Private members-only forum

What's the deal with CCPA? Do I actually need to worry?

Started by thepracticalguide_13 · May 14, 2025 · 4 replies
For informational purposes only. Not legal advice.
thepracticalguide_13 OP

I run a small DTC brand on Shopify. About $600K/year revenue, maybe 8,000 customers. Based in LA.

I keep seeing CCPA requirements everywhere but when I look at the thresholds I think I'm exempt? The law says you need $25M+ revenue OR 100,000+ consumers OR 50%+ revenue from selling data. I'm none of those tbh.

But then I see privacy lawyers saying "every California business needs to comply." Who's right?

circumstantial_evidence_11 Attorney

Under CPRA, "sharing" personal information for cross-context behavioral advertising (which is what Meta Pixel does) triggers opt-out requirements even if no money changes hands. But that only matters if you're a "business" under the statute in the first place.

You don't derive 50%+ of revenue from selling data — you spend money on ads, not earn it. So that threshold doesn't apply to you.

thepracticalguide_13 OP

@Ryan_F_3 — just checked. About 120K unique visitors in the past year. So I might actually hit the threshold...

thepracticalguide_13 OP

UPDATE: Decided to implement basic compliance even though I'm probably under the threshold. Using Shopify's built-in cookie banner and updated my privacy policy. If I keep growing I'll need this anyway.

Thanks for the detailed breakdown — the "consumers vs customers" distinction is something I definitely would have missed.

allison.m_14

Coming back to this thread with a practical update for small e-commerce operators in 2026. The privacy landscape has shifted significantly since this thread started. As of January 2026, there are now 19 states with comprehensive privacy laws either enacted or in effect. Even if you are under CCPA thresholds, you may be subject to privacy requirements in Texas, Oregon, Montana, or other states with lower or no revenue thresholds.

The Texas Data Privacy and Security Act is particularly relevant for e-commerce businesses because it has no revenue threshold and no minimum number of consumers. It applies to any entity that conducts business in Texas or produces products or services consumed by Texas residents AND processes or sells personal data. If you ship products to Texas customers, you likely need to comply.

My recommendation for any small e-commerce business in 2026: implement a baseline privacy program that satisfies the strictest requirements you are likely to face. This means a comprehensive privacy policy, a mechanism for consumers to request deletion of their data, a process for handling opt-out requests, and reasonable data security practices. The cost of implementing this proactively is far less than responding to enforcement actions from multiple states.

One more thing: if you use any third-party analytics, advertising pixels, or customer data platforms, review your data processing agreements. Several state laws require written contracts with service providers that process personal data on your behalf. This is an area where many small businesses are technically non-compliant without realizing it.

heather_k_7 Attorney

Reviving this thread with a 2026 update that is relevant for small businesses. The California Privacy Protection Agency (CPPA) finalized its updated regulations in late 2025, and there are a few developments worth tracking.

First, the CPPA has begun issuing enforcement advisory letters to businesses that clearly meet the thresholds but lack basic compliance measures. These are not formal enforcement actions, but they signal that the agency is actively monitoring. Several small e-commerce companies in the 1-5M revenue range have received these letters, particularly those using aggressive retargeting and data enrichment services.

Second, the Global Privacy Control (GPC) signal is now mandatory to honor under the CPRA regulations. If your website detects a GPC signal from a browser, you must treat it as a valid opt-out of sale and sharing. Most major browsers now support GPC. If you are running Shopify with third-party analytics, ad pixels, or customer data platforms, you need to ensure your consent management platform respects GPC signals. Failure to honor GPC has been cited in multiple CPPA enforcement actions.

Third, the data broker registration requirement under the Delete Act (SB 362) now carries significant penalties for non-registration. If your business buys, sells, or shares personal information of consumers with whom you do not have a direct relationship, you may qualify as a data broker under the expanded definition. This catches some affiliate marketing and lead generation businesses off guard.

My recommendation for small e-commerce businesses: even if you are below the CCPA thresholds, implement a privacy policy, a cookie consent banner that respects GPC, and a process for handling data deletion requests. The cost is minimal compared to the risk, especially since five other states now have comprehensive privacy laws with lower thresholds than California.
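The GPC point above is the one part of this thread that is a concrete technical control rather than a policy choice, so here is an added example of what "honour the signal" looks like in code. It is not from the thread, from Shopify, or from any consent-management vendor. The two detection channels are the ones the Global Privacy Control specification defines: the `Sec-GPC: 1` request header and the `navigator.globalPrivacyControl` property in the browser. Everything else (the helper names, the tag list, the `bannerChoice` field, the audit record shape) is a constructed illustration. The design choice to show is that a later "accept" click on a cookie banner does not re-enable sharing once GPC is present: the signal is a valid opt-out on its own, and the decision record says which channel triggered it so you can show that it was honoured.

```javascript
// Added example: gate ad/sharing tags on the Global Privacy Control signal.
// Assumed, constructed tag inventory for a small storefront. Only tags that
// "share" personal information for cross-context behavioural advertising
// are suppressed; plain first-party analytics is left alone.
const THIRD_PARTY_TAGS = [
  { name: "first-party-analytics", sharesForAdvertising: false },
  { name: "ad-pixel", sharesForAdvertising: true },
  { name: "retargeting-cdp", sharesForAdvertising: true },
];

// Server side: the GPC spec defines the request header `Sec-GPC` with the
// exact value "1" meaning "do not sell or share". Any other value is not an
// opt-out. Header names are matched case-insensitively.
function gpcFromHeaders(headers) {
  const entry = Object.entries(headers || {}).find(
    ([name]) => name.toLowerCase() === "sec-gpc"
  );
  return entry !== undefined && String(entry[1]).trim() === "1";
}

// Client side: `navigator.globalPrivacyControl` is `true` when the browser
// or an extension sends GPC; it is undefined on browsers without support.
// The argument is passed in so the same logic is testable outside a browser.
function gpcFromNavigator(nav) {
  return Boolean(nav && nav.globalPrivacyControl === true);
}

// Which channel, if any, produced an opt-out. GPC is checked before the
// banner choice on purpose: a banner "accept" must not override the signal.
// `bannerChoice` is an assumed field: "accept", "opt-out" or undefined.
function optOutSource({ headers, nav, bannerChoice }) {
  if (gpcFromHeaders(headers)) return "gpc-header";
  if (gpcFromNavigator(nav)) return "gpc-navigator";
  if (bannerChoice === "opt-out") return "banner";
  return null;
}

function resolveOptOut(ctx) {
  return optOutSource(ctx) !== null;
}

// Names of the tags that may be loaded given the opt-out state.
function tagsToLoad(optedOut, tags = THIRD_PARTY_TAGS) {
  return tags
    .filter((tag) => !(optedOut && tag.sharesForAdvertising))
    .map((tag) => tag.name);
}

// Single decision point for the page: returns the state, the reason, and the
// allowed tag list. Persisting this record per session is what lets you show
// later that a GPC signal was honoured rather than just claimed.
function decide(ctx) {
  const source = optOutSource(ctx);
  const optedOut = source !== null;
  return { optedOut, source, load: tagsToLoad(optedOut) };
}

// Demo on a constructed request: GPC header present, user clicked "accept".
console.log(
  JSON.stringify(
    decide({ headers: { "Sec-GPC": "1" }, nav: {}, bannerChoice: "accept" })
  )
);
```

In a real Shopify theme the `nav` argument would be the page's `navigator` and the `headers` check would live in whatever edge or app-proxy layer sees the request; the point of splitting the two is that a server-rendered page can already omit the pixel script tag rather than loading it and hoping a client-side script removes it in time.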