The Hedge | Brutal Honesty Over Hype Since 2008
The California Consumer Privacy Act (CCPA) and its successor, the California Privacy Rights Act (CPRA), created a consumer privacy compliance regime that applies to businesses meeting relatively low revenue and data volume thresholds — and whose compliance costs are systematically underestimated by founders building their California operating budgets.
Who the Law Applies To
The CPRA applies to for-profit businesses that do business in California AND meet one or more of these thresholds: annual gross revenues over $25 million; buy, sell, or share the personal information of 100,000 or more consumers or households annually; or derive 50% or more of annual revenues from selling or sharing consumers’ personal information. The $25 million revenue threshold is low enough to capture a significant portion of mid-stage startups and growing small businesses. Any e-commerce company, subscription business, or SaaS company collecting user data at meaningful scale should assume CPRA applies to them if they serve California consumers — which, given California’s size, most national businesses do.
What Compliance Requires
CPRA compliance is not a checkbox exercise. It requires: a privacy policy that meets specific disclosure requirements about data collection, use, sharing, and retention; consumer request infrastructure that allows California consumers to know what data you hold about them, delete it, correct it, opt out of its sale or sharing, and limit its use for sensitive purposes; data processing agreements with every vendor that processes California consumer personal information on your behalf; internal data inventory and mapping to know what personal information you actually hold and where; a designated privacy contact or officer depending on your data volume; and annual compliance audits if you process sensitive personal information at scale. Each of these requirements has a real implementation and ongoing compliance cost.
The Enforcement Risk
The California Privacy Protection Agency has enforcement authority and has demonstrated willingness to investigate and fine companies that fail to comply. Fines run $2,500 per unintentional violation and $7,500 per intentional violation — per consumer, per violation. A marketing email sent to 10,000 California consumers in violation of CPRA’s opt-out requirements creates exposure of $25 million in theoretical penalties. Most enforcement actions settle for far less, but the exposure is real and the Agency has stated publicly that small and mid-size businesses are not immune from enforcement.
How California Compares
Texas, Florida, and most other states have passed or are passing their own consumer privacy laws, so CPRA is increasingly not a California-unique compliance burden. However, California’s law remains among the most demanding in the country in terms of consumer rights scope and enforcement authority, and it was the first. The compliance infrastructure you build for CPRA is the floor, not the ceiling, of your privacy compliance program. Budget for it explicitly before you assume California is a viable operating location.