Data Privacy & CCPA — Compliance Scenario

We’re Headquartered in Illinois. Our VP Says California’s Privacy Law Doesn’t Apply to Us. Is He Right?

A real workplace compliance scenario — with three decision options and the right answer.

Quick Answer

Does the California Consumer Privacy Act (CCPA/CPRA) apply to companies headquartered outside California? Yes — if you meet the threshold criteria. The law follows the data subject, not the company’s headquarters. A company with a California sales office, California clients, and a marketing database containing data of California residents is almost certainly subject to CCPA obligations regardless of where it is incorporated or headquartered. This scenario shows why “we’re not a California company” is one of the most common — and most expensive — privacy compliance misconceptions.

The Situation

You are the compliance manager at a mid-size B2B software company headquartered in Chicago. You have a sales office in San Francisco, several California-based enterprise clients, and a marketing database that includes contact information for thousands of California residents — leads, prospects, and current client contacts collected over several years.

Your marketing team wants to launch a new targeted email campaign using the full database. A colleague raises the California Consumer Privacy Act. Your VP of Sales pushes back: “We’re an Illinois company. California law doesn’t apply to us — we’re not doing business in California the way a retailer would.” You’re not sure who is right.

What Should You Do?

Choice A: Proceed with the campaign. You’re headquartered in Illinois. California’s privacy law applies to California-based businesses — not companies that happen to have some California clients.

Choice B: Pause and conduct a CCPA threshold analysis before proceeding. The law applies based on where your customers are located and your revenue thresholds — not where your company is headquartered.

Choice C: Exclude California residents from the campaign as a precaution and proceed with everyone else. That way you avoid any California exposure without stopping the campaign entirely.

The Right Call

Choice B — Pause and conduct a CCPA threshold analysis.

Choice A proceeds on a legal assumption that is almost certainly wrong for this company. Choice C is a reasonable instinct, but it doesn’t resolve the underlying compliance question — if the company is subject to CCPA, its obligations extend to how it handles California resident data across all activities, not just this one campaign. The right answer is to find out whether the company is covered before deciding how to proceed — and if it is covered, to build a compliance program, not just exclude one audience segment.

The Three CCPA Coverage Thresholds

The CCPA/CPRA applies to for-profit businesses that do business in California AND meet at least one of the following:

Threshold 1: Annual gross revenue exceeding $25 million

Threshold 2: Annually buying, selling, or sharing the personal information of 100,000 or more California consumers or households

Threshold 3: Deriving 50% or more of annual revenue from selling or sharing California consumers’ personal information

The phrase “does business in California” is interpreted broadly — having a sales office, California-based employees, California clients, or actively marketing to California residents can all satisfy this element. The company in this scenario almost certainly meets the “does business in California” test. Whether it crosses a revenue or data volume threshold requires actual analysis — which is exactly why Choice B is the right answer.

Why This Scenario Is Harder Than It Looks

The VP’s argument sounds reasonable — and it’s wrong.

The mental model that “California law is for California businesses” is intuitive and very common among teams outside privacy and legal. It’s the same assumption that has produced enforcement actions against companies headquartered in New York, Texas, and other states. CCPA is not a business location law. It’s a data subject rights law. It follows California residents wherever their data travels — including into the marketing databases of Illinois companies.

A marketing database of “thousands of California residents” may already cross a threshold.

The 100,000 consumer threshold sounds large until you account for how broadly “personal information” is defined under CCPA — it includes names, email addresses, IP addresses, browsing history, purchase history, and inferences drawn from any of these. A B2B company with a marketing database of prospects and clients collected over several years may be processing far more California resident data than it realizes.

Exclusion addresses the symptom, not the obligation.

Choice C feels like a safe workaround — exclude the California residents and the problem goes away. But CCPA obligations don’t attach to marketing campaigns. They attach to the company’s collection, use, and handling of California resident data across all activities. A company that is subject to CCPA needs a privacy notice, a data subject request process, opt-out mechanisms, and vendor contracts — not a campaign exclusion list.

Frequently Asked Questions

Does CCPA apply to businesses headquartered outside California?

Yes — if they do business in California and meet one of the three threshold criteria. The law applies to for-profit businesses regardless of where they are incorporated or headquartered. A company based in Illinois, New York, or Texas that collects personal information from California residents and meets a threshold is subject to CCPA obligations.

What does “doing business in California” mean under CCPA?

California regulators interpret this broadly. It can include having employees or a sales office in California, having California-based customers, actively marketing to California residents, maintaining a website accessible to California residents, or having a registered agent in California. The threshold is low — most companies with any California commercial activity satisfy it.

What are the main obligations if CCPA applies to our company?

Core obligations include: providing a privacy notice that discloses what personal information you collect and why; honoring consumer rights to know, delete, correct, and opt out of sale or sharing of their data; responding to verifiable consumer requests within 45 days; updating vendor contracts with required data processing terms; and not discriminating against consumers who exercise their privacy rights.

What are the penalties for CCPA non-compliance?

The California Privacy Protection Agency can impose fines of up to $2,500 per unintentional violation and $7,500 per intentional violation. CCPA also creates a private right of action for data breaches, with statutory damages between $100 and $750 per consumer per incident. For companies with large California resident datasets, even a modest enforcement action or breach can produce significant aggregate liability.

What is the difference between CCPA and CPRA?

The California Privacy Rights Act (CPRA) is an amendment to CCPA that took effect January 1, 2023. It created the California Privacy Protection Agency as an independent enforcement body, added new consumer rights including the right to correct inaccurate data and the right to limit use of sensitive personal information, expanded the definition of “sharing” to include cross-context behavioral advertising, and strengthened data minimization requirements. CPRA did not replace CCPA — it significantly expanded it.

How to Use This Scenario in Training

Data privacy policy training or Code of Conduct training establishes the law. This scenario makes it stick.

Xcelus recommends this scenario for compliance managers, legal teams, marketing, and senior leadership at any company with a California commercial presence. The recognition skill is understanding that CCPA coverage follows the data subject, not the company’s address — and that “we’re not a California company” is a conclusion that requires analysis, not an assumption that ends the conversation.


Want the Full Data Privacy & CCPA Training?

Xcelus builds scenario-based data privacy training for organizations navigating CCPA, CPRA, and GDPR — including threshold analysis, data subject rights, vendor management, and the sharing vs. selling distinction that catches most companies off guard.
