CCPA Ready · Small business

US state privacy (CCPA/CPRA) for small businesses: does it apply to you?

CCPA/CPRA (California) plus 10+ newer state laws require a privacy notice, a "Do Not Sell or Share" link, honoring opt-out signals, and consumer data rights. Check yours.

Does business size change anything?

📐 The honest answer: CCPA/CPRA only applies above thresholds: roughly $25M+ annual revenue, the personal data of 100k+ California consumers/households, or 50%+ of revenue from selling or sharing personal data. Many small businesses fall below all three and are exempt — but confirm, because crossing any one threshold pulls you in.

What it requires

If it applies to you, here's what you need — these are the points small businesses most often miss:

Published privacy notice, reviewed in the last 12 months?
Do you sell or 'share' personal info (incl. ad cookies)?
Do you honor opt-out preference signals (GPC)?
Can consumers request access/deletion/correction?
Do you disclose data categories + purposes?
Discounts in exchange for data (loyalty)?
Do you avoid penalizing users who exercise rights?

What's at stake

⚠️ Exposure: $2,500/violation — $7,500 if intentional or a minor · Status: In force. Regulators and plaintiffs do go after small businesses — being small is not a defence.

Compare the penalty for every rule →

Common questions

Does uS state privacy (CCPA/CPRA) apply to small businesses?

CCPA/CPRA only applies above thresholds: roughly $25M+ annual revenue, the personal data of 100k+ California consumers/households, or 50%+ of revenue from selling or sharing personal data. Many small businesses fall below all three and are exempt — but confirm, because crossing any one threshold pulls you in.

Does CCPA apply to my business?

California's CCPA/CPRA applies above certain thresholds (revenue, data volume, or selling data), and 10+ other states have similar laws. If you sell to US consumers and collect personal data or use targeted ads, you likely need a notice and opt-out.

What is a 'Do Not Sell or Share' link?

A clear, account-free link (often "Your Privacy Choices") letting consumers opt out of the sale or sharing of their personal information — including cross-context behavioural advertising cookies.

What is GPC and do I have to honor it?

Global Privacy Control is a browser opt-out signal. Under CPRA and several state laws you must treat it as a valid opt-out of sale/sharing.

The source

RuleGoose checks this against the California CCPA/CPRA + US state privacy laws. Read it yourself: California AG — CCPA →

Find out in 60 seconds — free.
The checker tells you whether you're in scope and exactly what's missing. No signup, runs in your browser. Run the CCPA Ready checker →

or read the full US state privacy (CCPA/CPRA) guide, or get one RuleGoose Score across every rule.

Informational only, not legal advice, and not affiliated with California or the FTC. Thresholds can change and be fact-specific — confirm against the cited source. Last reviewed 2026-06-30.