CCPA compliance for small e-commerce — do I actually need to worry?

Started by ShopifyFounder_LA · Jun 10, 2024 · 13 replies
For informational purposes only. Not legal advice.
ShopifyFounder_LA (OP)

I run a small DTC brand on Shopify. About $600K/year revenue, maybe 8,000 customers. Based in LA.

I keep seeing CCPA requirements everywhere but when I look at the thresholds I think I'm exempt? The law says you need $25M+ revenue OR 100,000+ consumers OR 50%+ revenue from selling data. I'm none of those.

But then I see privacy lawyers saying "every California business needs to comply." Who's right?

PrivacyCounsel_CA (Attorney)

You're reading the statute correctly. CCPA (now CPRA) has those three thresholds and you need to meet at least one to be a "business" under the law with full compliance obligations.

At $600K and 8K customers, you're likely exempt from the core CCPA requirements.

BUT — two caveats:

  • If you share customer data with third parties in ways that could be "selling" under CCPA's broad definition (including for advertising), you could hit the 50% threshold faster than you think.
  • The California AG has signaled they're considering lowering thresholds. And other states have different rules.

ShopifyFounder_LA (OP)

I use Meta ads and Google Ads. I have the Facebook Pixel on my site. Does that count as "selling" data?

PrivacyCounsel_CA (Attorney)

Under CPRA, "sharing" personal information for cross-context behavioral advertising (which is what Meta Pixel does) triggers opt-out requirements even if no money changes hands. But that only matters if you're a "business" under the statute in the first place.

You don't derive 50%+ of revenue from selling data — you spend money on ads, not earn it. So that threshold doesn't apply to you.

EcommerceOps_SD

Same situation here. $400K revenue, Shopify store. I added a privacy policy and cookie banner anyway because:

1. It's cheap insurance if the rules change
2. Enterprise customers ask about it during B2B deals
3. App Store Review guidelines require privacy policies even for small apps

Cost me maybe $500 for a lawyer to review a template privacy policy. Worth the peace of mind.

DTCDan

The 100,000 consumer threshold is easier to hit than you'd think. That's "consumers" not "customers" — meaning anyone whose personal info you collect. Every website visitor who accepts cookies, everyone on your email list, everyone who abandons a cart. Tracked over a calendar year.

With 8K customers you might have 80K+ visitors. Check your analytics.

ShopifyFounder_LA (OP)

@DTCDan — just checked. About 120K unique visitors in the past year. So I might actually hit the threshold...

PrivacyCounsel_CA (Attorney)

Good catch. The 100K threshold is consumers, households, or devices whose personal information you buy, sell, or share. Key question: are those 120K visitors California residents? CCPA only covers CA consumers.

If you don't collect location data, you'd need to estimate based on traffic patterns. Generally 12% of US online traffic is California, so 120K visitors might be ~15K California consumers — probably still under the threshold.

But you're close enough that I'd recommend basic compliance: privacy policy disclosing your data practices, "Do Not Sell/Share" link (even if just to be safe), and honoring opt-out requests.

ShopifyFounder_LA (OP)

UPDATE: Decided to implement basic compliance even though I'm probably under the threshold. Using Shopify's built-in cookie banner and updated my privacy policy. If I keep growing I'll need this anyway.

Thanks for the detailed breakdown — the "consumers vs customers" distinction is something I definitely would have missed.

RetailMaven_OC

Reviving this thread because the CPPA just released their updated regulations in November 2024. Some relevant changes for small businesses:

  • The automated decision-making rules are now in effect — if you use any AI-based personalization or dynamic pricing, there are new disclosure requirements
  • Data broker registration requirements have been tightened
  • The CPPA has been more aggressive about enforcement actions, even sending warning letters to smaller companies

@ShopifyFounder_LA — how has your compliance journey been going? Still using the Shopify built-in tools?

ShopifyFounder_LA (OP)

@RetailMaven_OC — thanks for the ping! Actually, a lot has changed. We hit $1.2M revenue this year and our email list grew to 35K subscribers. Still under the thresholds technically, but I ended up doing a full compliance audit in Q3.

The Shopify cookie banner works but I switched to a dedicated CMP (consent management platform) because we expanded to selling in the EU and needed GDPR compliance anyway. Ended up being simpler to have one solution that handles both.

The automated decision-making disclosure requirement you mentioned — does that apply to basic product recommendation widgets? We use Shopify's built-in recommendations.

PrivacyCounsel_CA (Attorney)

The ADMT (Automated Decision-Making Technology) rules are nuanced. Basic product recommendations probably don't trigger the full requirements — those are aimed at decisions that have "legal or similarly significant effects" on consumers, like credit decisions, insurance pricing, or employment screening.

However, if you use dynamic pricing algorithms that show different prices to different consumers based on their profile, that could trigger disclosure obligations. Same with automated fraud detection that might block legitimate customers.

For a standard e-commerce setup with product recs, you're likely fine with a general disclosure in your privacy policy. The CPPA has indicated they're focused on higher-risk uses first.

EcommerceOps_SD

One thing worth mentioning — the threshold lowering that was discussed back in 2024 hasn't happened yet, but there's an active proposal being considered by the legislature for the 2024 session. The proposed change would drop the consumer threshold to 50,000 and add a new category for businesses that process "sensitive personal information" regardless of size.

If you're collecting any health-related data (like for supplements or wellness products), biometric data, or precise geolocation, you might want to pay attention to this. The proposal has support from the AG's office.

@ShopifyFounder_LA — congrats on the growth! Smart move getting ahead of compliance before you're forced into it.