Does Your Small Business Need to Comply with CCPA? A Practical Guide

LegalBanner · 7 min read

The CCPA Threshold Question

Many small business owners hear about CCPA and immediately think: "That's for big companies, not me." And technically, they might be right — CCPA has specific thresholds for applicability. But the answer is more nuanced than it first appears.

When CCPA Applies

Your business is subject to CCPA if you do business in California AND meet any one of these:

  • Annual gross revenue exceeds $25 million
  • You buy, sell, or share personal information of 100,000+ California consumers, households, or devices per year
  • You derive 50% or more of annual revenue from selling or sharing personal information

The 100,000 threshold is lower than it sounds. If your website gets 300+ visitors per day from California, you likely hit 100,000 devices per year (300 visitors a day over a full year comes to roughly 110,000). Each unique browser or device counts.

Even Below Thresholds: Why You Should Care

Even if you're below the thresholds, there are compelling reasons to implement CCPA-style compliance:

  • You might cross the threshold without realising it. Website traffic grows. If you're counting on being under 100K, you might cross it with a viral post or seasonal traffic spike.
  • Other state laws may apply. Colorado, Connecticut, Virginia, Utah, Texas, Oregon, Montana, and more states now have privacy laws with different (often lower) thresholds.
  • Consumer trust. Visitors who see a privacy-respecting website are more likely to buy. Studies show 71% of consumers are more likely to purchase from companies they trust with their data.
  • Future-proofing. Federal privacy legislation is being discussed. Building compliance now is cheaper than retrofitting later.

Minimum Steps for Small Businesses

Even if full CCPA compliance isn't legally required for your business, these steps are best practice:

  1. Privacy policy — Have one. Make it clear and accessible.
  2. Cookie disclosure — Tell visitors what cookies and trackers you use.
  3. Opt-out mechanism — Provide a way for visitors to opt out of tracking.
  4. Honour Do Not Track / Global Privacy Control (GPC) — Respect browser privacy signals.
  5. Data security — Implement reasonable security measures for any personal data you store.
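Steps 3 and 4 are the ones a developer actually has to wire up: tracking scripts should stay unloaded until the visitor's signals have been checked. The following is an added example, not LegalBanner's code or a description of how its banner works. It shows one way to make that decision: read the browser's GPC and DNT signals (or the `Sec-GPC` request header on the server), check a stored opt-out cookie, and load only the scripts the decision permits. The cookie name `lb_optout` and the tracker list are assumptions constructed for the example.

```javascript
// Added example: decide whether non-essential trackers may load, honouring
// Global Privacy Control, Do Not Track and a stored opt-out choice.

// Parse a document.cookie-style string ("a=1; b=2") into a plain object.
function parseCookies(cookieString) {
  const out = {};
  for (const part of (cookieString || '').split(';')) {
    const idx = part.indexOf('=');
    if (idx === -1) continue;
    const name = part.slice(0, idx).trim();
    if (!name) continue;
    out[name] = decodeURIComponent(part.slice(idx + 1).trim());
  }
  return out;
}

// Server-side check: browsers with GPC enabled send the header "Sec-GPC: 1".
// Header names are matched case-insensitively, as HTTP requires.
function gpcFromHeaders(headers) {
  for (const [name, value] of Object.entries(headers || {})) {
    if (name.toLowerCase() === 'sec-gpc' && String(value).trim() === '1') {
      return true;
    }
  }
  return false;
}

// Client-side decision. `nav` is the browser's navigator object (or a stand-in
// for testing); `cookieString` is document.cookie.
// Order matters: a browser-level signal wins even if no opt-out cookie is set.
function trackingDecision(nav, cookieString) {
  const n = nav || {};
  // GPC exposes navigator.globalPrivacyControl === true when enabled.
  if (n.globalPrivacyControl === true) {
    return { allowTracking: false, reason: 'gpc' };
  }
  // DNT exposes navigator.doNotTrack === "1" when enabled.
  if (n.doNotTrack === '1') {
    return { allowTracking: false, reason: 'dnt' };
  }
  // Opt-out recorded by the site's own "Do Not Sell or Share" link.
  // Cookie name is an assumption for this example.
  const cookies = parseCookies(cookieString);
  if (cookies.lb_optout === '1') {
    return { allowTracking: false, reason: 'optout-cookie' };
  }
  return { allowTracking: true, reason: 'no-signal' };
}

// Constructed tracker inventory. Only `essential: true` scripts may run when
// tracking is not allowed; everything else stays blocked.
const SAMPLE_TRACKERS = [
  { id: 'session-manager', src: '/js/session.js', essential: true },
  { id: 'analytics', src: 'https://analytics.example/tag.js', essential: false },
  { id: 'ads-pixel', src: 'https://ads.example/pixel.js', essential: false },
];

// Return the subset of trackers that the decision permits to load.
function selectTrackersToLoad(trackers, decision) {
  return trackers.filter((t) => t.essential || decision.allowTracking);
}

// In a browser you would call this on page load and inject <script> tags only
// for the returned entries. Guarded so the file also runs under Node.
function loadPermittedTrackers() {
  if (typeof document === 'undefined' || typeof navigator === 'undefined') {
    return [];
  }
  const decision = trackingDecision(navigator, document.cookie);
  const permitted = selectTrackersToLoad(SAMPLE_TRACKERS, decision);
  for (const t of permitted) {
    const el = document.createElement('script');
    el.src = t.src;
    el.async = true;
    document.head.appendChild(el);
  }
  return permitted;
}

loadPermittedTrackers();
```

The key design point is that tracker tags are never written into the page unconditionally; the decision runs first and the blocked scripts are simply never created. Server-rendered pages can make the same call with `gpcFromHeaders(req.headers)` before emitting any tag, and the opt-out link should set the `lb_optout` cookie (or whatever name you choose) so the choice persists across visits.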

The Cost of Non-Compliance

CCPA fines are $2,500 per unintentional violation and $7,500 per intentional violation. Each affected consumer interaction can be a separate violation. Additionally, CCPA grants consumers a private right of action for data breaches, with statutory damages of $100–750 per consumer per incident.

For a small business, even a modest enforcement action can be devastating.

LegalBanner for Small Businesses

LegalBanner's free plan covers one website and includes basic consent management that covers both GDPR and CCPA. You don't need the Pro plan to get started — the free tier handles geo-detection, opt-out links, and script blocking. As your business grows and compliance needs expand, you can upgrade.

Ready to fix your cookie consent?

Deploy a compliant banner in 5 minutes. No coding required.

Start free