
CCPA for small businesses: who needs to comply?

The California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), is the most significant US privacy law to date. Unlike GDPR, which applies broadly based on processing activities, CCPA uses specific revenue and data volume thresholds. This means many small businesses are genuinely exempt — but you need to check the thresholds carefully rather than assuming exemption.

Who needs to comply with CCPA?

CCPA applies to for-profit businesses that collect personal information from California residents and meet at least one of these three thresholds:

  • Annual gross revenues exceeding $25 million
  • Annually buy, sell, receive, or share for commercial purposes the personal information of 100,000 or more California consumers or households
  • Derive 50% or more of annual revenues from selling or sharing consumers' personal information

If your business does not meet any of these thresholds, CCPA does not technically apply. A small online course business with revenues under $25 million and fewer than 100,000 California customers is almost certainly exempt. However, if you run a free platform with a large user base that monetises through advertising, reaching 100,000 California consumers or households is very achievable even for a modest operation.

Non-profit organisations and businesses that only operate outside California are also generally exempt, though the latter exemption is narrowing as US privacy law expands to other states.

What CCPA requires if it applies to you

If you are in scope, CCPA grants California residents several key rights:

  • Right to know — consumers can request a list of what personal information you have collected about them in the past 12 months
  • Right to delete — consumers can request deletion of their personal information, with some exceptions
  • Right to opt out of sale or sharing — you must include a "Do Not Sell or Share My Personal Information" link if you sell or share data for advertising
  • Right to correct — consumers can request correction of inaccurate personal information
  • Right to limit use of sensitive personal information — specific categories (health data, financial data, precise geolocation) have additional restrictions
  • Right to non-discrimination — you cannot penalise consumers who exercise their rights

How CCPA differs from GDPR

The core conceptual difference is that GDPR requires a positive lawful basis before you process personal data, while CCPA operates on an opt-out model: you can collect and use data unless the consumer tells you not to. CCPA is also narrower in geographic scope: it applies to California residents rather than to all EU/UK data subjects. The practical overlap is in the area of privacy notices and data subject request handling, where both laws require similar disclosures and response mechanisms. If you are already GDPR-compliant, adapting for CCPA is primarily a matter of updating your privacy policy language and adding CCPA-specific opt-out mechanisms.
