--- title: "CPRA Applicability Test" canonical_url: "https://www.sorena.io/artifacts/us/cpra/applicability-test" source_url: "https://www.sorena.io/artifacts/us/cpra/applicability-test" author: "Sorena AI" description: "Confirm California scope and then identify which CPRA specific obligations activate." keywords: - "CPRA applicability test" - "CPRA scope" - "California privacy thresholds" - "CPRA SPI trigger" - "CPRA" - "Applicability Test" - "California privacy" --- **[SORENA](https://www.sorena.io/)** - AI-Powered GRC Platform [Home](https://www.sorena.io/) | [Solutions](https://www.sorena.io/solutions) | [Artifacts](https://www.sorena.io/artifacts) | [About Us](https://www.sorena.io/about-us) | [Contact](https://www.sorena.io/contact) | [Portal](https://app.sorena.io) --- # CPRA Applicability Test Confirm California scope and then identify which CPRA specific obligations activate. *Applicability* *CPRA* ## California CPRA Applicability Test Grounded in the California statute, CPPA regulations, and the 2026 California rule changes. A CPRA applicability test should answer both whether the business is in scope and which special California workstreams must be built on top of the baseline programme. ## Threshold analysis The same California business thresholds remain the starting point: more than 25 million dollars in annual gross revenue, 100,000 or more consumers or households, or 50 percent of annual revenue from selling or sharing personal information. - Record the threshold met and the underlying calculation - Check exemptions by dataset rather than assuming the whole business is exempt - Map affiliated entities that may affect the business analysis - Revalidate the result after acquisitions, new adtech, or rapid growth ## CPRA specific trigger review After scope is confirmed, identify whether the business uses or discloses sensitive personal information outside permitted purposes, sells or shares information, relies on service providers or contractors, or runs processing that may trigger risk assessment, cybersecurity audit, or ADMT obligations. - Identify all SPI categories and the purposes attached to them - List every sale, sharing, and cross context advertising flow - Review whether contract forms are current - Assess whether any processing appears in the California risk assessment or audit trigger set ## Evidence pack The output should be a living scope and trigger register that explains not only why the business is covered, but also why certain CPRA workstreams do or do not apply. - Maintain a versioned register for SPI, rights, contracts, and assessment triggers - Link the register to notices, contracts, and the data map - Escalate borderline assessment trigger decisions to privacy and security together - Review the register whenever California rulemaking changes *Recommended next step* *Placement: after the applicability result* ## Turn California CPRA Applicability Test into an operational assessment Assessment Autopilot can take California CPRA Applicability Test from deciding whether these obligations apply in practice to a reusable workflow inside Sorena. Teams working on California CPRA can keep owners, evidence, and next steps aligned without copying this guide into separate documents. - [Open Assessment Autopilot for California CPRA Applicability Test](/solutions/assessment.md): Start from California CPRA Applicability Test and turn the guidance into owned tasks, evidence requests, and review checkpoints. - [Talk through California CPRA](/contact.md): Review your current process, evidence gaps, and next steps for California CPRA Applicability Test. ## Primary sources - [CPPA regulations](https://cppa.ca.gov/regulations/?ref=sorena.io) - Official California regulations hub. - [California privacy statute effective January 1, 2026](https://cppa.ca.gov/regulations/pdf/ccpa_statute_2026.pdf?ref=sorena.io) - Current statutory text as reflected in CPPA materials. - [CPPA FAQ](https://cppa.ca.gov/faq.html?ref=sorena.io) - Official California FAQ. - [CPPA CCPA updates](https://cppa.ca.gov/ccpa_updates.html?ref=sorena.io) - Rulemaking and effective date updates. ## Related Topic Guides - [CPPA Regulations Tracker | California Rulemaking Tracker](/artifacts/us/cpra/cppa-regulations-tracker.md): Track the California rules that changed the operating baseline in 2026 and the related regulator outputs. - [CPRA Checklist | California Privacy Rights Act Checklist](/artifacts/us/cpra/checklist.md): Track the California privacy workstreams that changed under CPRA and the 2026 rules. - [CPRA Compliance Program | California Operating Model](/artifacts/us/cpra/compliance.md): Run a California programme that can absorb ongoing CPPA rules without constant redesign. - [CPRA Consumer Rights Workflow | California Rights Operations](/artifacts/us/cpra/consumer-rights-workflow.md): Run California rights operations across delete, correct, know, opt out, and limit. - [CPRA Contracts, Contractors, and Service Providers](/artifacts/us/cpra/contracts-contractors-and-service-providers.md): Draft California recipient contracts that support both baseline CPRA compliance and the newer assurance obligations. - [CPRA Deadlines and Compliance Calendar | California Privacy Calendar](/artifacts/us/cpra/deadlines-and-compliance-calendar.md): Use the dates that matter for the current California privacy regime. - [CPRA FAQ | Practical California Privacy Rights Answers](/artifacts/us/cpra/faq.md): Answer the California questions that stall CPRA implementation decisions. - [CPRA Penalties and Fines | California Enforcement Exposure](/artifacts/us/cpra/penalties-and-fines.md): Understand what makes California exposure larger, faster, and harder to defend. - [CPRA Requirements | California Control Requirements](/artifacts/us/cpra/requirements.md): Translate the current California regime into control statements that teams can build and test. - [CPRA Risk Assessment Template | California Risk Assessment Guide](/artifacts/us/cpra/cpra-risk-assessment-template.md): Use a California specific template that matches the current rule structure instead of a generic DPIA form. - [CPRA Risk Assessments and Cybersecurity Audits | California Assurance Guide](/artifacts/us/cpra/risk-assessments-and-cybersecurity-audits.md): Prepare for the California assurance duties that now have real structure, timing, and evidence requirements. - [CPRA Sensitive Personal Information | California SPI Guide](/artifacts/us/cpra/sensitive-personal-information.md): Handle SPI with the level of design and evidence the California rules now expect. - [CPRA vs CCPA | What Actually Changed in California Privacy](/artifacts/us/cpra/ccpa-vs-cpra.md): A practical CPRA vs CCPA delta guide grounded in the current California statute, CPPA regulations, Proposition 24, and official agency guidance. - [CPRA vs Colorado Privacy Act | State Privacy Comparison](/artifacts/us/cpra/cpra-vs-colorado-privacy-act.md): Compare the California and Colorado models before reusing a state privacy template across both. - [CPRA vs Virginia VCDPA | State Privacy Comparison](/artifacts/us/cpra/cpra-vs-virginia-vcdpa.md): Compare California and Virginia privacy models before reusing contracts or request flows across both. --- [Privacy Policy](https://www.sorena.io/privacy) | [Terms of Use](https://www.sorena.io/terms-of-use) | [DMCA](https://www.sorena.io/dmca) | [About Us](https://www.sorena.io/about-us) (c) 2026 Sorena AB (559573-7338). All rights reserved. Source: https://www.sorena.io/artifacts/us/cpra/applicability-test