Do small businesses need to comply with the California Consumer Privacy Act?

Written By Shayne Adler

The California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), is not limited to large tech firms—it applies to any for‑profit business that collects personal data and does business in California if it meets certain thresholds.

A business must comply if it has at least US $26.625 M in annual revenue (2025), buys, sells or shares the personal information of 100,000 or more California residents/households, or derives 50 % or more of its annual revenue from selling or sharing Californians’ personal information.

The CCPA grants consumers powerful rights—such as the rights to know, delete and correct personal information, to opt out of sales or sharing, and to limit use of sensitive data. Businesses covered by the law must provide clear privacy notices, respond to consumer requests, and cannot discriminate against people who exercise these rights. Non‑profit organizations and government agencies are generally exemptcppa.ca.gov.

Key obligations and consumer rights

  • Thresholds for coverage – For‑profit entities must meet one of the following: annual revenue ≥ US $26.625 M; buy/sell/share data of ≥ 100 ,000 Californians; or ≥ 50 % of revenue from selling/sharing personal data. The threshold is indexed for inflation and increased from the earlier US $25 M in 2025.

  • Core consumer rights – Californians can request to know what personal data is collected, get it deleted, opt out of the sale or sharing of their data (including via a browser‑based global privacy control), correct inaccurate information, and limit use of sensitive personal information. Businesses must comply with requests and cannot require consumers to waive these rights.

  • Additional duties – The law requires covered businesses to provide conspicuous “Do Not Sell or Share” links, honor opt‑out signals, disclose data‑collection practices in privacy policies, and train staff to handle privacy requests. Service providers and contractors must adhere to written agreements restricting secondary data use. Enforcement is carried out by the California Privacy Protection Agency and state Attorney General.

Internal‑link plan

  • “Understanding consumer data rights” – link to an article that explains each CCPA/CPRA right with examples.

  • “How to handle data deletion requests” – internal guide for businesses on responding to consumer deletion requests and verifying identity.

  • “Assessing whether your business is covered by CCPA/CPRA” – decision tree to determine if a business meets the thresholds.

  • “Updates on other U.S. state privacy laws” – compare CCPA/CPRA with Virginia, Colorado and Texas privacy laws.

Do U.S. companies still need to file beneficial ownership reports under FinCEN’s Corporate Transparency Act?

No—FinCEN’s interim final rule issued 26 March 2025 dramatically narrowed the Corporate Transparency Act (CTA) reporting requirement. FinCEN updated its rules so that “reporting company” now refers only to entities formed under foreign law that register to do business in a U.S. state or tribal jurisdiction. All entities created in the U.S. (formerly called domestic reporting companies) and their beneficial owners, along with U.S. persons who are beneficial owners of any reporting company, are exempt from filing beneficial ownership information (BOI) reports. Existing foreign reporting companies must file BOI reports by 25 April 2025 if they were registered before 26 March 2025; those registering on or after that date have 30 calendar days to file after receiving effective registration notice. FinCEN notes that previous guidance requiring domestic companies to file should be disregarded.

What the interim final rule means

  • Scope of reporting company – Only companies formed under foreign law and registered to do business in a U.S. jurisdiction are considered reporting companies. This means corporations and LLCs created in the United States are exempt.

  • Exemption for U.S. persons – Domestic beneficial owners no longer need to provide BOI; the rule clarifies that BOI of U.S. persons is not required.

  • Deadlines for foreign entities – Foreign reporting companies registered before 26 March 2025 must file by 25 April 2025; those registered on or after 26 March 2025 have 30 days from effective registration to submit their initial report. FinCEN’s guidance emphasises that older deadlines and instructions to report earlier should be disregarded.

  • Future guidance expected – FinCEN plans to issue additional guidance and rulemaking; companies should monitor updates.

Internal‑link plan

  • “Guide to Corporate Transparency Act compliance” – overview of the CTA, including exemptions and the original requirements.

  • “How to determine beneficial ownership” – explainer on identifying beneficial owners, even if reporting is not required.

  • “Foreign entity registration in U.S. states” – guidance for foreign companies on registering and subsequent reporting obligations.

  • “Monitoring FinCEN updates” – a living page tracking future FinCEN guidance and deadlines.

Shayne Adler
Previous

The EU AI Act sets strict 2025–26 rules for AI providers
Next

The Jurassic Park Principle: In the Age of AI, the Poets Inherit the Earth