Who must comply with CCPA?

Asked by: Geo Gaylord  |  Last update: July 8, 2026
Score: 4.2/5 (68 votes)

The California Consumer Privacy Act (CCPA), as amended, applies to for-profit entities that do business in California, collect California residents' personal information, and meet one of three thresholds: $26.625+ million gross annual revenue (as of 2025), buying/selling/sharing data of 100,000+ residents, or deriving 50%+ revenue from selling/sharing data.

Who is required to comply with CCPA?

The CCPA applies to for-profit businesses that do business in California and meet any of the following: Have a gross annual revenue of over $25 million; Buy, sell, or share the personal information of 100,000 or more California residents or households; or.

Which organizations must comply with the CCPA?

The California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), applies to for-profit entities that do business in California, collect California residents' personal information, and meet one of these thresholds: $25M+ gross annual revenue; buys/sells/shares personal info of 100,000+ residents/households; or derives 50%+ of revenue from selling/sharing data.

What thresholds determine if a business must comply with the CCPA?

A business must comply with the CCPA if it has over $25 million in annual revenue, processes data from 100,000+ California residents, or derives more than 50% of its revenue from selling personal data.

Who is required to comply with the privacy act?

The Privacy Act of 1974 (5 U.S.C. § 552a) applies to records about U.S. citizens and lawful permanent residents maintained by federal agencies within the executive branch. It regulates how these agencies collect, maintain, and disclose personal information in a "system of records".

Which Businesses Must Comply With CCPA?

15 related questions found

Who must comply with the privacy rule?

The HIPAA Privacy Rule applies to "covered entities"—specifically health plans, health care clearinghouses, and health care providers who transmit health information electronically—and their business associates. These entities must protect individuals' medical records and personal health information (PHI).

Can my personal data be shared without permission?

Sharing data about anyone without a lawful basis is unlawful, but there are specific regulations to protect children online and their data needs greater protection. For example, it's unlawful to sell on children's personal data for commercial re-use.

What is exempt from CCPA?

Legal obligations

Information that businesses must collect or retain to comply with state or federal laws is exempt from the CCPA. This includes records required for regulatory inquiries, subpoenas, or litigation. Businesses must ensure that such data is used strictly for its legal purpose.

What is the 4-hour rule in California?

The "4-hour rule" in California, officially known as Reporting Time Pay, requires employers to pay non-exempt employees for at least half of their scheduled shift—up to a maximum of 4 hours—if they report to work but are sent home early or given less than half their expected work. This law, found in Industrial Welfare Commission Wage Orders, ensures compensation for showing up, regardless of the hours actually worked.

Does the CCPA apply to small businesses?

What businesses does the CCPA apply to? The CCPA applies to for-profit businesses that do business in California and meet any of the following: Have a gross annual revenue of over $25 million; Buy, sell, or share the personal information of 100,000 or more California residents or households; or.

What organizations do not comply with CCPA and CPRA may be subject to?

Organizations that do not comply with the CCPA and CPRA may be subject to civil penalties, administrative fines, private lawsuits, and injunctive relief. Penalties can reach up to $2,500 per unintentional violation and up to $7,500 per intentional violation or violations involving minors.

How to ensure CCPA compliance?

To comply with the California Consumer Privacy Act (CCPA), businesses must map data, update privacy policies annually, provide a "Do Not Sell or Share My Personal Information" link, and honor consumer requests to delete or access data within 45 days. Key requirements include providing notice at collection, offering opt-out mechanisms, and training employees on data privacy.

Who is not required to comply with HIPAA?

Entities not required to comply with HIPAA are those that do not qualify as covered entities (healthcare providers, plans, or clearinghouses) or their business associates. Common examples exempt from HIPAA include employers, life insurers, schools, most law enforcement, and consumer-facing fitness apps.

What are the criteria for CCPA?

The CCPA applies to for-profit businesses that do business in California, collect California residents' data, and meet one of these thresholds: >$25 million gross annual revenue, >50% revenue from selling/sharing personal info, or >100,000 consumers/households' data bought/sold/shared annually. It grants rights to access, delete, and opt-out of data sales.

What is the 25 million threshold for CCPA?

Annual gross revenue that exceeds $25 million (adjusted for inflation); Annually buy, share, or sell the personal information of more than 100,000 consumers or households; or. Derive 50% or more of annual revenues from selling or sharing consumers' personal information.

Does CCPA apply to all states?

The California Consumer Privacy Act (CCPA) does not apply to all states as a federal law, but it has broad extraterritorial reach. It protects California residents' data, regardless of where the business is located, if the company does business in California and meets specific revenue or data processing thresholds.

What is the 7 day rule in California?

In California, the "7-day rule" (or day of rest law) dictates that non-exempt employees are entitled to one day of rest every workweek, and employers cannot force them to work more than six days in a row. However, employees may voluntarily work all seven days. If a seventh consecutive day is worked in a single workweek, the first eight hours are paid at time-and-a-half (1.5×), and any hours over eight are paid at double-time (2×).

Is 9 to 5 still a thing?

The traditional 9-to-5, 40-hour workweek is largely considered a relic of the past, often replaced by longer 8-to-5 (8.5-hour) schedules, hybrid work, or flexible, hourly roles. While the concept of a fixed, full-time workday still exists in some sectors, it has largely evolved into more flexible, or conversely, more demanding "always-on" structures.

Are there exceptions to the 4-hour rule?

While the 4-hour minimum shift law provides strong protections, there are certain exceptions where an employer does not have to pay reporting time wages. These include: Utility emergencies like burst pipes, flooding, gas leaks, electrical outages, or technology failures that stop work from happening.

Do I need to comply with CCPA?

Buy, sell, or share the personal information of 100,000 or more consumers or households. Derive 50% or more of your annual revenue from selling or sharing consumers' personal information. Businesses that meet certain thresholds must comply with the CCPA.

What are some examples of CCPA violations?

A business that operates a chain of grocery stores failed to disclose information about its collection and use of consumer personal information in a privacy policy, failed to provide notice of consumers' CCPA rights, including the right to know, delete, and to not be discriminated against, and did not inform consumers ...

Who can enforce CCPA?

The California Privacy Protection Agency's (Agency) mission is to protect consumer privacy, ensure businesses and consumers are well–informed about their rights and obligations, and vigorously enforce the California Consumer Privacy Act (CCPA).

Can I legally look at my wife's text messages?

Accessing your wife's text messages without her permission is generally illegal and violates federal or state privacy laws, such as the Stored Communications Act, even if you are married or own the phone account. Sneaking onto her phone to read private messages can lead to criminal charges or civil lawsuits and such evidence is often inadmissible in court.

What personal information Cannot be shared?

Sharing sensitive information such as your address, phone number, family members' names, car information, passwords, work history, credit status, social security numbers, birth date, school names, passport information, driver's license numbers, insurance policy numbers, loan numbers, credit/ debit card numbers, PIN ...

Is breaking confidentiality a felony?

Any violation of this paragraph shall be a felony punishable by a fine in any amount not exceeding $5,000, or imprisonment of not more than 5 years, or both, together with the costs of prosecution."