Does CCPA Apply to Small Businesses? What You Need to Know
Find out whether the CCPA applies to your small business, what the thresholds are, and why you should care even if you're technically exempt.
Last updated: 2026-02-07
Let's get straight to the point: if you're a small business, the CCPA probably doesn't apply to you. Probably.
Disclaimer: This article is for informational purposes only and does not constitute legal advice. Privacy regulations are complex and change frequently. You should consult a qualified attorney for guidance specific to your business. The information here is based on the CCPA (Cal. Civ. Code §§ 1798.100–1798.199.100) and its amendments under the CPRA, as of the date of publication.
That "probably" is doing a lot of work, though. And even if you're currently exempt, there are good reasons to pay attention. The privacy landscape is shifting fast, and waiting until you're legally required to comply is like waiting until you smell smoke to buy a fire extinguisher.
This guide breaks down the CCPA thresholds, explains how to figure out where your business stands, and gives you honest advice about what to do either way.
The Three CCPA Thresholds
The CCPA applies to for-profit businesses that collect personal information from California residents and meet at least one of these three criteria (Cal. Civ. Code § 1798.140(d)):
Threshold 1: Annual Gross Revenue Over $25 Million (Cal. Civ. Code § 1798.140(d)(1)(A))
If your business has annual gross revenue exceeding $25 million (adjusted annually for CPI; $26.625 million as of 2026), the CCPA applies. Period.
A few important details:
- This is gross revenue, not net income. Revenue before expenses.
- It's worldwide revenue, not just California revenue.
- It includes revenue from all business activities, not just those involving personal information.
- It's measured as of January 1 of the calendar year.
For most small businesses, this threshold is the easy one to evaluate. If you're making less than $25 million a year, you're clear on this criterion. But keep in mind that "gross revenue" includes everything -- every dollar that comes in the door, before you subtract payroll, rent, materials, or anything else.
Threshold 2: Data from 100,000+ Consumers or Households (Cal. Civ. Code § 1798.140(d)(1)(B))
If you annually buy, sell, or share the personal information of 100,000 or more California consumers or households, the CCPA applies.
This threshold was originally 50,000 under the CCPA as enacted in 2018. The CPRA (California Privacy Rights Act) raised it to 100,000, effective January 1, 2023. This change actually removed some businesses from coverage, which was the intent.
How do you count? Every unique California consumer or household whose personal information you process in a calendar year. This includes:
- Website visitors from California (if you collect cookies, IP addresses, or device identifiers)
- Customers who make purchases
- Email subscribers
- App users
- Anyone whose data you buy from a third-party source
Here's where small businesses get surprised: if you run a website with moderate traffic and use standard analytics and advertising tools, you might be collecting data from more California residents than you think. California has nearly 40 million residents -- roughly 12% of the U.S. population. If your website gets 850,000 unique U.S. visitors per year and they roughly mirror the national population distribution, about 100,000 of them could be Californians.
That said, the threshold refers to personal information you buy, sell, or share, not just collect. If you're collecting data passively through website cookies but not actively buying or selling it, you may not hit this threshold even with high traffic. The distinction matters.
Threshold 3: 50%+ Revenue from Selling/Sharing Data (Cal. Civ. Code § 1798.140(d)(1)(C))
If 50% or more of your annual revenue comes from selling or sharing California consumers' personal information, the CCPA applies regardless of your revenue size or data volume.
This threshold primarily targets data brokers -- companies whose core business is buying and selling consumer data. If you're a typical small business (a retailer, a restaurant, a service company, a SaaS startup), this threshold almost certainly doesn't apply to you.
The only small businesses that might hit this threshold are those built around data monetization: certain advertising-supported apps, niche data aggregation services, or lead generation companies.
So... Does It Apply to You?
Let's be real about the numbers.
If your annual revenue is under $25 million (and for most businesses that count as "small" by IRS standards, it is), the first threshold doesn't apply.
If you're not actively buying, selling, or sharing data from 100,000+ Californians per year, the second threshold doesn't apply. And for most small businesses -- even those with a meaningful web presence -- it doesn't.
If data sales aren't your primary revenue source, the third threshold doesn't apply.
For the vast majority of small businesses, the CCPA does not currently apply.
There. We said it. Most CCPA guides won't tell you this clearly because they're selling compliance services and want you scared enough to buy. We'd rather be honest.
But here's where things get nuanced.
Why You Should Care Even If You're Exempt
Reason 1: Thresholds Can Change
The CPRA already changed the second threshold from 50,000 to 100,000. Future amendments could lower it. Other states are passing their own privacy laws with different thresholds -- and some of them apply to businesses much smaller than CCPA covers.
As of 2026, comprehensive privacy laws are in effect in California, Virginia, Colorado, Connecticut, Utah, Iowa, Indiana, Tennessee, Montana, Texas, Oregon, Delaware, New Hampshire, New Jersey, Kentucky, Nebraska, Minnesota, Maryland, and Rhode Island. Several of these have lower applicability thresholds. If you do business across state lines (and on the internet, you do), you may be covered by a state privacy law even if CCPA doesn't apply.
Reason 2: You Might Be Bigger Than You Think
Small businesses have a habit of underestimating their data footprint. If you use:
- Google Analytics
- Facebook/Meta advertising
- Email marketing software (Mailchimp, Constant Contact, etc.)
- A CRM system (HubSpot, Salesforce, etc.)
- Any e-commerce platform
- Customer review tools
- Loyalty programs
...then you're collecting personal information. Lots of it. From lots of people. Doing a basic data inventory is worthwhile even if you conclude the CCPA doesn't apply, because it helps you understand your actual exposure.
Reason 3: Consumers Don't Check Thresholds
When a California consumer emails you asking what data you have about them, they're not going to preface it with "I acknowledge that your business may not meet the CCPA thresholds and therefore this request may not be legally binding."
They're going to ask. And if you respond with "the CCPA doesn't apply to us, go away," that's technically correct but practically terrible. It's bad customer service, and it's the kind of response that ends up in a viral social media post or a complaint to the Attorney General.
Having a process for handling data requests -- even a simple one -- is good business practice regardless of your legal obligations.
Reason 4: Your Business May Grow
If you're planning to grow your business (and presumably you are), you'll eventually cross a threshold. Building privacy-respecting practices now is dramatically cheaper than retrofitting them later. Companies that integrate privacy into their operations from the start spend a fraction of what companies spend when they're forced to comply after years of ignoring the issue.
Reason 5: Data Breaches Don't Care About Thresholds
The CCPA's private right of action for data breaches (Cal. Civ. Code § 1798.150) -- under which individual consumers can sue you for $100 to $750 per person per incident -- is triggered when a breach results from a failure to implement and maintain reasonable security measures. There's debate about whether this provision reaches only businesses that meet the CCPA thresholds, but the conservative (and safer) interpretation is that the security provisions may apply more broadly.
Even setting aside the legal question, a data breach is devastating for a small business regardless of CCPA status. Implementing reasonable security measures is something every business should do. For details on what's at stake, see our CCPA Penalties guide.
What Small Businesses Should Actually Do
Here's our practical advice, organized by urgency.
Do Now (Whether or Not CCPA Applies)
Know what data you collect. Spend an afternoon mapping out what personal information your business collects, where it's stored, and who has access. You'd be surprised how many small business owners can't answer these questions. This doesn't need to be a formal audit. A spreadsheet listing "what data, where stored, who accesses it, why we have it" is fine.
Have a privacy policy. Even if the CCPA doesn't require you to have one with all its specific disclosures, having a basic privacy policy is expected by consumers and required by many platforms (Apple App Store, Google Play, most advertising networks). Your privacy policy should honestly describe what data you collect and what you do with it.
Implement basic security. At minimum:
- Use strong, unique passwords (and a password manager)
- Enable multi-factor authentication on all business accounts
- Keep software updated
- Use encryption for sensitive data
- Limit who has access to customer data
- Back up your data regularly
These aren't CCPA requirements for exempt businesses. They're simply the baseline for not being reckless with other people's information.
Have a plan for data requests. If a customer asks what data you have about them or asks you to delete it, know what you'll do. Even a simple policy like "we'll respond within two weeks and provide what we can" is better than scrambling when the email arrives.
Do Soon (If You're Approaching Thresholds)
Review your vendor agreements. If you share customer data with third-party services (and you do -- your payment processor, your email platform, your CRM), review those agreements for data protection terms. Most major SaaS providers have updated their terms for CCPA compliance, but verify.
Formalize your privacy policy to CCPA standards. Even if you're under the thresholds, upgrading your privacy policy to include CCPA-standard disclosures (categories of data collected, sources, purposes, third parties) is smart. It's transparent, it builds customer trust, and it means less work when you do cross a threshold.
Set up a basic DSAR process. Designate someone to handle privacy requests. Create a simple intake process (even a dedicated email address). Document how you'll verify identity and respond. This doesn't need to be elaborate -- it just needs to exist.
Do When You Cross a Threshold
Full CCPA compliance. Follow our CCPA Compliance Checklist and implement everything. Data mapping, privacy policy with all required disclosures, DSAR process with proper verification, "Do Not Sell" link if applicable, vendor agreements, training, and security measures.
What About the CPRA Changes?
The California Privacy Rights Act (CPRA) amended the CCPA effective January 1, 2023. For small businesses, the most relevant change was raising the second threshold from 50,000 to 100,000 consumers/households. This actually made it less likely that a small business would be covered.
Other CPRA changes that matter if you do cross a threshold:
- New consumer rights (correction, limiting use of sensitive personal information)
- New data minimization requirements (don't keep data longer than necessary)
- A new enforcement agency (the California Privacy Protection Agency, or CPPA) with its own rulemaking authority
- Expanded definition of "sharing" that captures more advertising-related data disclosures
For the full rundown, see our CPRA Compliance guide.
Other State Laws to Watch
Even if the CCPA doesn't apply to you, other state privacy laws might. A few to be aware of:
Virginia (VCDPA): Applies to businesses that control or process data of 100,000+ Virginia consumers, or 25,000+ if you derive more than 50% of revenue from data sales. No revenue threshold.
Colorado (CPA): Similar to Virginia -- 100,000 Colorado consumers, or 25,000+ if you derive revenue from data sales. No revenue threshold.
Connecticut (CTDPA): 100,000 Connecticut consumers, or 25,000+ with revenue from data sales. No revenue threshold.
Texas (TDPSA): Applies to businesses that operate in Texas or produce products/services consumed by Texans, and are not classified as a "small business" under the SBA definition. Texas is a big market, and this law has a broader reach than many others.
The pattern is clear: privacy laws are expanding, and their applicability thresholds vary. A small business that's exempt under CCPA might be covered under Texas law or another state's regulations.
For more detail on who exactly the CCPA covers, see Who Does the CCPA Apply To?
The Honest Bottom Line
If you're a small business making under $25 million in revenue, not actively buying and selling data from 100,000+ Californians, and not running a data brokerage -- the CCPA probably doesn't apply to you today.
But privacy regulation is heading in one direction: more coverage, more rights, more obligations. Building good privacy practices now isn't about checking a legal box. It's about running a business that respects the people who trust you with their information.
That's not just good compliance. It's good business.
References
- California Consumer Privacy Act (CCPA): Cal. Civ. Code §§ 1798.100–1798.199.100. Full text on the California Legislative Information site
- California Privacy Rights Act (CPRA): Proposition 24 (2020), amending the CCPA. CPRA ballot text
- CCPA Regulations: Title 11, Division 6, California Code of Regulations. Final CCPA regulations (California Office of the Attorney General)
- California Privacy Protection Agency (CPPA): Official CPPA website
Last reviewed: February 2026. Privacy laws change frequently. Verify all statutory references against the current text of the law and consult qualified legal counsel before making compliance decisions for your business.
Want to get ahead of compliance requirements? Even if the CCPA doesn't apply to you yet, our DSAR Compliance Guide gives you a practical framework for handling data requests that you can implement in a day. Be ready before you have to be.