Does CCPA Apply to Your Business? [2026 Guide]
Free applicability checker with statutory citations — covers CCPA/CPRA scope, obligations, and penalties.
About CCPA/CPRA
The California Consumer Privacy Act (CCPA), amended and strengthened by the California Privacy Rights Act (CPRA), is California's comprehensive consumer privacy law. It grants California consumers significant rights over their personal information and imposes obligations on businesses that meet certain thresholds.
Who it applies to: CCPA/CPRA applies to for-profit businesses that do business in California and meet at least one of three thresholds: annual gross revenue exceeding $26.625 million (2026 CPI-adjusted); annual buying, selling, or sharing personal information of 100,000 or more consumers or households; or deriving 50% or more of annual revenue from selling or sharing personal information.
Important: Non-profit organisations and government agencies are not covered by CCPA/CPRA. However, any for-profit business anywhere in the world that does business in California and meets one of the thresholds is covered — including non-California businesses.
The CPRA amendments, which took full effect January 1, 2023, strengthened the law significantly, creating the California Privacy Protection Agency (CPPA) as an independent enforcement body and adding new rights including the right to correct inaccurate data and the right to limit use of sensitive personal information.
Key obligations under CCPA/CPRA
Frequently asked questions
Does CCPA apply to businesses outside California?
Yes. CCPA applies to any for-profit business that does business in California and meets one of the thresholds — regardless of where the business is located. A New York company, a UK company, or an Australian company that has California customers and meets the revenue or data volume threshold is subject to CCPA.
Does CCPA apply to small businesses?
CCPA has a revenue threshold of $26.625 million (2026 adjusted) and a data volume threshold of 100,000 consumers. Small businesses that do not meet any of the three thresholds are not covered. However, if a small business derives 50% or more of its revenue from selling personal information, it is covered regardless of total revenue.
What is the difference between CCPA and CPRA?
The CPRA (California Privacy Rights Act, passed November 2020) is an amendment and expansion of the CCPA. Key CPRA additions include: a new sensitive personal information category with opt-out rights; the right to correct; data minimisation requirements; establishment of the CPPA as an independent enforcement body; and new obligations for automated decision-making. Both are now referred to together as CCPA/CPRA.
What does "selling personal information" mean under CCPA?
Under CCPA, "sale" is broadly defined to include any disclosure of personal information for monetary or other valuable consideration. This includes data broker arrangements, sharing data with advertisers for targeted advertising, and other exchanges where data is traded for value. The CPRA added "sharing" as a separate category covering sharing personal information for cross-context behavioural advertising.
What are the CCPA penalties in 2026?
The CCPA provides for civil penalties of up to $2,500 for unintentional violations and $7,988 for intentional violations (2026 CPI-adjusted). There is also a private right of action for data breaches, with statutory damages of $100–$750 per consumer per incident, or actual damages if greater.
Not sure if CCPA/CPRA applies?
Run the full assessment — covers all major privacy laws with exact statutory citations. Free, no account required.
Start free assessment →Not legal advice — educational information only