
CCPA compliance for small e-commerce — do I actually need to worry?

Started by ShopifyFounder_LA · Dec 5, 2024 · 9 replies
For informational purposes only. Not legal advice.
ShopifyFounder_LA OP

I run a small DTC brand on Shopify. About $600K/year revenue, maybe 8,000 customers. Based in LA.

I keep seeing CCPA requirements everywhere but when I look at the thresholds I think I'm exempt? The law says you need $25M+ revenue OR 100,000+ consumers OR 50%+ revenue from selling data. I'm none of those.

But then I see privacy lawyers saying "every California business needs to comply." Who's right?

PrivacyCounsel_CA Attorney

You're reading the statute correctly. CCPA (now CPRA) has those three thresholds and you need to meet at least one to be a "business" under the law with full compliance obligations.

At $600K and 8K customers, you're likely exempt from the core CCPA requirements.

BUT — two caveats:

  • If you share customer data with third parties in ways that could be "selling" under CCPA's broad definition (including for advertising), you could hit the 50% threshold faster than you think.
  • The California AG has signaled they're considering lowering thresholds. And other states have different rules.
ShopifyFounder_LA OP

I use Meta ads and Google Ads. I have the Facebook Pixel on my site. Does that count as "selling" data?

PrivacyCounsel_CA Attorney

Under CPRA, "sharing" personal information for cross-context behavioral advertising (which is what Meta Pixel does) triggers opt-out requirements even if no money changes hands. But that only matters if you're a "business" under the statute in the first place.

You don't derive 50%+ of revenue from selling data — you spend money on ads, not earn it. So that threshold doesn't apply to you.

EcommerceOps_SD

Same situation here. $400K revenue, Shopify store. I added a privacy policy and cookie banner anyway because:

1. It's cheap insurance if the rules change
2. Enterprise customers ask about it during B2B deals
3. App Store Review guidelines require privacy policies even for small apps

Cost me maybe $500 for a lawyer to review a template privacy policy. Worth the peace of mind.

DTCDan

The 100,000 consumer threshold is easier to hit than you'd think. That's "consumers" not "customers" — meaning anyone whose personal info you collect. Every website visitor who accepts cookies, everyone on your email list, everyone who abandons a cart. Tracked over a calendar year.

With 8K customers you might have 80K+ visitors. Check your analytics.

ShopifyFounder_LA OP

@DTCDan — just checked. About 120K unique visitors in the past year. So I might actually hit the threshold...

PrivacyCounsel_CA Attorney

Good catch. The 100K threshold is consumers, households, or devices whose personal information you buy, sell, or share. Key question: are those 120K visitors California residents? CCPA only covers CA consumers.

If you don't collect location data, you'd need to estimate based on traffic patterns. Generally 12% of US online traffic is California, so 120K visitors might be ~15K California consumers — probably still under the threshold.

But you're close enough that I'd recommend basic compliance: privacy policy disclosing your data practices, "Do Not Sell/Share" link (even if just to be safe), and honoring opt-out requests.

ShopifyFounder_LA OP

UPDATE: Decided to implement basic compliance even though I'm probably under the threshold. Using Shopify's built-in cookie banner and updated my privacy policy. If I keep growing I'll need this anyway.

Thanks for the detailed breakdown — the "consumers vs customers" distinction is something I definitely would have missed.
