惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

T
The Exploit Database - CXSecurity.com
V
Vulnerabilities – Threatpost
Google DeepMind News
Google DeepMind News
Attack and Defense Labs
Attack and Defense Labs
Webroot Blog
Webroot Blog
cs.CV updates on arXiv.org
cs.CV updates on arXiv.org
TaoSecurity Blog
TaoSecurity Blog
I
Intezer
Application and Cybersecurity Blog
Application and Cybersecurity Blog
N
News | PayPal Newsroom
S
Security Affairs
T
Tor Project blog
P
Proofpoint News Feed
Exploit-DB.com RSS Feed
Exploit-DB.com RSS Feed
S
Security @ Cisco Blogs
H
Heimdal Security Blog
Hacker News: Ask HN
Hacker News: Ask HN
Help Net Security
Help Net Security
U
Unit 42
云风的 BLOG
云风的 BLOG
The Hacker News
The Hacker News
Cisco Talos Blog
Cisco Talos Blog
量子位
F
Full Disclosure
cs.AI updates on arXiv.org
cs.AI updates on arXiv.org
OSCHINA 社区最新新闻
OSCHINA 社区最新新闻
博客园 - 叶小钗
有赞技术团队
有赞技术团队
T
Troy Hunt's Blog
P
Privacy & Cybersecurity Law Blog
Forbes - Security
Forbes - Security
人人都是产品经理
人人都是产品经理
L
Lohrmann on Cybersecurity
Apple Machine Learning Research
Apple Machine Learning Research
Microsoft Security Blog
Microsoft Security Blog
博客园 - Franky
腾讯CDC
AI
AI
Last Week in AI
Last Week in AI
Latest news
Latest news
Google Online Security Blog
Google Online Security Blog
N
Netflix TechBlog - Medium
Engineering at Meta
Engineering at Meta
GbyAI
GbyAI
让小产品的独立变现更简单 - ezindie.com
让小产品的独立变现更简单 - ezindie.com
IT之家
IT之家
Martin Fowler
Martin Fowler
Blog — PlanetScale
Blog — PlanetScale
V2EX - 技术
V2EX - 技术
酷 壳 – CoolShell
酷 壳 – CoolShell

Blog of Simple Analytics

The EU wants to kill cookie banners Google is tracking you (even when you use DuckDuckGo) German court rules Meta’s tracking tech violates GDPR Closing the data gap - Simple Analytics x Usercentrics The EU-US data deal may be dead in the water You are missing 20% of your website data with GA4 How a reverse trial will push Simple Analytics to the next level Google will start tracking all your devices (WTF?) Big Tech Fails EU’s Digital Services Act: Only Wikipedia Passes the Test Meta fined $102 million by the Irish Data Protection Commission Europeans spend 575 Million hours per year clicking cookie banners The most interesting GDPR fines GDPR and fines: all there is to know Google loses key antitrust case Web Analytics for Crypto Companies Web analytics for publishers Google pulls Uno Reverse card: Rolls back decision to kill third-party cookies Privacy Monthly July 2024 Privacy Perspectives June 2024 Privacy Monthly June APRA fumbles targeted advertising Privacy Monthly May Meta loses key privacy battle Google delays cookie phase-out once again Privacy Monthly April 2024 Web Analytics and Consent Cookies 101 Privacy Monthly March 2024 German authority cracks down on cookie banners Google Tag Manager vs Google Analytics Google search alternative Data retention in Google Analytics Guide to Google Analytics and Cookie consent What are Google Analytics' identifiers? How to export data from Google Analytics Privacy Monthly February 2024 The Criteo case: a big deal for Big Tech Privacy Monthy January 2024 What the Digital Markets Act means for privacy Google Settles in $5B Incognito Mode Lawsuit Legal troubles for Adobe Analytics Web analytics for nonprofits HIPAA and mental health Why Meta subscriptions are under attack, and why it matters for privacy Privacy Monthly: December Simple Analytics AI Host analytics on Cloudflare Zaraz Add Google Analytics to Convertkit Google Analytics Pricing - Paid vs Free Road to 1 Million ARR - October update CCPA and Data Protection: all there is to know Analytics without a cookie banner Enterprise Analytics Privacy Monthly: November 2023 Delete Act: all you need to know Mobile App Tracking Under Fire The road to 1 Million ARR - September Update Privacy Monthly: October 2023 HIPAA violations First challenge to the EU-US data transfer framework Direct Marketing under GDPR Road to 1 million ARR - August Update CCPA vs CPRA: what is new? Privacy Monthly: September 2023 A/B Testing with Simple Analytics Dobbs v. Jackson ruling is a privacy mess Privacy Monthly: August 2023 What are your rights under the CCPA? How does the HIPAA compare to the CCPA and GDPR? Why Meta is in a world of trouble CJEU: cookie-based analytics collects sensitive data Road to 1 million ARR - July update All about the new Data Transfer Framework Road to 1 Million ARR - June update What is PHI under HIPAA? Sweden declares Google Analytics illegal Searching for GA4 Alternatives? Top 10 Reliable Options for Google Analyticss Ultimate HIPAA Compliance Checklist: Essential Steps for Healthcare Providers Privacy Monthly: June 2023 More troubles for Google Analytics The path to 1M ARR - May Update Data Processing Agreements Minimal Product Analytics Facebook data transfers declared illegal Is Google Analytics CCPA-compliant? Help us with your input Cookie banners: How to stay GDPR compliant? GDPR Compliance Checklist Privacy Monthly: May 2023 Simple Analytics: Privacy-first website analytics Improve your e-commerce performance with analytics European Facebook blackout is closer than we think Know your website’s Carbon Emissions - and how to reduce it The path to 1M ARR - April 2023 How to add video tracking using Google Tag Manager? How to track form submissions using Google Tag Manager? Why is my Simple Analytics data different from Google Analytics? Debug Simple Analytics script How to Import Google Analytics Data to Simple Analytics
When does the CCPA apply?
Iron Brands · 2023-08-11 · via Blog of Simple Analytics

The CCPA sits somewhere in between consumer law and privacy law. This creates some confusion as to which personal information the law applies to. Does it apply to all businesses? Does it apply to employee data and business-to-business transactions? And what about nonprofits?

  1. Does the CCPA apply to all businesses?
  2. Does the CCPA only apply to California businesses?
  3. Does the CCPA apply to non-residents?
  4. Does the CCPA apply to employees and business-to-business transactions?
  5. Does the CCPA apply to nonprofits?
  6. Conclusions

The UK Government chose Simple AnalyticsJoin them

Let’s find out!

Does the CCPA apply to all businesses?

No. The CCPA only applies to large or data-intensive businesses.

More exactly, the CCPA applies to companies if they do business in California and:

  1. have a gross annual revenue of over $25M
  2. buy, sell, or share the personal information of 100,000 or more California residents, households, or devices
  3. make half their revenue or more from selling the personal information of California residents.

This rule is somewhat complex, so let’s break it down.

The requirement to do business in California is mandatory. If you don’t do business in California, then the CCPA does not apply to you.

On the other hand, criteria 1, 2, and 3 are alternative. For instance: if a company does business in California, and half its revenue comes from selling personal information of California residents, then the CCPA applies regardless of the company’s size and annual revenue.

Does the CCPA only apply to California businesses?

No. The CCPA applies to companies that do business in California, as long as any one of the other criteria is met. So, a multinational corporation with a turnover in the billions must comply with the CCPA if it does business in California, whether it is established in California, Delaware, or France.

This is what lawyers refer to as the extra-territorial reach of privacy law. Extra-territorial reach is very common in privacy law, and for good reason. The Internet has no physical boundaries, so personal data often flow between jurisdictions. If the reach of privacy laws were limited, most of its protections would become ineffective.

Just think of how many US Big Tech you provide with your personal data on a daily basis. If Google and Apple could ignore the GDPR entirely, then what would be the point of imposing all sorts of rules and requirements on European organizations?

Does the CCPA apply to non-residents?

No, the CCPA does not apply to the personal information of non-residents. Only California residents have rights under the CCPA. This is a bummer because Silicon Valley giants process enormous amounts of personal information from non-residents all over the world.

This is in sharp contrast with the GDPR because people have rights under the GDPR regardless of where they are and live. If an Italian company processes personal data from California residents, those residents have the exact same rights under the GDPR as Italian or Dutch citizens.

Does the CCPA apply to employees and business-to-business transactions?

Yes, the CCPA applies to both employee information, and personal information reflecting business-to-business (B2B) transactions.

These categories of personal information did not originally fall under the CCPA because the law included temporary exemptions. These exemptions expired in 2022 and were not renewed. As a result, these personal information fall under the CCPA since 2023.

Does the CCPA apply to nonprofits?

As a general rule, the CCPA does not apply to nonprofits.

However, there can be exceptions for nonprofits which are strictly connected to a business. There are precise requirements for this under the CCPA:

  • a business owns 50% or more of the voting securities for an entity, or controls at least 50 % of the voting power;
  • the entity and the business share common branding;
  • the business shares consumer’s personal information with the other entity.

These criteria are actually part of the definition of a business under the CCPA. So, when an entity fits these criteria, is considered to be a business under the CCPA and is subject to the same obligations as a business under the law whether it operates for profit or not.

These criteria are fairly strict overall. In practice, most nonprofits can rest assured that the CCPA does not apply to them- although this is no excuse to be lazy and disregard privacy!

Conclusions

Hopefully this helped you understand the CCPA a little better. We like explaining privacy law because we care about privacy. This is why we built Simple Analytics to provide organizations with all the insights they need, without collecting personal data or tracking visitors! If this sounds good to you, feel free to give us a try!