Skip to content

For an entity to be considered a “business” under the CCPA, it must meet one of three thresholds. One of those thresholds is whether the entity “annually buys, receives for the business’ commercial purposes, sells, or shares for commercial purposes, alone or in combination, the personal information of 50,000 or more consumers, households, or devices.”1 The CPRA modified the threshold such that, as of Jan. 1, 2023, an entity would need to buy, sell, or share personal information of 100,000 or more consumers or households.2

The Office of the Attorney General was asked to clarify how entities should compute the number of households or devices. Specifically, the attorney general was asked whether a California consumer that used multiple devices should be counted once or should be counted multiple times.3 The attorney general declined to clarify whether a consumer should be counted more than one time based upon their quantity of devices or households.4

The Office of the Attorney General was also asked to clarify whether the reference to “device” found within the CCPA (note that as of Jan. 1, 2023, such reference is removed) means a device used by a California resident or a device used by a resident of any state.5 The attorney general took the position that the device must relate to a California resident, stating that “it would be unreasonable to conclude that a household or device subject to the CCPA would not have some nexus to a natural person who is a California resident.” [1]

1 Cal. Civ. Code 1798.149(c)(1)(B) (Oct. 2020).

2 Cal. Civ. Code 1798.140(d)(1)(A).

3 FSOR Appendix A at 2 (Response 6).

4 FSOR Appendix A at 2 (Response 6).

5 FSOR Appendix A at 2 (Response 6).

[1] FSOR Appendix A at 2 (Response 6).