CCPA and CPRA for Consumer App Founders: What Applying to California Users Requires
Most founders assume CCPA only applies to enterprise companies. It doesn't — a consumer app with 100,000 California users is covered regardless of revenue. Here's what the thresholds, six consumer rights, and 2025 CPPA enforcement actions mean for your product.
The Assumption That Gets Founders Sued
Most consumer app founders hear "CCPA" and picture enterprise legal teams, Fortune 500 compliance budgets, and California-headquartered corporations. That picture is wrong — and the gap between the assumption and the statute is where enforcement exposure lives.
California's Consumer Privacy Act, as amended by the CPRA, does not key coverage to company size or geography. It keys coverage to one of three alternative thresholds defined in Cal. Civ. Code §1798.140: annual gross revenue above $26.625 million (2025 CPI-adjusted), buying or selling the personal information of 100,000 or more consumers or households per year, or deriving 50% or more of annual revenue from selling or sharing personal information. Hit any one of the three, and the law applies — regardless of where you're incorporated or how much you've raised.
A game, wellness app, or edtech platform with 100,000 California monthly active users clears the data-volume threshold on its own. No revenue requirement. No California office. Founders who built their compliance assumptions around the revenue prong alone have discovered this the hard way. The CCPA compliance obligations that follow — privacy notices, opt-out rights, data deletion workflows — attach the moment that threshold is crossed.
Three Doors Into CCPA/CPRA Coverage (Any One Is Enough)
The statute lays out three independent coverage triggers in Cal. Civ. Code §1798.140(d)(1). A business that meets any one of them must comply — there is no minimum size requirement, no California headquarters requirement, and no requirement to meet more than one prong.
- Revenue threshold. Annual gross revenue exceeding $26,625,000 (the 2025 CPI-adjusted figure, up from the original $25 million). That number applies to total company revenue worldwide — not just California sales. A DTC app with $28 million in nationwide subscriptions clears this threshold even if California generates only a fraction of that revenue.
- Data-volume threshold. Buying, selling, receiving, or sharing the personal information of 100,000 or more consumers or households in any rolling 12-month period. The CPRA raised this from CCPA's original 50,000 figure and removed "devices" from the count — so each unique individual or household counts once, regardless of how many devices they use.
- Revenue-from-data threshold. Deriving 50% or more of annual revenue from selling or sharing personal information. "Sharing" under §1798.140(ah) explicitly includes sharing for cross-context behavioral advertising — meaning a free app that monetizes through ad networks may hit this threshold without ever exchanging consumer data for cash.
The rolling 12-month window in the second prong deserves attention. Coverage is not a once-a-year snapshot taken on January 1. A wellness app that accumulates 100,000 California users within any trailing 12-month window is covered from that point — not at the start of the next calendar year. Founders who assume they have until year-end to build compliance infrastructure are operating on a misreading of the statute.
The data-volume threshold also catches founders who have zero advertising revenue and assume revenue-based prongs are the only ones that matter. A mobile game studio with 150,000 California installs generates personal information — device identifiers, gameplay events, in-app purchase behavior — through ordinary analytics and event tracking. That data collection counts toward the 100,000-consumer threshold. The studio is covered even if it has never run a single ad or sold a user record.
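The rolling-window count the two paragraphs above describe can be run directly against event data. The block below is an added example written for this article, not code from the article or the CPPA; it assumes your analytics store can yield one row per PI-generating event with a stable per-person identifier (not a device id) and a region code. The events are constructed, and the threshold is lowered to 5 so the run is readable.

```python
"""Rolling 12-month count of distinct California consumers.

Added example, not code from the article. It assumes your analytics
warehouse can yield one row per PI-generating event with a stable per-person
identifier (not a device id) and a region code; the sample events are
constructed and the threshold is lowered to 5 so the run is readable.
"""
from collections import Counter
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Iterable, Optional

CCPA_CONSUMER_THRESHOLD = 100_000
TRAILING_WINDOW = timedelta(days=365)
CALIFORNIA = "US-CA"


@dataclass(frozen=True)
class PIEvent:
    consumer_id: str   # person or household key; two devices of one person share it
    region: str
    day: date


def in_window(day: date, as_of: date, window: timedelta) -> bool:
    """Trailing window is (as_of - window, as_of]: the oldest day has just fallen out."""
    return as_of - window < day <= as_of


def distinct_california_consumers(events: Iterable[PIEvent], as_of: date,
                                  window: timedelta = TRAILING_WINDOW) -> int:
    """Distinct CA consumers who generated PI in the trailing window ending on as_of."""
    return len({e.consumer_id for e in events
                if e.region == CALIFORNIA and in_window(e.day, as_of, window)})


def first_crossing_day(events: Iterable[PIEvent],
                       threshold: int = CCPA_CONSUMER_THRESHOLD,
                       window: timedelta = TRAILING_WINDOW) -> Optional[date]:
    """Earliest day on which the trailing-window distinct count reached the threshold.

    Sliding window over date-sorted CA events. The count can only rise on an
    event day, so checking at each event is sufficient. Returns None if never.
    """
    ca = sorted((e for e in events if e.region == CALIFORNIA), key=lambda e: e.day)
    live = Counter()   # consumer_id -> number of their events still inside the window
    left = 0
    for e in ca:
        live[e.consumer_id] += 1
        # Evict events that have aged out of the window ending on e.day.
        while ca[left].day <= e.day - window:
            old = ca[left].consumer_id
            live[old] -= 1
            if live[old] == 0:
                del live[old]
            left += 1
        if len(live) >= threshold:
            return e.day
    return None


# Constructed events: c1 appears on two devices (counted once), c3 installed and
# never returned (still counted), c5 is outside California.
SAMPLE_EVENTS = [
    PIEvent("c1", CALIFORNIA, date(2024, 1, 10)),
    PIEvent("c1", CALIFORNIA, date(2024, 1, 11)),
    PIEvent("c5", "US-NY", date(2024, 2, 1)),
    PIEvent("c2", CALIFORNIA, date(2024, 3, 1)),
    PIEvent("c3", CALIFORNIA, date(2024, 6, 15)),
    PIEvent("c4", CALIFORNIA, date(2024, 9, 1)),
    PIEvent("c6", CALIFORNIA, date(2025, 1, 20)),
    PIEvent("c7", CALIFORNIA, date(2025, 2, 10)),
]
SAMPLE_AS_OF = date(2024, 12, 31)
DEMO_THRESHOLD = 5

if __name__ == "__main__":
    print(distinct_california_consumers(SAMPLE_EVENTS, SAMPLE_AS_OF))    # 4
    print(first_crossing_day(SAMPLE_EVENTS, threshold=DEMO_THRESHOLD))  # 2025-02-10
```

Two details carry the statutory point: the key is a person or household identifier, so c1's second device does not inflate the count, and the window slides with each event, so the crossing date is the day the trailing count first reaches the threshold rather than the next January 1. With the real threshold, run the same function over your full event history to find the day coverage actually began.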
One other boundary worth understanding: partial B2B exemptions under §1798.145(n) do not exempt a business from CCPA entirely. If your primary customers are other businesses, your website visitors, newsletter subscribers, and end-users of any consumer-facing product remain "consumers" under the statute. B2B founders who assumed they were categorically outside CCPA's reach have learned this lesson during enforcement.
The Six Consumer Rights and What Each Requires You to Build
Knowing you're covered by CCPA/CPRA is step one. Step two is translating each right into something your engineering team can actually implement. Every right has a response window, an exception set, and a product surface — and most founders discover the product surface too late.
Right to Know
Under Cal. Civ. Code §1798.110, consumers can ask you to disclose what personal information (PI) you've collected, where it came from, why you collected it, and which third parties you've shared it with. You have 45 days to respond, with a one-time 45-day extension if you notify the consumer. Build a verified request intake — a form or in-app flow — that triggers an internal data lookup across every system that touches user data: analytics, ad platforms, CDPs, support tools. A privacy policy disclosure alone does not satisfy this right; you must respond to individual requests.
Right to Delete
Cal. Civ. Code §1798.105 lets consumers ask you to delete their PI. When you receive a verified deletion request, you must also direct your service providers and contractors to delete the same data — the obligation flows downstream. Nine statutory exceptions apply, including security purposes, completing a transaction, legal obligations, and certain research uses. Build a deletion workflow that doesn't stop at your own database: it needs to send deletion instructions to every vendor that received that user's data.
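Both the Right to Know lookup and the Right to Delete fan-out described above depend on the same thing: an inventory of where one verified consumer's data lives and which vendors received it. The block below is an added example, not the article's code; the inventory schema, system and vendor names, and the sample records are constructed, while the 45-day response window and its one-time 45-day extension are the figures the article gives.

```python
"""Inventory-driven handling of Right to Know and Right to Delete requests.

Added example, not the article's code. The inventory schema, system and
vendor names, and the sample records are constructed; the 45-day response
window and its one-time 45-day extension are the figures the article gives.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, Iterable, List, Optional, Set, Tuple

RESPONSE_WINDOW = timedelta(days=45)


@dataclass(frozen=True)
class InventoryRecord:
    """One place a verified consumer's PI lives, as found by the data inventory."""
    system: str                  # our own store, or the vendor holding the data
    category: str                # PI category as named in the privacy notice
    source: str                  # where the data came from
    purpose: str                 # business purpose disclosed at collection
    is_third_party: bool         # vendor/contractor that must get a deletion instruction
    retain_reason: Optional[str] = None   # statutory exception relied on, if any


def response_deadlines(received: date) -> Tuple[date, date]:
    """Base 45-day deadline, and the deadline if the one-time extension is invoked."""
    first = received + RESPONSE_WINDOW
    return first, first + RESPONSE_WINDOW


def build_access_report(records: Iterable[InventoryRecord]) -> Dict[str, Dict[str, Set[str]]]:
    """Right to Know: per category, what we collected, from where, why, and who received it."""
    report: Dict[str, Dict[str, Set[str]]] = {}
    for r in records:
        entry = report.setdefault(
            r.category, {"sources": set(), "purposes": set(), "shared_with": set()})
        entry["sources"].add(r.source)
        entry["purposes"].add(r.purpose)
        if r.is_third_party:
            entry["shared_with"].add(r.system)
    return report


@dataclass
class DeletionPlan:
    internal: List[Tuple[str, str]]           # (system, category) to erase ourselves
    downstream: List[Tuple[str, str]]         # (vendor, category) instructions to send
    retained: List[Tuple[str, str, str]]      # (system, category, reason) kept under an exception
    respond_by: date
    extended_respond_by: date


def plan_deletion(records: Iterable[InventoryRecord], received: date) -> DeletionPlan:
    """Right to Delete: the workflow must not stop at our own database.

    Every third-party record becomes an outbound deletion instruction; records
    held under a documented exception are listed so the response can say so.
    """
    respond_by, extended = response_deadlines(received)
    plan = DeletionPlan([], [], [], respond_by, extended)
    for r in records:
        if r.retain_reason:
            plan.retained.append((r.system, r.category, r.retain_reason))
        elif r.is_third_party:
            plan.downstream.append((r.system, r.category))
        else:
            plan.internal.append((r.system, r.category))
    return plan


# Constructed lookup result for one verified consumer of a fictional fitness app.
SAMPLE_RECORDS = [
    InventoryRecord("app_db", "account_identifiers", "signup form", "provide the service", False),
    InventoryRecord("app_db", "health_metrics", "user entry", "personalisation", False),
    InventoryRecord("analytics_vendor", "device_identifiers", "SDK", "product analytics", True),
    InventoryRecord("ads_sdk", "precise_geolocation", "OS location permission", "advertising", True),
    InventoryRecord("billing_db", "purchase_history", "checkout", "complete the transaction", False,
                    retain_reason="completing a transaction"),
]
SAMPLE_RECEIVED = date(2025, 3, 1)   # constructed date the verified request arrived

if __name__ == "__main__":
    print(build_access_report(SAMPLE_RECORDS))
    print(plan_deletion(SAMPLE_RECORDS, SAMPLE_RECEIVED))
```

The design choice worth copying is that `retain_reason` is a field on the inventory record rather than logic inside the deletion routine: whichever exception you rely on is recorded where the data is catalogued, so the deletion response and the Right to Know report read from the same source of truth.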
Right to Correct
Added by CPRA effective January 1, 2023, Cal. Civ. Code §1798.106 gives consumers the right to request correction of inaccurate PI you hold about them. You must use commercially reasonable efforts to correct it within 45 days. For consumer apps where profile data drives personalization — fitness stats, dietary preferences, age-gated content settings — a correction request isn't hypothetical. Add an editable profile section and a formal correction request channel alongside your delete flow.
Right to Opt Out of Sale or Sharing
Cal. Civ. Code §1798.120 requires you to honor opt-out requests, including signals sent automatically by browsers and operating systems through the Global Privacy Control (GPC) standard. The California Privacy Protection Agency has already fined companies for ignoring GPC: Todd Snyder paid $345,000 and Tractor Supply paid $1.35 million, with GPC non-compliance as the primary violation in both cases. If your app runs in a web view or mobile browser context, your consent management platform must detect and honor GPC signals without requiring the consumer to take any additional step.
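Honouring GPC "without requiring the consumer to take any additional step" means the decision has to be made on the server from the request itself. The block below is an added example, not code from the article or any consent management platform; it assumes the GPC specification's request header `Sec-GPC`, whose only defined opt-out value is "1". The vendor names and sample requests are constructed.

```python
"""Server-side detection of the Global Privacy Control (GPC) opt-out signal.

Added example, not code from the article. It assumes the GPC specification's
request header `Sec-GPC`, whose only defined opt-out value is "1"; vendor
names and the sample requests below are constructed.
"""
from dataclasses import dataclass
from typing import Iterable, List, Mapping, Optional

GPC_HEADER = "sec-gpc"


def gpc_asserted(headers: Mapping[str, str]) -> bool:
    """True only when the request carries Sec-GPC: 1.

    HTTP header names are case-insensitive, so compare lower-cased names.
    Any other value ("0", "true", empty) is not an opt-out signal; the spec
    reserves the single token "1" for that.
    """
    for name, value in headers.items():
        if name.lower() == GPC_HEADER:
            return value.strip() == "1"
    return False


@dataclass(frozen=True)
class OptOutDecision:
    sell_or_share_allowed: bool
    source: str  # "gpc", "account_setting" or "default"


def resolve_opt_out(headers: Mapping[str, str],
                    account_opted_out: Optional[bool]) -> OptOutDecision:
    """Combine the live GPC signal with any stored account-level opt-out.

    GPC is honoured as an opt-out request in its own right, with no extra
    step from the user. It can only tighten the outcome: a request without
    the header never re-enables selling/sharing for a user who opted out.
    """
    if gpc_asserted(headers):
        return OptOutDecision(sell_or_share_allowed=False, source="gpc")
    if account_opted_out:
        return OptOutDecision(sell_or_share_allowed=False, source="account_setting")
    return OptOutDecision(sell_or_share_allowed=True, source="default")


@dataclass(frozen=True)
class DataFlow:
    vendor: str
    is_sale_or_share: bool  # cross-context behavioural advertising counts as "sharing"


# Constructed inventory of downstream flows for one request; names are made up.
SAMPLE_FLOWS = [
    DataFlow("crash_reporting_vendor", is_sale_or_share=False),   # service provider
    DataFlow("ad_network_a", is_sale_or_share=True),
    DataFlow("cross_site_attribution_b", is_sale_or_share=True),
]


def permitted_flows(decision: OptOutDecision, flows: Iterable[DataFlow]) -> List[str]:
    """Vendors this request may still be forwarded to under the decision.

    Service-provider flows that are not a sale or share continue; sale/share
    flows are suppressed server-side, independent of any client-side cookie.
    """
    return [f.vendor for f in flows
            if not f.is_sale_or_share or decision.sell_or_share_allowed]


# Constructed sample requests (header casing varies between clients).
REQUEST_WITH_GPC = {"User-Agent": "ExampleBrowser/1.0", "Sec-GPC": "1"}
REQUEST_LOWERCASE_GPC = {"user-agent": "ExampleBrowser/1.0", "sec-gpc": "1"}
REQUEST_WITHOUT_GPC = {"User-Agent": "ExampleBrowser/1.0"}
REQUEST_BOGUS_GPC = {"User-Agent": "ExampleBrowser/1.0", "Sec-GPC": "0"}

if __name__ == "__main__":
    for label, headers in [("gpc", REQUEST_WITH_GPC), ("none", REQUEST_WITHOUT_GPC)]:
        decision = resolve_opt_out(headers, account_opted_out=None)
        print(label, decision, permitted_flows(decision, SAMPLE_FLOWS))
```

Because the check reads the header on every request, it works whether or not your consent banner rendered, which is exactly the failure mode in the two enforcement actions above. A useful regression test is to send the four sample requests through your real edge or app server and confirm that only the GPC-bearing ones suppress the sale/share flows.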
Right to Limit Use of Sensitive Personal Information
This is the CPRA right that catches the most consumer app founders off guard. Cal. Civ. Code §1798.121 lets consumers direct you to use or disclose sensitive PI only for the primary purpose for which you collected it. Sensitive PI includes precise geolocation, health and biometric data, financial account details, racial or ethnic origin, religious beliefs, sexual orientation, and the contents of messages. If your app touches any of those categories — a wellness app logging menstrual cycles, a game using device location, a financial tracker storing account numbers — you need a dedicated "Limit the Use of My Sensitive Personal Information" link in your app's settings and privacy UI. A general opt-out toggle does not cover this right. It requires a separate, labeled control.
Right to Non-Discrimination
Cal. Civ. Code §1798.125 prohibits you from penalizing consumers who exercise any of these rights — no service denials, no price increases, no degraded experience. Loyalty and rewards programs are permitted, but only with proper advance notice about the financial incentive's value and the PI being exchanged for it. Review any tiered feature structure or premium access model to confirm that exercising a privacy right doesn't incidentally downgrade the user's experience.
Automated Decision-Making Opt-Out
Cal. Code Regs. §7221, finalized in September 2025 (effective January 1, 2027), gives consumers the right to opt out of profiling used in decisions with legal or similarly significant effects — credit decisions, insurance pricing, employment, and housing. For consumer apps, this catches recommendation engines and scoring models that influence what users see, qualify for, or get matched with. If your app surfaces ranked recommendations, risk scores, or eligibility determinations, map whether those outputs could constitute a "significant effect" and build an opt-out path before regulators make the determination for you.
What Your Privacy Notice Must Contain Under CPRA
A privacy policy page is not optional decoration — California Civil Code §1798.130 specifies exactly what it must say. Your privacy notice must disclose:
- The categories of personal information you collect
- The purposes for which each category is collected or used
- Whether you sell or share PI and which categories of third parties receive it
- How long you retain each category of PI, or the criteria you use to determine retention periods
- The consumer rights available and clear instructions for how to exercise each one
If your app collects sensitive personal information — precise geolocation, health data, financial data — the notice must address those categories specifically. Vague catch-all language does not satisfy the statute.
Notice at Collection Is a Separate Requirement
CPRA added a requirement that trips up most founders: a notice at collection. At the moment your app collects personal information — a signup form, a permissions prompt, a checkout screen — you must tell the user what categories of PI you are collecting and why. A link to your full privacy policy at that moment is not enough. Under the CPRA regulations at Cal. Code Regs. tit. 11, §7012, the collection-point disclosure must be clear and prominent, not buried in a footer.
How to Handle Rights Requests
Your notice must include a method for submitting every major rights request — opt-out of sale or sharing, Right to Limit sensitive personal information use, Right to Delete, Right to Correct, and Right to Know. The California Privacy Protection Agency launched the Delete Request and Opt-Out Platform (DLOOP) in 2025, which businesses may now use as a compliant channel for receiving and processing deletion and opt-out requests.
The Tractor Supply Warning
The CPPA's September 2025 action against Tractor Supply — resulting in a $1.35 million fine — included a finding that the company failed to maintain a functioning consumer privacy notice. But there was a second failure that caught many founders off guard: since January 2023, CPRA requires a separate privacy notice for job applicants, employees, and independent contractors in California. If your consumer app has any California-based contractors or staff, you need that notice too. Updating your general policy once a year, as the statute requires, is the floor — not the ceiling.
What the CPPA Has Penalized: A Founder’s Study Guide
The CPPA spent 2024 and 2025 building a case record. Three enforcement actions against consumer-facing companies now tell you, with specificity, what the agency targets first. Read them as a compliance checklist, not as news.
Todd Snyder — $345,178 (May 2025)
Todd Snyder's cookie banner disappeared when users clicked it — for 40 consecutive days. That failure alone prevented California consumers from submitting opt-out requests. The CPPA added two more violations: the company required government-issued photo ID or a passport to process opt-out requests, which is flatly prohibited (opt-outs cannot require identity verification), and the site ignored Global Privacy Control signals. Three distinct violations, one enforcement action, $345,178.
American Honda — $632,500 (March 2025)
Honda's connected vehicles collected precise geolocation and driving behavior data and shared it with third parties. The CPPA settlement targeted the absence of adequate notice and the absence of a functional opt-out mechanism — not a data breach, not a hack. The company was penalized for doing exactly what its business model required, without the disclosure and control infrastructure CPRA demands. If your app collects location or movement data, this settlement describes your risk profile.
Tractor Supply Company — $1,350,000 (September 2025)
The largest CPPA fine in the agency's history. Four violations: no functioning privacy notice; no privacy notice for job applicants (the prior section of this article covers the applicant-notice requirement); no GPC support and no effective opt-out mechanism; and sharing consumer personal information with third parties without data processing agreements. The remedy went beyond the fine — Tractor Supply must submit annual certification from a corporate officer for four years confirming continued compliance.
The Pattern
Three cases, three amounts, one consistent enforcement theory. The CPPA has concentrated its early docket on opt-out infrastructure failures (broken banners, missing GPC support, ID requirements that create friction), inadequate disclosure to all categories of people whose data a company touches — including applicants — and the absence of written data processing agreements with service providers and contractors. None of these companies were penalized for exotic data practices. They were penalized for missing the basics. For a consumer app founder, the diagnostic question is straightforward: if a California user sent an opt-out signal right now, what would actually happen?
Your 30-Day CCPA/CPRA Readiness Checklist
The violations covered in this article — Todd Snyder, Honda, Tractor Supply — share a common thread: each company knew California consumers were using its product and still shipped incomplete compliance. The checklist below addresses the exact gaps CPPA enforcement has targeted.
- Run a data inventory. Map every category of personal information your app collects, document the business purpose for collecting it, and list every third party that receives it. This inventory is the foundation for your privacy notice and your deletion and correction workflows. Without it, you cannot accurately disclose what you collect or honor requests to delete it.
- Run your threshold check. Count unique California consumers or households over any trailing 12-month window. Include installs, registrations, and analytics events — not just active users or paying accounts. A user who downloaded your app and never opened it again may still count toward the 100,000-consumer threshold under §1798.140(d)(1)(B).
- Configure and test your opt-out mechanics. Your consent banner must actually work. Your in-app opt-out flow must route to a real signal. And your server must detect Global Privacy Control (GPC) signals — client-side cookie logic alone is insufficient. Test GPC detection independently of your CMP. Both Todd Snyder and Tractor Supply were cited for opt-out flows that were present on paper but failed in practice.
- Draft or update your privacy notice and notice at collection. Under CPRA, the policy must now include retention periods for each PI category, a separate callout for sensitive personal information, and DLOOP instructions. The notice at collection must appear at each point where you collect PI — not just in the footer link to your full policy.
- Audit your vendor contracts. Every service provider and contractor that receives personal information must be covered by a data processing agreement with CCPA-compliant terms. Sharing PI without a contract was a cited violation in both the Honda and Tractor Supply enforcement actions. Review your analytics providers, attribution platforms, CRM tools, and infrastructure vendors.
- Add a job applicant privacy notice if you hire in California. CPRA extended CCPA coverage to employees and applicants as of January 1, 2023. The applicant notice is separate from your consumer privacy policy. A combined document covering both groups does not satisfy the requirement.
CPPA enforcement is not waiting for companies to reach enterprise scale. A $345,000 penalty landed on a mid-size fashion retailer. A $1.35 million penalty hit a regional chain. If your app has California users and you cross any of the three thresholds, these six steps are not optional — they are the baseline the agency expects.
Not sure whether you cross a CCPA threshold, or need a lawyer to review your privacy notice and vendor contracts before the CPPA comes looking? Promise Legal works with consumer app founders on exactly this.