Who Does the CCPA Apply To? Applicability Thresholds Explained

Detailed breakdown of CCPA applicability thresholds, including out-of-state businesses, non-profits, service providers, and how to calculate whether you're covered.

Last updated: 2026-02-07

"Does the CCPA apply to me?" is the most common question businesses ask about California's privacy law. And most of the time, the answer they get is frustratingly vague.

Disclaimer: This article is for informational purposes only and does not constitute legal advice. Privacy regulations are complex and change frequently. You should consult a qualified attorney for guidance specific to your business. The information here is based on the CCPA (Cal. Civ. Code §§ 1798.100–1798.199.100) and its amendments under the CPRA, as of the date of publication.

Not in this guide. It breaks down the CCPA's applicability tests in detail, including how to calculate each threshold, what counts and what doesn't, and the edge cases that trip businesses up. By the end, you should know definitively whether you're covered -- or at least know exactly what you need to figure out.

For the full picture of what compliance looks like once you've determined the law applies, see our Complete Guide to CCPA Compliance.

The Basic Framework

The CCPA applies to a for-profit business that (Cal. Civ. Code § 1798.140(d)):

  1. Collects consumers' personal information (or has it collected on its behalf), and
  2. Does business in California, and
  3. Meets at least one of three thresholds

All three conditions must be true. Let's unpack each one.

Condition 1: Collecting Personal Information

The CCPA defines "personal information" extraordinarily broadly (Cal. Civ. Code § 1798.140(v)). It's any information that "identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household."

This includes:

  • Identifiers: Name, alias, postal address, unique personal identifier, online identifier, IP address, email address, account name, Social Security number, driver's license number, passport number
  • Customer records: Signature, physical characteristics, telephone number, education, employment history, bank account number, credit card number, insurance information, medical information
  • Protected characteristics: Race, religion, sexual orientation, gender identity, marital status, veteran status, disability
  • Commercial information: Records of property, products or services purchased, purchasing or consuming histories
  • Biometric information: Genetic, physiological, behavioral characteristics used for identification
  • Internet or network activity: Browsing history, search history, interaction with websites/apps/advertisements
  • Geolocation data: Physical location or movements
  • Sensory data: Audio, electronic, visual, thermal, olfactory, or similar information
  • Professional or employment information: Current or past job history, performance evaluations
  • Education information: Information not publicly available under FERPA
  • Inferences: Profiles reflecting preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, aptitudes

If you operate a website, you almost certainly collect personal information. Cookies, IP addresses, device identifiers, and form submissions all count. The question isn't usually whether you collect personal information -- it's whether you meet the other conditions.

Condition 2: Doing Business in California

The CCPA applies to businesses that "do business in the State of California" (Cal. Civ. Code § 1798.140(c)). This doesn't mean you need a physical office in California. It's interpreted broadly to include any business that:

  • Has a physical presence in California (office, store, warehouse)
  • Sells goods or services to California residents
  • Has employees in California
  • Has a website accessible to California residents (with some caveats)

The "website accessible to California residents" point is the broadest interpretation. In practice, the California Attorney General and the California Privacy Protection Agency (CPPA) have focused enforcement on businesses with a meaningful connection to California -- not random websites that happen to be viewable from a California IP address.

The practical test: If you actively market to, sell to, or target California residents, you're doing business in California for CCPA purposes. If you have California customers, even if you're based in another state, you're likely covered (assuming you also meet a threshold).

Does CCPA Apply to Companies Outside California?

Yes. Emphatically yes. The CCPA applies to any for-profit business that meets the criteria, regardless of where it's headquartered. A company in Florida, Texas, New York, or even outside the United States can be subject to the CCPA if it collects personal information from California residents and meets a threshold.

This is one of the law's most consequential features. Because California has nearly 40 million residents -- about 12% of the U.S. population -- almost any business with a national online presence is "doing business in California."

Condition 3: Meeting a Threshold

Here's where the rubber meets the road. You must meet at least one of three thresholds (Cal. Civ. Code § 1798.140(d)).

Threshold 1: $25 Million in Annual Gross Revenue

The test: Annual gross revenue exceeding $25 million as of January 1 of the calendar year. Note: This threshold is adjusted annually for CPI. As of 2026, the adjusted threshold is $26.625 million per the CPPA's official CPI adjustment.

How to calculate:

  • Gross revenue means total income before deductions. Not net profit, not net revenue. Every dollar that comes in.
  • It's worldwide revenue, not just California revenue. A company making $30 million total with $2 million from California operations is covered.
  • Revenue is measured as of January 1 of the calendar year. If your revenue crossed $25 million in 2025, you're covered for 2026.
  • Include revenue from all sources, all product lines, all business divisions. If you're a subsidiary, the revenue of the parent company may be relevant (more on this below).

Common questions:

What if my revenue fluctuates around $25 million? If your prior fiscal year's revenue exceeded $25 million, you should treat yourself as covered for the current year. If it dropped below $25 million, you may no longer be covered, but be cautious -- the law isn't entirely clear on businesses that bounce in and out.

Does this include affiliate or parent company revenue? The CCPA applies to each "business" separately. However, if a parent company controls a subsidiary and they share branding, data practices, or operate as a unified business, the AG or CPPA could potentially look at combined revenue. This is an area where legal counsel is worth consulting.

What about non-revenue income? Grants, investment income, and similar non-operational income generally count toward gross revenue. The CCPA doesn't distinguish between revenue sources.

Threshold 2: Personal Information of 100,000+ Consumers/Households

The test: Annually buys, sells, or shares the personal information of 100,000 or more California consumers or households.

How to calculate:

This threshold was raised from 50,000 to 100,000 by the CPRA, effective January 1, 2023. It applies to personal information you buy, sell, or share -- not merely collect.

Key definitions:

  • Buy: Purchasing personal information from a data broker or third party.
  • Sell: Disclosing personal information to a third party for monetary or other valuable consideration. This is broader than "selling for cash." If you share customer data with an ad network in exchange for targeted advertising services, that may be a "sale."
  • Share: Under CPRA, disclosing personal information to a third party for cross-context behavioral advertising, whether or not money changes hands. This captures common ad-tech arrangements where data flows to advertising platforms.

Counting methodology:

You're counting unique California consumers or households per year. "Consumers" means natural persons (not businesses). "Households" means a group of people residing at the same address.

Important nuances:

  • If you have 80,000 unique California customers and you share their data with an advertising partner, and separately share 30,000 of their records with an analytics firm, you're still at 80,000 unique consumers -- not 110,000. The count is unique consumers, not total data transfers.
  • Website visitors count if you're collecting personal information (like IP addresses via cookies) and sharing that data with third parties. If you run Google Analytics with default settings and get 100,000+ unique California visitors per year, you may be "sharing" their data with Google -- which could put you over the threshold.
  • The count includes consumers whose data you buy, not just those you collect directly. If you purchase marketing lists from data brokers, those individuals count.

This is the threshold that catches businesses off guard. Many mid-sized businesses with active websites and standard advertising practices hit 100,000 California consumers without realizing it.

Threshold 3: 50%+ Revenue from Selling/Sharing Data

The test: Deriving 50% or more of annual revenue from selling or sharing California consumers' personal information.

How to calculate:

Divide your revenue from selling/sharing California consumers' personal information by your total annual revenue. If the result is 50% or more, this threshold is met.

This threshold primarily captures data brokers and companies whose core business model is data monetization. For most operating businesses (retailers, SaaS companies, service providers, manufacturers), data sales are incidental to their primary business, and this threshold isn't relevant.

Companies that might hit this threshold include:

  • Data brokers
  • Certain lead generation companies
  • Some advertising-supported apps or websites where user data is the primary product
  • Marketing list companies

If your primary business is selling products, services, or software, this threshold almost certainly doesn't apply to you.

Entities That Are Exempt

Even if you meet the thresholds, some types of organizations are exempt from the CCPA.

Non-Profit Organizations

The CCPA applies only to for-profit businesses. Non-profit organizations, including charitable organizations, are exempt regardless of their size or data practices.

However, there's a significant caveat: if a non-profit operates a for-profit subsidiary, that subsidiary is not exempt. And if a for-profit business is "controlled by" a covered business and shares common branding, the CCPA may apply to it.

Government Agencies

Government agencies and entities are not covered by the CCPA. However, government contractors that are for-profit businesses may be covered based on their own activities.

Businesses Covered by Certain Federal Laws

The CCPA provides specific exemptions for certain categories of data already regulated by federal law (Cal. Civ. Code § 1798.145):

  • HIPAA-covered entities and business associates: Health information governed by HIPAA is exempt. However, the entity itself isn't exempt -- only the data covered by HIPAA. If a healthcare provider also collects non-HIPAA consumer data (like website visitor data), that data is subject to the CCPA.
  • Financial institutions subject to GLBA: Personal information collected, processed, sold, or disclosed under the Gramm-Leach-Bliley Act is exempt. Again, this is a data-level exemption, not an entity-level exemption.
  • Data covered by FCRA: Personal information collected, maintained, or sold under the Fair Credit Reporting Act is exempt.
  • Data covered by DPPA: Driver's Privacy Protection Act-covered data is exempt.

These are narrow, data-specific exemptions. The entity isn't exempt; only the specific data governed by the federal law is exempt. A bank subject to GLBA is still subject to the CCPA for any personal information it collects that isn't covered by GLBA.

The Service Provider vs. Business Distinction

This is a critical distinction that many businesses get wrong.

Under the CCPA, a business is the entity that determines the purposes and means of processing personal information. A service provider processes personal information on behalf of a business, under a written contract.

Why does this matter? Service providers have different (and generally lighter) obligations than businesses. A service provider:

  • Processes data only as instructed by the business
  • Cannot use the data for its own purposes
  • Must assist the business in responding to consumer requests
  • Is not independently subject to consumer requests (with some exceptions)

Example: You run an e-commerce store (you're the business). You use a cloud hosting provider to store your data (they're the service provider). A consumer sends a deletion request to you. You process it and instruct your hosting provider to delete the data. The consumer doesn't send the request to the hosting provider directly.

However, the service provider classification requires a written contract with CCPA-specific provisions. Without the proper contractual language, your vendor might be classified as a "third party" rather than a service provider -- which has significant implications for data sharing and "sale" determinations.

CPRA added a third category: contractors. Contractors are similar to service providers but with additional restrictions and certification requirements. The distinction is technical, and for most small businesses, the practical difference is small -- but your contracts should specify which category each vendor falls into.

How to Determine Your Status: A Decision Tree

Walk through these questions:

1. Are you a for-profit business?

  • No: You're likely exempt. (But check whether you operate for-profit subsidiaries.)
  • Yes: Continue.

2. Do you collect personal information from California residents?

  • No: The CCPA doesn't apply.
  • Yes (or you're not sure): Continue.

3. Do you do business in California?

  • No, and you have no California customers: The CCPA doesn't apply.
  • Yes, or you have California customers: Continue.

4. Is your annual gross revenue over $25 million?

  • Yes: The CCPA applies to you.
  • No: Continue.

5. Do you annually buy, sell, or share personal information of 100,000+ California consumers or households?

  • Yes: The CCPA applies to you.
  • No: Continue.
  • Not sure: Do a data audit. Count your unique California consumers across all channels. If you're close to 100,000, assume you're covered or get legal advice.

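6. Do you derive 50%+ of revenue from selling/sharing California consumers' personal information?

  • Yes: The CCPA applies to you.
  • No: You don't meet any of the three thresholds, so the CCPA doesn't apply to you.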

Edge Cases and Common Confusions

"I'm based outside the U.S."

Doesn't matter. If you collect personal information from California residents and meet a threshold, the CCPA applies. Enforcement against international businesses is more complex, but the legal obligation exists.

"I only have a few California customers"

If you have a few California customers, you probably don't meet any threshold. But "a few" is relative. If you operate a national e-commerce business, your California customer count may be higher than you think. Do the math.

"I only collect data through cookies"

Cookie data (IP addresses, device identifiers, browsing behavior) is personal information under the CCPA. If you share this data with advertising or analytics partners, it counts toward the 100,000-consumer threshold. See our CCPA Cookie Compliance guide for details.

"I use a third-party platform (Shopify, Squarespace, etc.)"

Using a third-party platform doesn't exempt you from the CCPA. If you're the business that determines what data is collected and why, you're the "business" under the CCPA. Your platform provider is a service provider. You're still responsible for compliance.

"I'm a freelancer / sole proprietor"

The CCPA applies to "businesses," which includes sole proprietorships. If you meet the thresholds, you're covered. If you're a freelancer making under $25 million with fewer than 100,000 California clients... you're almost certainly not covered.

"My parent company / franchisor handles compliance"

Maybe, maybe not. If you're a separate legal entity (like a franchise), you may have independent CCPA obligations. If your parent company processes data on your behalf and has the appropriate agreements in place, they may handle some aspects. But the business that actually collects the personal information has the primary compliance obligation.

What Happens When You Cross a Threshold

If you've been below the thresholds and you grow past one, you need to get compliant. There's no official grace period built into the law, though practically speaking, the CPPA and AG have focused enforcement on businesses that clearly should have been compliant and weren't, rather than businesses in the process of ramping up.

Our recommendation: if you're approaching a threshold, start compliance work before you cross it. Building a DSAR process, updating your privacy policy, and reviewing vendor agreements takes time. Don't wait until you're already covered and the clock is ticking.

For a step-by-step compliance plan, see our CCPA Compliance Checklist. For the DSAR-specific process, see our CCPA DSAR Process guide.

The Bottom Line

The CCPA's applicability framework is threshold-based, which means many businesses are exempt. But the thresholds aren't as simple as they appear, and the definitions of "sell," "share," and "personal information" are broader than most business owners realize.

If you're clearly above a threshold, comply. If you're clearly below all of them, consider voluntary compliance as a competitive advantage and risk management strategy. If you're in the gray zone, get specific advice -- the cost of an hour with a privacy attorney is a lot less than the cost of getting it wrong.

Last reviewed: February 2026. Privacy laws change frequently. Verify all statutory references against the current text of the law and consult qualified legal counsel before making compliance decisions for your business.

