US CCPA Thresholds

Teams should treat Thresholds under the US CCPA as a source-linked operating decision: first check whether the organization meets the definition of a business by doing business in California and satisfying at least one of these thresholds - annual gross revenues in excess of $25 million in the preceding calendar year, annually buying, selling, or sharing the personal information of 100,000 or more consumers or households, or deriving 50 percent or more of annual revenues from selling or sharing consumers' personal information. If a company does not meet one of those thresholds, it may still be covered if it controls or is controlled by a business and shares common branding with it and shares consumers' personal information, or if it is a joint venture or partnership in which each business has at least a 40 percent interest, or a person that voluntarily certifies compliance to the California Privacy Protection Agency.

Once the threshold test is met, confirm which CCPA duties apply at the collection point, including notice at collection, privacy policy disclosures, consumer rights, do-not-sell/share controls, GPC, service-provider restrictions, and enforcement exposure, then assign the team that can change the process and keep evidence showing the action and review trigger.

The safest first step is to identify the collection point, consumer right, sale/share status, GPC signal, vendor role, and applicable threshold before assigning the CCPA action.

Useful evidence is not just a privacy policy. Keep the source, threshold notes, notice screenshots, request logs, opt-out/GPC tests, vendor terms, and approval trail together.

The common failure pattern is treating CCPA as one static notice instead of checking each collection point, sale/share flow, consumer request, GPC signal, and vendor restriction against current source material.