The Hedge | Brutal Honesty Over Hype Since 2008
California’s consumer privacy law — the California Consumer Privacy Act (CCPA) as amended and expanded by the California Privacy Rights Act (CPRA) — is one of the most comprehensive state privacy laws in the country. Understanding which businesses it applies to, what it requires, and what the enforcement landscape looks like in 2026 is essential for any California business with a website or customer database.
Who Is Covered
The CCPA/CPRA applies to for-profit businesses that do business in California and meet at least one of three thresholds: they have annual gross revenue exceeding $25 million; they buy, sell, or share personal information of 100,000 or more consumers or households annually; or they derive 50% or more of annual revenue from selling consumers’ personal information. For most small businesses — those with revenue well under $25 million and fewer than 100,000 customer records — CCPA/CPRA coverage is not triggered. But for growing businesses approaching these thresholds, compliance planning should start well before the threshold is crossed.
What Covered Businesses Must Do
For businesses within CCPA/CPRA’s scope, the requirements are substantial: provide a privacy notice at the point of data collection; honor consumer rights to know what data is collected, request deletion, and opt out of sale or sharing; implement data security appropriate to the sensitivity of the information collected; and maintain a “Do Not Sell or Share My Personal Information” link on any website that sells or shares data. The CPRA’s amendments added a new category for “sensitive personal information” with heightened protections and consumer opt-out rights.
The Enforcement Landscape
The California Privacy Protection Agency (CPPA), established by CPRA, has issued its first enforcement actions and is building a track record. Fines for intentional violations can reach $7,500 per violation — per consumer affected. For a business that processes 10,000 consumer records with a systemic violation, the theoretical maximum penalty is $75 million. In practice, first-time violators who remediate promptly receive significantly reduced penalties. The enforcement risk is real for businesses within CCPA’s scope; for businesses below the thresholds, the immediate risk is minimal but worth monitoring as the business grows.