When Does the CCPA Apply? Understanding California's Privacy Law Scope

The CCPA does not apply to every business. Understanding its scope is critical for determining whether your organization has obligations under California's privacy law.

Who Is Covered

The CCPA applies to for-profit businesses that collect personal information of California residents and meet at least one of these thresholds: annual gross revenue exceeding $25 million, buying/selling/sharing personal information of 100,000 or more consumers or households annually, or deriving 50% or more of annual revenue from selling or sharing personal information.

Who Is Exempt

Government agencies, nonprofits, and businesses that do not meet the thresholds are generally exempt. The CCPA also does not apply to employee data or business-to-business data, though the CPRA has introduced some protections in these areas.

Geographic Scope

The CCPA protects California residents regardless of where the business is located. A company in New York, London, or Tokyo that collects data from California residents and meets the thresholds must comply.

What Triggers Obligations

Even organizations that do not directly serve California may be covered if their websites are accessible to California residents and they meet the volume or revenue thresholds. Using analytics tools that share data with third parties can contribute to meeting these thresholds.

Practical Assessment

Organizations should audit their data practices to determine whether they fall within the CCPA's scope. The thresholds can be met through routine web analytics and advertising activities that many organizations do not consider "selling" data.