nshki/naisho

Look into exempt non-profits

Closed this issue · 4 comments

There are a number of organizations emailing back saying they are exempt from the CCPA via the Fair Credit Reporting Act. This is a task to investigate the validity of those responses, and maintain a list of exempt non-profits in the codebase if need be.

👋🏻 Adding my $0.02. Companies in general that are below a number of thresholds are exempt from CCPA across the board, regardless of their non-profit status. If a business doesn't meet any of these requirements, they are exempt:

  • Makes at least $25 million in annual gross revenue.
  • Buys, receives, sells, or shares the personal information of 50,000 or more California residents or households.
  • Makes at least 50% of its annual revenue from selling consumer data.

This is a hard problem to solve because it's impossible to know from the outset the events and customer numbers of a business; that's proprietary information unless they're publicly traded.

Something that crossed my mind in an attempt to solve this is looking for mention of CCPA on the business' web site. If a business has to comply with CCPA, they have to say so by specifically including an opt-out link that reads "Do Not Sell or Share My Personal Information" (source). For example in the footer of mcdonalds.com:

[Screenshot: footer of mcdonalds.com]

Thanks so much for chipping in! Hmm, that makes things a little more complicated indeed. Checking for a company's "notice at collection" seems like a path forward, like you suggested.

From the perspective of someone who sends out these data deletion requests, I'm wondering if it's not even worth it to keep track of exempt companies since their exempt status could potentially change at any time.

And frankly I didn't even cover the FCRA-exempt companies 😅. Those would be a lot harder to even identify without having intimate knowledge of what said company does and the Fair Credit Reporting Act in general. I don't imagine there'll be an easy way to omit them.

Agreed. Given that the key data points we'd be interested in for this aren't publicly available for a vast majority of companies, I'm going to consider this a "won't do."

Thanks again for chipping in here. I really appreciate it. ✨
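The link check suggested in the thread, sketched as an added example (not code from the naisho repository): it scans already-fetched HTML for a link or button whose visible text is the opt-out wording quoted above. The function name, the sample markup, and the tolerance for the shorter "Do Not Sell My Personal Information" wording are assumptions of this example.

```python
import re
from html.parser import HTMLParser

# Wording quoted in the thread. Making "or Share" optional is an assumption of
# this example so the shorter "Do Not Sell My Personal Information" also matches.
OPT_OUT_RE = re.compile(r"do not sell (or share )?my personal information", re.I)


class LinkTextCollector(HTMLParser):
    """Collects (href, visible text) for every <a> and <button> element."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.links = []    # finished elements: (href, normalized text)
        self._open = []    # currently open elements: [href, [text parts]]

    def handle_starttag(self, tag, attrs):
        if tag in ("a", "button"):
            self._open.append([dict(attrs).get("href"), []])

    def handle_endtag(self, tag):
        if tag in ("a", "button") and self._open:
            href, parts = self._open.pop()
            # Collapse newlines, indentation and &nbsp; into single spaces.
            self.links.append((href, " ".join("".join(parts).split())))

    def handle_data(self, data):
        # Text in nested tags (<span>, <strong>) still belongs to the open link.
        if self._open:
            self._open[-1][1].append(data)


def find_opt_out_links(html):
    """Return the (href, text) pairs whose link text is the opt-out wording."""
    collector = LinkTextCollector()
    collector.feed(html)
    collector.close()
    return [(h, t) for h, t in collector.links if OPT_OUT_RE.search(t)]


# Constructed sample footers, not taken from any real site.
SAMPLE_WITH_LINK = """<footer>
  <a href="/privacy">Privacy Policy</a>
  <a href="/privacy/opt-out"><span>Do Not Sell</span>
     or&nbsp;Share My Personal Information</a>
</footer>"""
SAMPLE_WITHOUT_LINK = """<footer><a href="/privacy">Privacy Policy</a>
  <p>Do not sell or share my personal information (plain text, not a link)</p>
</footer>"""

if __name__ == "__main__":
    print(find_opt_out_links(SAMPLE_WITH_LINK))
    print(find_opt_out_links(SAMPLE_WITHOUT_LINK))
```

Footers rendered client-side by JavaScript will not appear in statically fetched HTML, so an empty result only means the link was not found in the markup that was scanned.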