CCPA applicability comes down to three thresholds, all of them numerically precise. $26.625 million in revenue. Buying, selling, or sharing data of 100,000 or more California residents. 50% of revenue from sales of that data. The edges are mathematically sharp. But what counts toward them? That’s where the edges blur.
You hit $25 million in worldwide gross revenue, selling industrial machinery in Colorado, consulting services in Texas, and you’re in, even if your site just sees 200 California visitors a year.
You stay at $24.9 million but run a media site with 800,000 California visitors tracked through cookies and retargeting pixels. Also in.
You’re at $15 million revenue with 60,000 consumers, convinced you’re clear on both counts, but if 51% of your income comes from programmatic ads targeted at California residents, you’re still possibly in.
This guide breaks down what actually counts toward each threshold and how to assess whether your website operations are pushing you over or under the thresholds.
The three thresholds that trigger CCPA
Under the CPRA-amended CCPA, a business is defined as a non-profit entity that collects or processes customer information, does business in California, or meets the thresholds stated by CCPA around revenue and volume.
Threshold 1: $26.6 million in annual gross revenue will bring you in scope
A key point to note here is that the entire global revenue counts towards this threshold. This means that a business that brings in a major share of its revenue selling services or products in other states or countries would still be under CCPA’s scope, even if California residents make up a fraction of their sales.
Threshold 2: Buying, selling, or sharing the personal information of 100,000 or more California residents
The threshold, 100,000, includes visitors from the website, existing customers, registered users, and even transient prospects that are tracked via cookies or other identifiers.
However, that’s not the complete story; the way California defines selling, sharing, or buying brings most businesses in scope. As per the statute, selling includes renting, releasing, disclosing, disseminating, making available, or communicating personal information of California residents in exchange for monetary or other forms of valuable gains.
Technically, that means that even if you don’t sell data labeled under “data purchase”, you can still be in scope. Even transmitting visitor information to an analytics platform and receiving targeting insights, audience segmentation, or measurement dashboards in return constitutes valuable consideration. The value doesn’t have to be monetary; it just has to benefit your business.
Their definition of sharing closes the gaps further. Sharing means disclosing personal information to third parties for cross-context behavioral advertising. So standard business operations like syncing data with advertising networks, analytics vendors, or third-party marketing platforms fall squarely under this threshold.
It’s important to notice the buying part, too. If you purchase lead lists, acquire marketing data from brokers, or pull in third-party audience segments, those inbound transactions count just as much as outbound data transfers.
Together, it means that a business that buys 60,000 California leads and shares 45,000 users’ browsing data with ad networks reaches 105,000 and crosses the threshold, even if it never sells data in the traditional sense.
Threshold 3: Deriving 50% or more of annual revenue from selling or sharing personal information.
If your business makes more than 50% of its revenue from selling or sharing personal information of California residents, then it’s under scope.
But the word ‘derive’ does the real heavy lifting here. Because it doesn’t just limit scope to businesses that sell data like data brokers, but even the ones that offer list-building and lead generation services. The threshold simply looks at revenue that wouldn’t exist without the selling or sharing of personal information.
Where does the website change the calculation?
Website visits push businesses over the threshold without them realizing. The root of that is in how customer data is counted towards the 100,000 threshold.
The statute’s definition of personal information explicitly includes online identifiers, IP addresses, cookies, device IDs, and other unique identifiers that can recognize a person, family, or device over time and across services.
That means each cookie ID, device identifier, or mobile advertising ID transmitted to a third party for behavioral advertising counts as a consumer whose data you’re sharing.
Most businesses don’t think they are sharing or selling data. They think of it as marketing infrastructure. In reality, whenever a website loads a Meta Pixel, Google Tag Manager, or any other retargeting or tracking script, it’s making data flow from your website to third parties. That counts as selling or sharing personal information.
Each California visitor touched by those flows counts toward the 100,000 threshold.
Duplicates and double-counting make it even murkier
A single California resident can visit from three devices and clear cookies twice. The question then becomes, should a consumer using multiple devices be counted multiple times under the threshold?
The Attorney General’s Final Statement of Reasons clarifies that a device must relate to a California resident, as it would be unreasonable to count every device globally with no California nexus. Thus, the law does not require heroic identity resolution, but it also doesn’t permit pretending each technical identifier is wholly unrelated when it can be connected to the same person.
In short, if you have the data to link identifiers, like a user logging into the same account on three devices, or your platform stitches identifiers across sessions, you can count them as one consumer. If they are anonymous visitors and you lack the technical means to deduplicate, you count based on the unique identifiers you have.
In short, here’s how the website affects the thresholds.
| Threshold | What It Measures | How websites affect it | Common Blind Spot |
|---|---|---|---|
| $26.625M Revenue | Worldwide gross revenue | This is an independent threshold | Teams assume only CA-specific revenue matters |
| 100,000 Consumers | CA consumers whose data you buy, sell, or share | Visitors tracked via cookies/pixels that hit third-party tags count towards the threshold | Teams count “customers” but ignore anonymous web traffic |
| 50% Revenue from selling Data | Revenue from selling/sharing PI of CA residents | Programmatic ad revenue, lead sales, audience monetization, and affiliate revenue driven by CA user targeting | Teams think “we sell ads, not data.” |
Common applicability misconceptions
CCPA has been around for years, amended, debated, and transformed. The interpretations of each update, threshold, and statute are plenty, but so are the misconceptions.
CCPA doesn’t apply to B2B
This was true once. It isn’t anymore. Back then, CCPA granted exemptions for employee data and B2B contact information. The exemptions were set to sunset on January 1, 2023. So as of now, employees, job applicants, contractors, and business contacts are considered customers under the law with access, deletion, correction, and opt-out rights.
That means if your website collects names, email addresses, and IP addresses from California-based employees at client companies, that data counts toward your thresholds. If you process resumes from California job applicants, maintain contact records for California-based vendor representatives, or track website visits from prospects working at California businesses, all of that is personal information subject to CCPA.
There’s one nuance to look at, though. The law still excludes corporate entities themselves, because a legal entity is distinct from a natural person.
So B2B SaaS companies, enterprise software providers, and professional services firms that assumed they were exempt need to reassess. If you meet a threshold and process data of CA residents in any capacity, your business would likely be in scope.
CCPA doesn’t apply to you if you’re headquartered out of state
That’s also false. CCPA applies based on where your consumers are, not where your business is. Yes, the statute phrases it like you need to do business in California. But that doesn’t always need physical presence.
If you’re an online store, website, or any service, selling to CA residents via any route, it applies to you.
Put simply, shipping goods to California, providing SaaS or digital services accessible to California residents, or employing California-based remote workers, brings you under the scope.
Marketing or selling into the state counts. Recruiting California residents counts. Engaging in transactions for financial gain with California consumers counts. The geography of your headquarters is irrelevant.
Your business is out of scope if you serve only a small number of CA residents
That’s true, but not always. The thresholds are not co-dependent. They can define applicability individually. So even if you cross the revenue threshold, but not the other two, you get pulled into scope.
The thresholds are like borders. If you cross one, you are fully in scope regardless of how modest your California footprint feels.
A business with $30 million in worldwide revenue is in scope even if only 2% of its customers are in California. A business with 120,000 California consumers whose data it shares via retargeting pixels is in scope even if it has never shipped a product to the state. A business deriving 60% of revenue from programmatic ads tied to California residents is in scope even if its total user base is small.
Long story short, the law does not carve out a special small California presence for businesses once a threshold is crossed.
If you don’t target California, it doesn’t apply
It’s probably the most innocent misconception. But also false.
CCPA isn’t just about intent or targeting. It’s really about the data that gets collected, processed, shared, or sold, and the people you end up serving. If California residents interact with your website, create accounts, make purchases, or get tracked via cookies and analytics, you are processing their personal information regardless of whether you intended to serve them.
A business that markets exclusively to the East Coast but operates a publicly accessible website will still process data from California residents who find the site organically.
When that business meets a threshold, say serving 100,000 CA residents through web traffic, or in purchased leads, it comes under scope.
What counts as selling or sharing data?
They say the devil is in the details. That’s especially true for CCPA. The thresholds appear to be straightforward until you look at what they really mean.
When it was first introduced, selling meant what it’s supposed to: disclosing information to a third party in exchange for monetary gain or other valuable consideration. So the businesses using analytics and ad platforms assumed they were out of scope.
Today, amendments and updates have closed that gap. If your business discloses personal information to a third party, even for advertising, analytics, or any other purpose that benefits you, even in non-monetary ways, you can still be in scope. It’s not necessary for money to change hands.
Where the line exists
Whether a data flow counts as selling or sharing depends on how the recipient is classified under CCPA. There are three categories: service providers, contractors, and third parties.
A service provider processes personal information on behalf of your business for a specific business purpose under a written contract that prohibits selling, sharing, retention beyond what is necessary, and use outside the direct business relationship.
Under CPRA, the contract must also prohibit combining personal information from multiple clients and require that the provider allow you to monitor compliance. Similarly, a contractor must receive personal information directly from your business and is subject to additional oversight obligations.
A third party is any business that doesn’t meet either of those two definitions. That’s why, if your Meta Pixel, Google Analytics, or ad network relationship lacks a CPRA-compliant service provider or contractor contract, those recipients are third parties. That means disclosures to them for ad targeting, audience building, or measurement count as selling or sharing.
For businesses, this changes the game
In previous enforcement incidents, the California Attorney General treated analytics and advertising scripts without proper service provider contracts as sales of personal information.
Third-party advertising pixels like Meta Pixel, Google Ads, and TikTok Pixel send browsing behavior to platforms that build cross-client profiles and retarget users. In the eyes of the CCPA, that is sharing.
Further, analytics platforms like Google Analytics may constitute sharing when configured to let the platform use data for its own advertising purposes.
Other third-party services that offer critical capabilities like session replay, heatmapping, and A/B testing tools can be considered service providers if contracts limit use to your site and prohibit cross-client profiling. That goes for CDNs and tag managers as well.
The risk is when vendors use visitor data to improve their own models.
How can you assess if you’re under or over the threshold?
Testing your applicability for CCPA hinges on a bunch of questions. And it revolves around your global revenue, the net traffic you get from CA residents, and your business model. The last one is key, because that’s where most businesses slip in calculations.
Start by gathering data for each threshold using real systems
For the revenue threshold, use audited financials or management accounts to confirm worldwide gross revenue in the preceding calendar year.
The test is global, not California-specific, and it is based on gross revenue before expenses. That means exceeding $26.625M in gross revenue gets you in scope. For the 100,000 consumer threshold, you need to count California residents whose personal information you buy, sell, or share annually.
That data can be pulled and stitched together from your CRM, analytics platforms, lead acquisition and partnerships, as well as advertising automation.
Classify data flows as selling, sharing, or service provider processing
Because the definition of sharing, selling, and service provider processing is so nuanced, you need to look at how your data flows downstream, how it benefits your business, and then compare it against the threshold.
For the service provider, start by inventorying every third-party script, tag, and SaaS integration on your website and apps. This can be done with tag managers or with tools like Feroot that automatically discover and inventory all third-party scripts on your website.
Once done, you need to determine if there is a CCPA-compliant service provider contract. Does the vendor use the data only for your business purposes, or also for its own advertising network? Does it involve cross-context behavioral advertising?
If the vendor builds profiles across other businesses’ properties, you are sharing data by definition. Without a compliant contract, the vendor is a third party, and those flows count as selling or sharing.
However, with a strict contract limiting use to your business operations, it can be a service provider relationship that doesn’t count toward the threshold.
Third-party relationships add to your 100,000 consumer count. Service provider relationships typically don’t.
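One way to turn this classification, together with the deduplication rule described earlier, into a count against the 100,000 threshold. This is an added example, not code from the original page or from any vendor; the record fields, contract flags, vendor names and events are constructed assumptions.

```python
from collections import namedtuple

# Contract terms the page lists for a service provider (field names are assumptions).
Vendor = namedtuple("Vendor", "name written_contract bars_sell_share limits_retention "
                              "bars_combining allows_monitoring cross_context_ads")

def classify(v):
    """'service_provider' only if every contract term is present and the vendor
    does not use the data for cross-context behavioral advertising."""
    terms_ok = all([v.written_contract, v.bars_sell_share, v.limits_retention,
                    v.bars_combining, v.allows_monitoring])
    return "service_provider" if terms_ok and not v.cross_context_ads else "third_party"

class Linker:
    """Union-find: identifiers tied to one account collapse into one consumer."""
    def __init__(self):
        self.parent = {}
    def find(self, x):
        self.parent.setdefault(x, x)
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]  # path halving
            x = self.parent[x]
        return x
    def union(self, a, b):
        self.parent[self.find(a)] = self.find(b)

def count_shared_ca_consumers(events, vendors):
    """Count distinct California consumers disclosed to a third party."""
    kind = {v.name: classify(v) for v in vendors}
    links = Linker()
    for e in events:  # pass 1: link identifiers that a login ties to an account
        if e["account"]:
            links.union("id:" + e["id"], "acct:" + e["account"])
    counted = set()
    for e in events:  # pass 2: keep CA events whose recipient is a third party
        # A recipient missing from the inventory has no contract on file.
        if e["is_ca"] and kind.get(e["recipient"], "third_party") == "third_party":
            counted.add(links.find("id:" + e["id"]))
    return len(counted)

# Constructed sample data, not real vendors or traffic.
VENDORS = [
    Vendor("ads-pixel", False, False, False, False, False, True),
    Vendor("heatmap", True, True, True, True, True, False),
    Vendor("analytics", True, True, True, False, True, False),  # no bar on combining
]
EVENTS = [
    {"id": "cookie-1", "account": "u1", "is_ca": True, "recipient": "ads-pixel"},
    {"id": "maid-7", "account": "u1", "is_ca": True, "recipient": "ads-pixel"},
    {"id": "cookie-2", "account": None, "is_ca": True, "recipient": "ads-pixel"},
    {"id": "cookie-3", "account": None, "is_ca": True, "recipient": "heatmap"},
    {"id": "cookie-4", "account": None, "is_ca": False, "recipient": "ads-pixel"},
    {"id": "cookie-5", "account": None, "is_ca": True, "recipient": "analytics"},
]
```

On the sample data, the two identifiers logged into account `u1` count once, the anonymous cookie counts on its own, and the flow to the vendor whose contract lacks the no-combining clause still counts because that vendor classifies as a third party.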
Look at your business model
A lot of businesses don’t realize they are under the scope because they don’t look at their revenue model closely enough. If 50% of your revenue depends on selling or sharing PI of CA residents, then you cross the threshold.
Advertising services, lead generation businesses, data brokers, and audience listening platforms bundle data access, and these businesses cross the threshold more often than not.
Document your applicability determination
Regulators expect businesses to maintain a written applicability assessment that explains how the business perimeter was defined, what data sources were used to compute each threshold, and what assumptions were made. If you conclude you are out of scope, document why. If you are in scope, note which threshold you crossed and when.
How AlphaPrivacy AI supports applicability assessment
Perhaps the trickiest part of assessing your applicability isn’t the nuances behind the thresholds, but actually knowing how you collect data, when you do it, where it goes, who it belongs to, and which flows count as selling or sharing.
It’s hard for businesses to answer those questions without manually auditing every script their website loads.
AlphaPrivacy AI automates that. It automatically discovers scripts across your website, shows how they impact data collection, and surfaces every detail you need to know about client-side data collection. It monitors which tracking technologies are active, what personal information they access, and which third parties receive California residents’ data.
That visibility tells you how many California consumers are affected by your website operations and whether those data flows qualify as selling or sharing under CCPA.
The platform automatically maps jurisdictional requirements to your digital footprint, enforcing location-specific consent management, data handling rules, and privacy controls across all markets.
So when a California visitor lands on your site, AlphaPrivacy AI applies CCPA-specific logic, blocking sale and sharing flows if the user opts out, honoring Global Privacy Control signals, and logging which data flows occurred for audit purposes.
This way, one solution handles requirements for GDPR, CCPA, CPRA, and 22 state laws. It manages consent by location and generates jurisdiction-specific privacy documentation automatically. For applicability purposes, that means you have the audit trail that regulators expect if they ever question your status as a CCPA business.