Who Needs CCPA Compliance? Business Applicability Guide
Determining whether your organization falls under CCPA jurisdiction is the critical first step toward compliance. The law applies to for-profit businesses meeting specific thresholds, regardless of where they are physically located.
Key Takeaways
| Point | Summary |
|---|---|
| Geographic scope | Any business with California customers, regardless of company location |
| Revenue threshold | $26.625 million+ in annual gross revenue (2025 adjusted amount) |
| Data volume threshold | 100,000+ California consumers or households |
| Data revenue threshold | 50%+ of revenue from selling/sharing personal information |
| Exemptions | Non-profits, government agencies, and certain regulated industries |
Quick Answer: CCPA applies to for-profit businesses that do business in California AND meet any one of three thresholds: $26.625M+ annual revenue, 100,000+ California consumers' data, or 50%+ revenue from data sales. Location does not matter; California customers trigger applicability.
The Three Applicability Thresholds
A for-profit business must comply with CCPA if it collects California consumers' personal information, does business in California, and meets any one of these thresholds:
Threshold 1: Revenue
| Requirement | Details |
|---|---|
| Amount | $26.625 million or more in annual gross revenue |
| Basis | Preceding calendar year |
| Scope | Worldwide revenue, not just California |
| Adjustment | Inflation-adjusted; was $25 million, increased January 2025 |
Common questions about the revenue threshold:
- Is it California revenue only? No, it's worldwide gross annual revenue.
- Does it include subsidiaries? CCPA considers entities under common ownership or control.
- What about revenue from non-California customers? All revenue counts toward the threshold.
Threshold 2: Data Volume
| Requirement | Details |
|---|---|
| Amount | 100,000 or more California consumers or households |
| Activity | Buy, receive for commercial purposes, sell, or share personal information |
| Note | Changed from 50,000 by CPRA effective January 2023 |
Important considerations:
- This counts California residents specifically, not all users.
- "Households" includes device-level data linked to a residence.
- Both first-party collection and third-party data acquisitions count.
Threshold 3: Data Revenue
| Requirement | Details |
|---|---|
| Percentage | 50% or more of annual revenue |
| Activity | Derived from selling or sharing California consumers' personal information |
| Common industries | Data brokers, advertising networks, lead generation companies |
Does "Doing Business in California" Mean Physical Presence?
No. CCPA does not require physical presence in California. "Doing business" includes:
| Activity | Applies? |
|---|---|
| Selling products online to California residents | Yes |
| Providing services accessible to California residents | Yes |
| Having a California office or employees | Yes |
| Marketing specifically to California residents | Yes |
| Processing data of California residents | Yes |
| Headquartered outside California | Still applies if thresholds met |
| International company with California customers | Still applies |
Who is Exempt from CCPA?
Exempt Entity Types
| Entity Type | Notes |
|---|---|
| Non-profit organizations | Unless controlled by a covered business |
| Government agencies | State and local government entities |
| Businesses below all thresholds | Covered only if at least one threshold is met |
Partial Exemptions and Sector-Specific Rules
| Data Type/Sector | Exemption Details |
|---|---|
| HIPAA-covered health data | Exempt when subject to HIPAA |
| GLBA-covered financial data | Exempt when subject to Gramm-Leach-Bliley |
| FCRA-covered credit data | Exempt when subject to Fair Credit Reporting Act |
| Clinical trial data | Exempt when subject to federal Common Rule |
| FERPA-covered education data | Exempt when subject to Family Educational Rights and Privacy Act |
| DPPA-covered vehicle data | Exempt when subject to Driver's Privacy Protection Act |
Important: These exemptions apply to specific data, not to the business entirely. A healthcare company still must comply with CCPA for non-HIPAA data.
Employee Data Exception
The original CCPA included a temporary exemption for employee and job applicant data. This exemption expired on January 1, 2023, with the CPRA amendments. Businesses must now provide full CCPA rights to employees regarding their personal information.
Special Considerations for Startups and Growing Companies
When Startups Typically Cross Thresholds
| Stage | Likely Trigger |
|---|---|
| Pre-seed to Seed | Usually below thresholds |
| Series A | May approach 100,000 users |
| Series B+ | Likely to exceed revenue or data thresholds |
| Post-acquisition | May inherit thresholds from parent company |
Common Scenarios
B2B SaaS Companies:
- Even if you have few direct customers, you may process California residents' data on behalf of clients.
- Your role as a service provider has specific contractual requirements. See CCPA for SaaS companies for detailed guidance.
E-commerce Businesses:
- Businesses selling lower-priced items often rely on high transaction volumes, which pushes them toward the data volume threshold.
- Email marketing lists often exceed 100,000 faster than expected.
Mobile App Developers:
- Apps with California users collect significant device and behavioral data.
- SDK integrations may constitute "sharing" under CCPA.
Marketplace Platforms:
- Both buyer and seller data count toward thresholds.
- Multi-sided platforms often exceed data volume thresholds quickly.
How to Assess Your CCPA Applicability
Step 1: Determine If You "Do Business in California"
| Question | If Yes |
|---|---|
| Do you sell products/services to California residents? | Proceed to Step 2 |
| Do you have California employees or contractors? | Proceed to Step 2 |
| Can California residents access your website/app? | Proceed to Step 2 |
| Do you target marketing to California? | Proceed to Step 2 |
Step 2: Evaluate Revenue Threshold
| Data Point Needed | Where to Find It |
|---|---|
| Annual gross revenue | Financial statements, tax returns |
| Preceding calendar year | Prior year's full-year financials |
| Comparison to $26.625 million | Simple threshold comparison |
Step 3: Evaluate Data Volume Threshold
| Data Point Needed | Where to Find It |
|---|---|
| Number of California consumers | User database with state/location fields |
| Household-level data | Device IDs, IP-based location data |
| Data bought, sold, or shared | Vendor and partner contracts |
Step 4: Evaluate Data Revenue Threshold
| Data Point Needed | Where to Find It |
|---|---|
| Revenue from data sales | Revenue attribution by source |
| Revenue from data sharing for ads | Advertising revenue breakdown |
| Percentage calculation | (Data revenue / Total revenue) × 100 |
Service Providers vs. Businesses
If you process California consumers' data on behalf of another company, you may be a "service provider" rather than a covered "business." For detailed contract requirements, see service provider requirements.
| Role | Definition | Obligations |
|---|---|---|
| Business | Determines purposes of processing | Full CCPA compliance required |
| Service Provider | Processes on behalf of a business | Contractual obligations, limited use |
| Contractor | Third party with data access | Written contract required |
Service provider requirements:
- Written contract specifying permitted uses
- Certification of CCPA understanding
- Prohibition on selling or using data for own purposes
- Assistance with consumer rights requests
- Notification if unable to meet obligations
Common Questions
Do I need to comply if I'm below the thresholds?
Technically no, but many businesses choose to comply voluntarily because:
- They anticipate crossing thresholds soon
- California customers expect privacy rights
- It prepares them for other state privacy laws
- It demonstrates privacy maturity to enterprise customers
What if I cross a threshold mid-year?
The CCPA does not provide a grace period. Businesses should monitor their metrics and prepare for compliance before crossing thresholds.
How do I count California consumers?
You need a reasonable method to identify California residents in your data. Common approaches:
- Billing or shipping addresses
- IP geolocation (as a reasonable approximation)
- Self-reported location information
- Phone number area codes (less reliable)
How Bastion Helps
Determining CCPA applicability and preparing for compliance can be complex, especially for growing companies approaching thresholds.
| Challenge | How We Help |
|---|---|
| Threshold assessment | Analysis of your revenue and data volume against current thresholds |
| Service provider classification | Determining your role and obligations in data processing relationships |
| Growth planning | Compliance roadmap aligned with your business trajectory |
| Multi-state considerations | Guidance on CCPA alongside other state privacy laws |
| Vendor obligations | Contract templates and review for service provider relationships |
