consumers’ personal information, or on the behalf of which that such information is collected and that alone, or jointly with others, determines the purposes and means of the processing of consumers’ personal information, that does business in the State of California, and that satisfies one or more of the following thresholds:
(A) Has annual gross revenues in excess of twenty-five million dollars ($25,000,000), as adjusted pursuant to paragraph (5) of subdivision (a) of Section 1798.185.
(B) Alone or in combination, annually buys, receives for the business’s commercial purposes, sells, or shares for commercial purposes, alone or in combination, the personal information of 50,000 or more consumers, households, or devices.
(C) Derives 50 percent or more of its annual revenues from selling consumers’ personal information.
(2) Any entity that controls or is controlled by a business, as defined in paragraph (1), and that shares common branding with the business. “Control” or “controlled” means ownership of, or the power to vote, more than 50 percent of the outstanding shares of any class of voting security of a business; control in any manner over the election of a majority of the directors, or of individuals exercising similar functions; or the power to exercise a controlling influence over the management of a company. “Common branding” means a shared name, service mark, or trademark.
The critical part for our discussion here is
CCPA Section 1798.140 (c)(1) (B) “Alone or in combination, annually buys, receives for the business’s commercial purposes, sells, or shares for commercial purposes, alone or in combination, the personal information of 50,000 or more consumers, households, or devices.” (emphasis added)
The last phrase deserves a closer inspection in each of its pieces:
“alone or in combination”
Because combinations must be considered, the number of consumers must be added to the number of households, and all added to the number of devices to determine if the threshold is met.
“the personal information”
The definition of personal information is extremely broad, and includes messaging and metadata that flows to many different devices and must identify the consumer user to actually function reliably. Importantly, the breadth of the definition of personal information forces the inclusive count of a lot of devices, such as network devices, where the personal information is fleeting, and might only be for routing purposes. A business need only buy, receive, sell, or share personal information of devices”. So metadata used to accurately route a message to a user might be considered enough to include a network device. What is more, since households are included, the individual consumer of many household devices need not be identifiable to make the information personal and include the devices. Identity of the household is enough.
Social media interaction counts.
Personal information of a consumer includes pseudonyms and online identifiers, such as those used by consumers in social media. A consumer who “follows” a business’ account, or visits a business’ social media web page, or “subscribes” to a business’ social media videos, is providing personal information to the business through cookies and online identifiers. Businesses must count the numbers of consumer followers, visitors, subscribers, etc.
Online advertising counts.
In order to place an advertisement in front of a targeted customer, a business might bid on, and win an online, real-time-bidding (RTB) auction to obtain the profiled identity of a consumer, and deliver the ad. Businesses must count not only the number of consumers who are receiving their advertisements, but also all the consumers whose profiles they have received in order to make bids, even if the bids fail and the data is not available after a few seconds.
“of 50,000 or more consumers,”
This is the threshold number of California residents because a consumer is defined as a CA citizen. It might be tempting to stop the analysis there, with consumers, perhaps because other laws, such as the GDPR, do not include households or devices as part of a threshold. As we shall see, counting for the threshold does not stop with consumers. Consumers do not have to be customers, but can include potential customers at whom marketing campaigns have been aimed – those on email marketing lists or rewards programs, those who put their business cards in the bowls at trade shows, and those who might be caught on surveillance cameras while shopping at retail stores.
Household “means a person or group of people occupying a single dwelling.” Assuming most Californians occupy a dwelling, for each consumer there is a household. If so, then the 50,000 threshold number becomes 25,000 consumers.
‘“Device” means any physical object that is capable of connecting to the Internet, directly or indirectly, or to another device.’ Note, that the objects need not belong to a California resident nor be located within California. So satellites, cell phone towers and servers in far off data centers are included. Note also that devices need only have the capability of connecting and need not actually connect.
Many Possible Devices Must be Counted
Importantly, a device need not connect with the internet, but merely to another device. Devices might connect with other devices physically, or digitally through a variety of protocols such as IPv6, LPWAN, ZigBee, Bluetooth Low Energy, Z-Wave, RFID, NFC, cellular, satellite, WIFI and Ethernet. WIFI alone is ubiquitous and many thousands of devices connect through WIFI.
Devices do not include virtual devices. They must be physical. Nevertheless, there are a lot of potential physical objects capable of connecting with either the internet or another device: modems, routers, gateways, repeaters, bridges, switches, wireless access points, cell phones, watches, health bands, slates, lap tops, desk tops, e-readers, storage devices like flash drives, USB drives, printers, televisions, set-top boxes, game consoles, game headsets, streaming devices, cameras, cars, doorbells, digital toys, security cameras, thermostats, satellites, cell towers, security badges, credit cards. Think broadly. Every day we see new objects with the digital capability of connection to the internet or other objects – lamps, lightbulbs, wall switches and buttons, smoke detectors, CO2 detectors, air quality monitors, alarm clocks, key fobs, toothbrushes, thermometers, blood pressure monitors, heart rate monitors, baby monitors, garage door openers, bicycles, bike locks, kitchen appliances, ovens, pressure cookers, refrigerators, coffee makers, tea kettles, bottles, sprinklers, vents, air conditioners, air purifiers, clothing, socks, diapers, yoga mats, garden sensors, grill thermometers, GPS tracking devices, pet feeders, plant monitors, vacuums, etc. Of course devices are not counted toward the threshold if a business does not buy, receive, sell or share personal information from them. However, the reality is that an increasing number of businesses are connecting to an increasing number of devices because devices have data and data is where the money is at.
Consider Radio-Frequency Identification (RFID).
An RFID reader uses electromagnetic fields to automatically identify and track RFID tags attached to other objects. The reader (one device) connects to the tag (another device). The tags contain electronically stored information, commonly including identification information. In fact, RFID is a method of automatic identification and data capture (AIDC). Some retails stores use tags on products to enable customers to purchase products by simply selecting items and walking out of the store, without having to go through checkout lines or pay a cashier. If a business uses RFID tags in this way, each product becomes another device associated with a purchasing consumer. Some package delivery companies use RFID tags to track package delivery. RFID tags are applied to the packages and used to monitor delivery from the store or warehouse to the customer. Businesses receive personal information via shipping and tracking reports. If a business ships products to customers, each product delivered would be another device to count toward the threshold.
What about Bar Codes?
Any customer of a modern grocery store is used to self-check out, scanning the bar codes of every product at check out. The bar code is on the packaging or label of the product. A device is defined as a “any physical object that is capable of connecting to … another device.” The connection need not be digital, but can be physical. A label is a physical object. A package is a physical object. The package or label with a bar code connects to the bar code scanner (another device) the instant it is scanned. Labels and packaging are devices. Even a small retail store might be filled with hundreds or thousands of devices (labeled, packaged products). The product, label and packaging (personal information) is associated to the identity of the consumer through the transaction.
What about Shipping Labels?
A shipping label containing the name and address of a recipient consumer (personal information) is physically connected to a package, and the package connected passively (indirectly) to the label by way of a sticky substance on the label. Arguably, both the label and the package are devices. Barcodes are commonly put on shipping labels and scanned to enable a tracked delivery. The business receives personal information to verify on-time package delivery. Effectively, product labeling and packaging are disposable devices. Each label and package shipped would count toward the threshold.
Consider Credit Cards.
Credit cards with chips use the EMV standard, which stands for “Europay, Mastercard, and Visa”. It is a global standard that allows chip cards to interoperate at point-of-sale systems and automated banking machines. The chip is a small computer chip which, when inserted into a payment terminal creates a one-time transaction code, storing details of the payment. Personal information identifying the consumer is received by the business for the transaction to take place. Even the older magnetic strip credit cards connect to another device (the readers), and therefore are devices. Credit cards used to purchase products or services on line (where information is entered manually) are also devices because devices need not actually connect, but only have the capability of connecting with another device. If a credit card is used to purchase a product or service of a business, the business must count each credit card used toward the threshold. Of course the same logic would apply to debit cards.
Work Computers Might Count.
Work computers might count also, if used outside the role of the employee, for personal purposes. While there is an employee exemption under the CCPA until 2021, it applies to personal information collected solely within the context of the natural person’s role or former role as an employee or job applicant. If an employee is using devices for person use, such as visiting a business’ web site for a personal purchase, then the title applies, and the devices are counted.
Of course, for a device to count toward the threshold, a business must be buying, receiving, selling, or sharing the personal information of the device. Let’s take a closer look by way of scenario.
How Many Devices in this Consumer Scenario?
A consumer wakes in the morning to an alarm on the consumer’s cell phone. The consumer exercises wearing a digital watch that monitor’s the consumer’s heart rate, location, and other exercise related information. The consumer looks at the web site of a business on the consumer’s cell phone. She sees a link for a vacation business video and starts listening to it on the audio system of the consumer’s car. The consumer arrives at work, uses a security badge to enter a work building and continues to watch the rest of the video on a work desk top computer. Security cameras capture pictures of the consumer exiting the parking garage and entering the building. The business uses a series of network devices to deliver the video to the work devices used by the consumer. The consumer wants to show others the video and uses a streaming device attached to a smart television to stream the video for a group of other consumers. The consumer signs up for a free brochure on the business’s web site using a slate device from work. The consumer uses a digital assistant device to get the address and location of the business. The consumer stops by the business on the way home and makes a purchase with the consumer’s credit card. While at the business location, the consumer uses the WIFI of the business to connect a personal laptop and order tickets for a vacation. The business uses a modem, router and signal booster to deliver WIFI to customers. The business also has 3 security cameras at its store taking pictures of its customer. The security cameras back up data on a local server.
The consumer returns home. The consumer opens the web site of the vacation business on a personal laptop at home to show a child a vacation video on the business’ web site. The consumer’s partner brings up the same video first on the partner’s cellular phone, then on the partner’s laptop. All three people in the household look at the business’ social media pages on Facebook, Instagram, Twitter, and Pinterest. The home computer system runs on a modem, router, a switch and a signal amplifier. The partner uses a credit card with a chip to buy two more tickets for a vacation on the business’ web site.
How many devices did you count? One, three, five, ten, thirty, fifty? The fact is that in our modern life on any given day, hundreds of digital devices might contain or use the personal information of consumers. And any given business can easily be collecting personal information of a given consumer from many devices.
How Many Devices for the Typical Consumer?
The question becomes “From how many devices might a business be buying, receiving, selling, or sharing personal information from a particular consumer or household?” Let’s say that we have only one consumer occupying a dwelling and using a cell phone, laptop, modem, and router to view a business’ web site and social media sites. The consumer pays for a product with a credit card. The product package label barcode is scanned for the transaction and delivered in a package using a barcode label, an address label or an RFID tag. We might count this as eight devices, one household, and one consumer, for a total of ten. So the real consumer threshold might be closer to 5,000 than 50k. 50,000 / 10 = 5,000. Given the growing number of potential devices in use in today’s society, the threshold number is probably much, much smaller than 50,000.
Consider the following common example scenarios.
|Item to Count||Description||Scenario|
|Consumer||Consumer itself||Consumer is a customer|
|Household||Household itself||Consumer occupies a dwelling in CA|
|Cell Phone||Cell Phone||Consumer uses cell phone to browse business web site|
|Lap Top||Lap Top Computer||Consumer uses a personal laptop to browse business web site|
|Desk Top||Desk Top Computer||Consumer uses a desk top computer to browse business web site|
|Modem||Household modem||Consumer connects through household WIFI through household modem to business web site|
|Router||Household router||Consumer connects though household WIFI through household modem and household router to business web site|
|Automobile||Automobile||Consumer listens to podcast or commercial from business in car during commute|
|Digital Speaker||Digital assistant via IoT speaker||Consumer asks Amazon Echo/Alexa, Google Home, Apple Home Pod/Siri, Microsoft Cortana to play the podcast from business website/service|
How many devices does the typical Californian use to access a business? Is it three, six, ten, twenty, more?
The Threshold is NOT 50k Consumers.
You might see other articles that divide the 50,000 regulatory threshold by 365 days in a year to arrive at 137 unique consumers visitors on a business web site per day to put a business under the purview of the CCPA . They say that to meet the threshold a business needs only 137 unique visits to the business web site per day. After more close inspection, however, and accounting for households and devices, we can see that the number of unique visits needed to meet the threshold is much lower than 137 per day. How much lower? It is going to depend on what devices consumers use. If a business were to collect personal information from say 8 devices from consumers within households (8 devices + 1 consumer + 1 household = 10), then it would take only 5,000 consumers (50,000 / 10 = 5,000) or about 13 (5,000 / 365 = 13.6986) consumers a day (not 137) to meet the threshold.
The simplistic “137” calculation fails to account for unique visits to a business’ social networking sites by consumers (completely outside the business’ own web site). It fails to account for unique impressions and bids made in advertising auctions. It fails to account for unique emails received in advertising campaigns to potential customers, let alone current customers. It fails to account for unique employees, households of employees, and devices used by employees (outside their roles as employees). It fails to account for a myriad of devices.
CCPA Consumer/Household/Device Threshold Map.
How will the Attorney General know that a business meets the threshold? The AG will probably simply ask, and a business will have to produce the data. It might take a court order, and most likely will occur in cases where there have been data breaches or a pattern of complaints to the AG about the business. Arguably a business has a duty to at least approximate their threshold number. After all, a business cannot blithely shrug off the application of a regulation to it without even considering the applicability. In the mean time, a broadening of data maps to include social media sites, households and devices might help a business approximate its footprint and know if it meets the threshold. I suggest creating what might be called a CCPA Threshold Map taking into considerations measures such as those in the following table.
CCPA Consumer/Household/Device Threshold Map
|Consumer / Household / Device||Item||Count|
|Consumer||Unique consumers who visit business’ web site||Count|
|Consumer||Unique consumers who visit business’ Facebook web page||Count|
|Consumer||Unique consumers who visit business’ Twitter posts||Count|
|Consumer||Unique consumers who visit business’ Instagram posts||Count|
|Consumer||Unique consumers who visit business’ LinkedIn web page||Count|
|Consumer||Unique consumers who visit business’ Yelp page||Count|
|Consumer||Unique consumers who visit business’ Google business page||Count|
|Consumer||Unique consumers captured via Google analytics||Count|
|Consumer||Unique consumers who visit business’ pages on other social network||Count|
|Consumer||Unique consumers who provide information to business as part of a rewards program||Count|
|Consumer||Unique potential customers who are presented an advertisement from the business on a third party web site (impressions)||Count|
|Consumer||Unique potential customer whose profile is presented to business via a real time bidding auction||Count|
|Consumer||Unique potential customer receiving email marketing from an email campaign||Count|
|Consumer||Unique potential customers that provide personal information in tangible form (e.g., name, phone number, business card, etc. at retail store or trade show)||Count|
|Household||Unique household(s) of each consumer. Potential multiple households if consumer moves or occupies more than one dwelling during the year||Count|
|Device||Unique devices of consumers used to visit business’ website||Count|
|Device||Unique devices of consumers used to visit business’ Facebook web page||Count|
|Device||Unique devices of consumers used to visit business’ Twitter posts||Count|
|Device||Unique devices of consumers used to visit business’ Instagram posts||Count|
|Device||Unique devices of consumers used to visit business’ LinkedIn posts||Count|
|Device||Unique devices of consumers used to visit business’ Yelp page||Count|
|Device||Unique devices of consumers used to visit business’ other social network pages||Count|
|Device||Unique devices used by business to deliver advertising to potential consumer customers (impressions)||Count|
|Device||Unique devices used by business from which PI is collected for purpose of making bids in real-time-bidding advertising auctions||Count|
|Device||Unique devices used for email marketing to consumers||Count|
|Device||Unique devices (e.g., RFID tags and readers) used to sell or deliver products to customer consumers||Count|
|Device||Unique shipping labels of packages shipped to consumers||Count|
|Device||Unique packages shipped to consumers||Count|
|Device||Unique credit cards used to purchase products or services from business||Count|
|Device||Unique devices that collect personal information for purposes of security (e.g., security cameras, personal badges for employees after sunset of exemption)||Count|
|Total||Total consumers, households, devices||Count|
The bottom line is that the CCPA does apply to many more businesses than those who have 50,000 consumers. Businesses who do any business with California consumers should do an assessment that counts consumers, households and devices to determine if they meet the threshold.