Skip to content

In order for an entity to be considered a business, and hence regulated by the CCPA, it must satisfy at least one of three thresholds. One such threshold is whether the business has “annual gross revenue in excess of twenty-five million dollars.”[1]

The CCPA does not specify whether the gross revenue threshold refers to revenue generated by a business in the state of California, or revenue generated by a business from any location. The Office of the Attorney General was asked to clarify how businesses should compute their gross revenue and, in response, indicated that the CCPA “does not limit the revenue threshold to revenue generated in California or from California residents.” The Attorney General further refused to consider regulations which would limit the revenue calculation to California stating that “[a]ny proposed change to limit the threshold to revenue generated only in California or from California residents would be inconsistent with the CCPA.”[2]


[1] Cal. Civil Code 1798.140(c)(1)(A) (Oct. 2020).

[2] FSOR Appendix A at 1 (Response 5).

Print:
Email this postTweet this postLike this postShare this post on LinkedIn
Photo of David A. Zetoony David A. Zetoony

David Zetoony, Co-Chair of the firm’s U.S. Data, Privacy and Cybersecurity Practice, focuses on helping businesses navigate data privacy and cyber security laws from a practical standpoint. David has helped hundreds of companies establish and maintain ongoing privacy and security programs, and he

David Zetoony, Co-Chair of the firm’s U.S. Data, Privacy and Cybersecurity Practice, focuses on helping businesses navigate data privacy and cyber security laws from a practical standpoint. David has helped hundreds of companies establish and maintain ongoing privacy and security programs, and he has defended corporate privacy and security practices in investigations initiated by the Federal Trade Commission, and other data privacy and security regulatory agencies around the world, as well as in class action litigation.

David receives regular recognitions from clients and peers for his knowledge and experience in the fields of data privacy and security. The National Law Journal named him a “Cybersecurity and Data Privacy Trailblazer,” JD Supra recognized him four times as one of the most widely read names when it comes to data privacy, cyber security, or the collection and use of data, and Lexology identified him six times as the top “legal influencer” in the area of technology, media, and telecommunications in the United States, the European Union, and in the context of cross-border transfers of information. He is the author of the American Bar Associations primary publication on the European General Data Protection Regulation (GDPR) and is writing the American Bar Associations primary publication on the California Consumer Privacy Act (CCPA).