CCPA Compliance

This is one in a series of topics to help Magento merchants and developers understand the implications of the California Consumer Privacy Act. The information is based on the text of the statute. Consult with your attorney to confirm if CCPA applies to your business before taking action on compliance.

The California Consumer Privacy Act (CCPA) expands the rights of consumers in California to determine how their personal information is collected, stored, and used, with an emphasis on protecting consumers from the unauthorized sale or exchange of their personal information. The CCPA was enacted in 2018 and went into effect January 1, 2020.

The CCPA grants the following new rights to consumers:

  • Right to know the categories of personal information about them that is collected, used, shared, or sold in the past 12 months.
  • Right to delete certain types of personal information that is held by a business and/or their service provider(s).
  • Right to opt out of the sale of their personal information.
  • Right to non-discrimination in terms of price or service for having exercised a privacy right under CCPA.

For CCPA purposes, personal information is defined as:

“Information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” (Section 1798.140)

In this regard, it covers certain data elements that may not be considered personal data in the context of other laws or regulations. Magento merchants should keep this in mind when determining whether and how they should comply with the law.

The CCPA also requires businesses to provide “reasonable security”, and includes expanded data protection provisions for consumers, including the right to pursue legal action in the event of a data breach.

Please consult with your legal counsel to determine whether and how you should comply with any CCPA requirements that may be applicable to you and your business, including the new notice, opt-out, and record-keeping requirements that businesses must implement in accordance with the law.

Business Requirements

The CCPA applies to the following businesses — regardless of where the business is registered — that do business in California and collect, share, or sell California consumers’ personal data:

(1) A sole proprietorship, partnership, limited liability company, corporation, association, or other legal entity that is organized or operated for the profit or financial benefit of its shareholders or other owners, that collects consumers’ personal information, or on the behalf of which such information is collected and that alone, or jointly with others, determines the purposes and means of the processing of consumers’ personal information, that does business in the State of California, and that satisfies one or more of the following thresholds:

  • Has gross annual revenue in excess of $25 million;
  • Buys, receives, or sells the personal information of 50,000 or more consumers, households, or devices;
  • Derives 50% or more of its annual revenue from the sale of consumer personal information.

Businesses that handle the personal information of more than 4 million consumers have additional obligations under the CCPA.

(2) Any entity that controls or is controlled by a business, as defined in paragraph (1), and that shares common branding with the business. “Control” or “controlled” means ownership of, or the power to vote, more than 50 percent of the outstanding shares of any class of voting security of a business; control in any manner over the election of a majority of the directors, or of individuals exercising similar functions; or the power to exercise a controlling influence over the management of a company. “Common branding” means a shared name, servicemark, or trademark.

If your business is subject to CCPA requirements, please consult our CCPA Compliance Guide.