Applicability Test decisions under the US CCPA should be written in operational language: who is in scope, what must happen, what evidence proves it, and when escalation is needed.
This guide converts official requirements into scope, evidence, ownership, and review decisions for practical implementation, supporting implementation planning and should be validated against jurisdiction-specific legal, contractual, and policy requirements before implementation.
Structured answer sets in this page tree.
Cited legal and guidance references.
This page maps US CCPA obligations for the US CCPA applicability test to trigger conditions, accountable owners, required deadlines, evidence records, and review paths that product, legal, privacy, security, and compliance teams can apply.
Start by deciding whether the business is a 'business' under the CCPA: it must do business in California, collect consumers' personal information, determine the purposes and means of processing, and meet at least one threshold - annual gross revenues over $25 million, buy/sell/share the personal information of 100,000 or more consumers or households, or derive 50 percent or more of annual revenues from selling or sharing consumers' personal information.
If those criteria are met, the rest of the test should identify which CCPA obligation is triggered, such as notice at collection, privacy policy disclosures, consumer rights, do-not-sell/share controls, GPC handling, service-provider restrictions, or enforcement exposure. The useful answer should name the exact trigger, affected product or process, required action, owner, evidence, and escalation point.
Keep the California source, threshold calculation, notice text, consumer rights workflow, opt-out/GPC evidence, and service-provider contract record together so the CCPA decision can be reviewed later.
Ownership should sit with the team that can change notices, request intake, ad-tech settings, vendor contracts, data retention, or consumer-facing controls, with privacy/legal review for ambiguous cases.
Evidence should show threshold calculations, notice-at-collection placement, privacy-policy disclosures, rights request logs, opt-out/GPC handling, vendor restrictions, and enforcement-response readiness.
Most CCPA mistakes happen at the boundary between a business, service provider, contractor and third party, or between selling, sharing, financial incentives, minors, GPC, and data-broker obligations.
Apply this section before launching a collection point, ad-tech flow, rights workflow, vendor onboarding, financial incentive, minor-focused journey, or data-broker process.
Use a CCPA workflow that captures threshold status, data category, collection point, consumer right, opt-out or GPC trigger, vendor role, evidence, owner, and review date.
The output should be a threshold note, notice update, consumer rights request decision, opt-out/GPC record, vendor clause map, dark-pattern review, or enforcement evidence pack.
This US CCPA guide turns Applicability Test into owners, evidence requests, review checkpoints, and reusable operating records inside Sorena.
Turn Applicability Test into scoped questions, evidence fields, and review tasks.
Use Research Copilot to answer follow-up questions with cited source material.
Review scope, evidence, owners, and the next compliance actions with Sorena.
"The CCPA requires business privacy policies to include information on consumers' privacy rights and how to exercise them"
"On March 29, 2023, the Office of Administrative Law approved the California Privacy Protection Agency's regulations and filed"
"How to Implement Global Privacy Control (GPC) for Publishers Engineering Lead for Privacy & Security Compliance Assistant Professor"
"For more information on policies of the IAB CCPA Compliance Framework, visit <"
"--- CA PRIVACY PROTECTION AGENCY - TEXT OF REGULATIONS (CCPA Updates, Cyber, Risk, ADMT, and Insurance Regulations) Page"
"The GPP is the only privacy signaling mechanism available to signal consumer privacy choices for all US states"