Clym Logo

CCPA Applicability - 2026 Guide: How to Know if the Law Applies to Your Business

~ 7 min read

CCPA Applicability Guide 2026: How to Know if the Law Applies to Your Business

This CCPA applicability guide for 2026 helps businesses understand whether the California Consumer Privacy Act applies to them by breaking down key applicability thresholds. It explains how the updated $26.625M revenue threshold works, how the 100,000‑consumer data volume rule is calculated through website traffic and identifiers, and when the 50% data broker revenue rule applies. The guide also clarifies CCPA extraterritorial coverage, outlines how online tracking technologies can trigger CCPA obligations, and highlights practical next steps for organizations assessing their CCPA compliance status.

Summarize full article with:

Determining CCPA applicability is the first and most important step in understanding your privacy obligations.

With the expanded requirements introduced under the California Privacy Rights Act (CPRA) and new inflation adjustments taking effect in 2026, the scope of who must comply has shifted. A business that was exempt last year may now fall within scope due to updated revenue thresholds or expanded definitions around “data brokerage.”

This guide explains the three legal thresholds that trigger coverage, clarifies who must comply with CCPA even outside California, and links to deeper resources on key data categories.


CCPA applicability checklist: Quick “Am I covered?” logic flow (2026)

Use this quick decision sequence to assess your status:

  1. Are you a for-profit entity doing business in California?
    (Yes → Continue)
  2. Do you meet ANY ONE of the following 3 criteria?
    • A. Annual Global Gross Revenue > $26.625 million
    • B. Buy/Sell/Share data of > 100,000 CA consumers or households
    • C. Derive > 50% of annual revenue from selling/sharing data
  3. Result: If you checked A, B, or C, the CCPA generally applies.

CCPA revenue threshold 2026 explained: Understanding the $26.6M rule

Many businesses assume the revenue threshold applies only to money made within California, but the scope is broader. Effective January 1, 2025, the original $25 million statutory threshold is adjusted for inflation. For the 2026 compliance year, your business is covered if its annual gross revenues exceed $26,625,000.

Global revenue rule under CCPA: why worldwide revenue counts

The law evaluates your full economic footprint, not just your activity within the state.

  • Global scope: This threshold typically refers to total global gross revenue, not revenue earned in California. For example, if your company is based in France, generates $30M worldwide, and earns only $100k from California customers, you likely meet this threshold if you are considered to be “doing business” in the state.
  • Inflation updates: The CPPA updates this monetary threshold every two years based on the Consumer Price Index (CPI).

Compliance Tip: The statute (Civil Code § 1798.140) still lists “$25,000,000,” but footnotes that the figure is updated under § 1798.199.95(d). Use the adjusted $26.625M amount in your assessments.


CCPA data volume threshold: does 100,000 consumers apply to your business?

This threshold often surprises smaller companies because it focuses on data volume, not revenue. Your business falls under the CCPA if it annually buys, sells, or shares the personal information of 100,000 or more California consumers, households, or devices.

The 275 visitors rule: how website traffic triggers CCPA coverage

This is the most common pitfall for SMBs. You do not need 100,000 customers, the law counts unique identifiers such as cookies, device IDs, and IP addresses.

  • The calculation:
    100,000 unique visitors ÷ 365 days ≈ 274 visitors per day
  • The reality:
    If your website averages around 275 daily visitors from California, and you use tools such as Google Analytics, Meta Pixel, or similar trackers, you are collecting personal information from 100,000 “consumers or devices” each year.
  • The verdict: If this applies, you are required to comply.

Pro Tip #1: Adopting CCPA data minimization strategies may help reduce your identifier volume and keep you below the threshold.

Pro Tip #2: Check your Google Analytics “California” user count for the past 12 months. If “Users” exceed 100,000, you are in scope.


CCPA data broker threshold: understanding the 50% revenue rule (2026)

If your business model relies heavily on data monetization, pay close attention to how your revenue is generated. You fall within the CCPA if 50% or more of your annual revenue comes from selling or sharing personal information.

Delete Act (SB 362) requirements for 2026: what data brokers must do

Meeting this threshold often means you qualify as a Data Broker, a business that knowingly collects and sells personal information from consumers with whom it does not have a direct relationship.

Starting in 2026, additional Delete Act obligations apply:

  • Registration: Register with the CPPA by January 31 each year and pay the $6,000 registration fee
  • DROP integration: Integrate with the state’s DROP Platform, enabling consumers to delete their information across all registered brokers via a single request

Does CCPA apply outside California? Understanding extraterritorial coverage (2026)

The CCPA applies based on consumer location, not business location. A physical presence in California is not required.

Any organization that meets one or more thresholds and collects personal information from California residents is generally covered.

Common scenarios

Business type

Scenario

Verdict

SaaS Platform

HQ in New York; 150,000 free-tier users logging in from CA IPs.

Covered (Meets 100k volume threshold)

E-Commerce

HQ in London, UK; ships luxury goods to CA; global revenue $50M.

Covered (Revenue threshold + doing business in CA)

Non-Profit

A charity located in San Francisco.

Exempt (Generally)

"Hybrid" Non-Profit

Shares brand/logo with a for-profit entity.

Covered (Common branding rule)

What data is regulated under CCPA? Full scope of covered information

Once you confirm applicability, the next step is understanding which data categories the CCPA covers.

CCPA personal information definition: what counts as PI?

Under the CCPA, “Personal Information” (PI) is broad and includes:

  • Identifiers: IP addresses, cookie IDs, mobile device IDs
  • Internet activity: Browsing history, search history
  • Inferences: Profiles built about preferences, characteristics, or behaviors

Selling vs. sharing under CCPA: what’s the difference?

“Selling” does not require money to change hands.

  • Selling: Exchanging PI for monetary or other valuable consideration
  • Sharing: Disclosing PI for Cross-Context Behavioral Advertising (e.g., retargeting)

Impact: If your website uses third-party ad pixels, you are likely “sharing” data and must provide an opt-out link.


CCPA compliance next steps: what to do if the law applies to you

Compliance is continuous, not a one-time setup. If you meet any threshold, or if your traffic averages ~275 CA visitors per day, you should begin taking action.

  1. Scan your website: Use Clym’s Cookie Scanner to identify every cookie and tracker contributing to your "100,000" count.
  2. Update your privacy policy: Confirm it reflects 2026 requirements and updated thresholds.
  3. Start your data inventory: Read our CCPA compliance guide for businesses in 2026 to begin mapping your data flows.
  4. Know the risks: Review the latest CCPA penalties & fines to understand the cost of inaction.

For a complete overview of all your obligations, read our ultimate guide on CCPA compliance.

Alex Margau

Content Manager

Alex is a Content Developer at Clym, where he researches and writes about everything related to data privacy and web accessibility compliance for businesses, helping them stay informed on their compliance needs and spreading awareness about making the web safer and more inclusive. When he’s not writing about compliance, Alex has his nose in a book or is hiking in the great outdoors.

Find out more about Alex

Related articles