A Practical Guide to When Does the CCPA Apply

In practice, when does the CCPA apply? The short answer is: when a covered for-profit business does business in California, collects California residents' personal information, and meets at least one statutory threshold.

The longer answer matters because routine analytics and advertising practices can contribute to the analysis. A company does not need to be headquartered in California to have California privacy obligations.

The Core Applicability Test

The California Privacy Protection Agency's FAQ lists the main thresholds for a covered business. As of the CPPA's current public FAQ, the law applies to for-profit businesses doing business in California that collect California residents' personal information and meet at least one of these conditions:

• Gross annual revenue of $26.625 million or more for the preceding calendar year, effective January 1, 2025.
• Buy, sell, or share the personal information of 100,000 or more California residents or households.
• Derive 50% or more of annual revenue from selling or sharing California residents' personal information.

Because the revenue number is adjusted for inflation, verify the current figure with the CPPA rather than copying old "$25 million" language. The agency publishes updated monetary thresholds and FAQs (CPPA threshold update, CPPA FAQ).

"Doing Business in California" Is Broader Than Having an Office

A company outside California can still fall within scope if it does business in the state, collects California residents' personal information, and meets a threshold. For web businesses, California users may arrive through search, paid ads, social media, SaaS signups, ecommerce orders, newsletters, or app accounts.

Practical indicators include:

• Selling products or subscriptions to California residents.
• Targeting ads to California.
• Having California customers or users.
• Shipping goods to California.
• Offering services available to California residents.
• Collecting analytics data from California visitors at scale.

If you are close to a threshold, get legal advice. Scope decisions can affect privacy notices, opt-out links, contracts, and data rights workflows.

What Counts as Personal Information?

The CCPA definition is broad. Personal information can include identifiers, online identifiers, IP addresses, browsing history, search history, geolocation data, commercial information, and inferences. The California Attorney General's CCPA page summarises consumer rights and links to the legal framework (California OAG).

For analytics teams, this means personal information may include:

• Cookie identifiers.
• Device identifiers.
• IP-derived location.
• Pageview histories.
• Campaign parameters.
• Account-linked product events.
• Cross-context advertising data.

Even if the dashboard is aggregated, the underlying data pipeline may process personal information.

How Analytics Can Affect Thresholds

The 100,000 consumer or household threshold is the one many digital teams overlook. High-traffic websites can reach that number through ordinary visits. If analytics, pixels, or tag managers collect personal information from California residents, those visitors may count toward data-volume analysis.

The sale/share threshold is also important. "Sharing" under the CPRA is tied to cross-context behavioural advertising. If you disclose personal information to ad platforms for retargeting or audience building, you may have opt-out obligations even if no money changes hands.

Common Exemptions and Limits

The CCPA does not apply to every organization or every data type. Government agencies and many nonprofits are generally outside the core business definition. Some information regulated by sector-specific laws may be exempt or treated differently. Employment and business-contact contexts have changed under the CPRA and should be reviewed carefully rather than assumed exempt.

Do not rely on a generic exemption list without checking current law and the specific data flow.

A Website Owner's Scope Checklist

Use this assessment:

1. Are we a for-profit entity?
2. Do we do business in California?
3. Do we collect California residents' personal information?
4. Are we above the current revenue threshold?
5. Do we buy, sell, or share personal information of 100,000 or more California residents or households?
6. Do we derive 50% or more revenue from selling or sharing personal information?
7. Do our analytics or advertising tools disclose data to third parties?
8. Do we use cross-context behavioural advertising?
9. Do we honor opt-out preference signals where required?
10. Are our privacy policy and contracts current?

Why Privacy-First Analytics Helps

If your analytics setup avoids cookies, persistent identifiers, full IP storage, cross-site profiling, and advertising data sharing, the CCPA analysis becomes simpler. You may still be a covered business because of other operations, but the analytics system itself creates fewer obligations and fewer user-rights edge cases.

For growing companies, that is the strategic point. Design analytics so it answers business questions without pushing you closer to avoidable privacy thresholds or "sale/share" complexity.

How to estimate visitor thresholds

Do not wait until year-end to estimate whether the 100,000 consumer or household threshold might matter. Use a conservative monthly review for California traffic. Combine web analytics, server logs, account signups, newsletter records, and ad-platform audiences where relevant. Deduplicate only when you have a defensible method; overconfident deduplication can hide risk.

Also separate collection from sharing. A high-traffic site using first-party aggregate analytics may have a different obligation profile from a lower-traffic site that sends identifiers to ad networks for cross-context behavioral advertising. Keep a simple note beside each major tracker: collects personal information, shares for advertising, honors opt-out, and supports deletion. That makes scope analysis much easier when the business grows.

CCPA Scope Review Checklist

Review the scope question quarterly if California traffic, ad spend, revenue, or audience size is growing. Check the current CPPA threshold page, estimate California consumers or households conservatively, and separate ordinary collection from sale or sharing for cross-context behavioral advertising.

For analytics, review advertising pixels, tag-manager destinations, server-side conversion APIs, enrichment vendors, event properties, opt-out links, Global Privacy Control handling, sensitive-data limits, vendor contracts, and retention. If aggregate analytics answers the business question, use that instead of visitor-level sharing.