Does the California Consumer Privacy Act (CCPA) apply to my small business?

The California Consumer Privacy Act (CCPA), significantly expanded by the CPRA, applies to for-profit businesses operating in California that meet specific operational thresholds.
Your business is legally required to comply if it meets any one of the following criteria:

  • it has a gross annual revenue exceeding $26.6 million (adjusted for inflation as of 2025);
  • it buys, sells, or shares the personal information of 100,000 or more California residents or households annually; or
  • it derives 50% or more of its annual revenue from selling or sharing consumer personal data.

While many local brick-and-mortar small businesses fall below these revenue thresholds, data-heavy startups, digital marketing agencies, and businesses engaging in widespread data sharing must adhere to strict requirements regarding consumer data access, deletion rights, and real-time opt-out mechanisms.

The following table clarifies the specific thresholds that trigger CCPA compliance:

| Qualifying Threshold | CCPA/CPRA Statutory Requirement | Impact on SMBs |
|---|---|---|
| Gross Annual Revenue | Exceeds $26,625,000 (as of Jan 1, 2025) | Excludes most local brick-and-mortar SMBs. |
| Data Volume | Buys, sells, or shares data of 100,000+ CA consumers | High risk for digital agencies, e-commerce, and high-traffic sites. |
| Revenue Source | 50%+ of revenue from selling/sharing personal data | High risk for lead generators and data brokers. |