Regulations

CCPA Who Does It Apply To? A 2026 Scope Guide for Businesses

DataShyre Staff
DataShyre Staff Jun 25, 2026
5 min read

CCPA Who Does It Apply To? A 2026 Scope Guide for Businesses

If you are searching ccpa who does it apply to, the short answer is this: the law does not just target Big Tech. It applies to for-profit businesses that do business in California, decide why and how personal information is processed, and meet at least one of the law’s thresholds. That sounds simple. In practice, teams still get this wrong when they focus only on company size and ignore data volume, ad-tech sharing, or employee and vendor data.

CCPA scope illustration showing a California business threshold checklist and subtle DataShyre.com branding

If you need the broader rights picture after this scoping check, start with our guide to California consumer privacy. If your team is balancing U.S. and EU programs, this GDPR vs. CCPA comparison helps separate what overlaps from what does not.

CCPA who does it apply to: the short answer

The California Privacy Protection Agency FAQ and Civil Code section 1798.140 line up on the core test. A covered business is generally a for-profit company that collects personal information, decides the purposes and means of processing, does business in California, and meets at least one threshold:

  • annual gross revenue of at least $26.625 million for the preceding calendar year, using the current CPI-adjusted threshold
  • annual buying, selling, or sharing of personal information of 100,000 or more consumers or households
  • 50% or more of annual revenue derived from selling or sharing consumers’ personal information

The CPPA also says the CCPA can reach certain entities controlled by a covered business, some joint ventures, and parties that voluntarily certify themselves as subject to the law. Service providers and contractors are not off the hook either; they have separate duties under the same regime.

A practical four-part test for business teams

1. Are you a for-profit business?

This is the first gate. The CPPA says the CCPA does not generally apply to nonprofits or government agencies. That said, many operating teams stop here too early. If you sit inside a for-profit group structure with shared branding or common control, the analysis may not stop with the entity name on the contract.

2. Do you decide why and how the data is processed?

This is the part that separates a business from a vendor acting only on instructions. If your team chooses the purpose, the audience, the retention period, or the monetization model, you are probably closer to the business side of the line than the processor side.

3. Do you do business in California?

You do not need a California headquarters for this question to matter. If you regularly market to, sell to, or otherwise operate with California residents, assume the issue deserves an actual scoping review instead of a shrug.

4. Do you meet one of the thresholds?

This is where ccpa who does it apply to usually stops being theoretical. Plenty of companies are under the revenue threshold and still land inside the law because they buy, sell, or share data at scale. Others clear the revenue threshold without realizing the number was raised from $25 million to $26.625 million effective January 1, 2025.

There is another easy miss here: the CPPA says California residents include employees, job applicants, and contacts for customers, vendors, and independent contractors. And the old employee and business-to-business exemptions expired on December 31, 2022. So if your business is covered, those datasets cannot be waved away as legacy exceptions.

Why this question matters more in 2026

California’s updated CCPA regulations took effect on January 1, 2026. When the rules were finalized, CPPA General Counsel Phil Laird said they would “provide clarity for businesses.” That is true, but it also means there is less room now for fuzzy scoping and half-built workflows.

The enforcement trend is just as direct. In California’s February 11, 2026 Disney settlement, Attorney General Rob Bonta said businesses cannot force people to “go device-by-device or service-by-service” to opt out. That matters for any company that treats privacy choice as a front-end widget while the back-end data flows keep running.

In the May 8, 2026 General Motors settlement, Bonta said companies cannot “hold on to data and use it later for another purpose.” That is a scoping issue as much as a retention issue. Once a company is covered, California is looking past the privacy notice and into the real operating model.

Editorial checklist graphic showing CCPA scope questions, employee and vendor data, ad-tech sharing, and subtle DataShyre.com branding

The most common scope mistakes

Assuming “small” means out of scope

A mid-market brand with a large web audience, several ad partners, and aggressive analytics can cross the 100,000-consumer threshold faster than leadership expects.

Ignoring employee and B2B data

This is still one of the easiest ways to age your compliance memo overnight. If your company is covered, HR systems, applicant workflows, and vendor-contact records belong in the review.

Treating exempt data as a blanket exemption

The CPPA notes that some information remains exempt, including certain medical information and consumer credit reporting information. That does not mean the whole company is exempt. It usually means the analysis has to be more precise.

Thinking consent tooling answers the scope question

A banner or preference center can help with compliance, but it does not answer whether the law applies in the first place. Scope comes first. Tooling comes after.

Bottom line

The cleanest answer to ccpa who does it apply to is this: if you are a for-profit business touching California residents’ data and you meet a revenue, data-volume, or data-monetization threshold, you should assume the law is in play until counsel or privacy ops proves otherwise.

That is why the best scoping exercise is not a one-line legal conclusion. It is a cross-functional check across revenue, web traffic, ad-tech sharing, HR data, vendor data, and retention practices. Get that right, and the rest of your California privacy work becomes much easier to prioritize.

Sources

  • California Privacy Protection Agency
  • California Legislative Information
  • California Department of Justice
DataShyre Platform

Ready to fix your privacy program?

Join 3,500+ businesses using DataShyre to automate consent management, DSR fulfillment, and compliance — without the complexity.