CPRA Calculator: Determine Your California Privacy Rights Act Applicability

What is the CPRA?

The California Privacy Rights Act (CPRA), effective January 1, 2023, is a comprehensive data privacy law that significantly amends and expands the California Consumer Privacy Act (CCPA). It grants California consumers extensive rights over their personal information and imposes strict obligations on businesses that collect, process, and share this data. The CPRA is often considered one of the strongest privacy laws in the United States, drawing comparisons to global standards like GDPR.

Who Should Use a CPRA Calculator?

A CPRA calculator is an essential tool for any business that:

• Collects, processes, or sells personal information of California residents.
• Operates nationally or internationally and interacts with California consumers.
• Wants to proactively understand its privacy obligations.
• Is unsure about its status under the CPRA and needs a preliminary assessment.

This includes e-commerce sites, tech companies, service providers, and any entity handling consumer data that could potentially meet the CPRA's applicability thresholds. Understanding if the CPRA applies to you is the foundational step in developing a robust compliance program.

Common Misunderstandings About CPRA Applicability

Many businesses mistakenly believe CPRA only applies to "big tech" or companies with massive revenue. However, the law has multiple applicability criteria, and even businesses with moderate revenue but significant data processing activities can be subject to its rules. Another common misconception is that if you don't "sell" data, you're exempt. The CPRA's definition of "selling" and "sharing" is broad and includes many common data practices, including targeted advertising, which may trigger applicability.

CPRA Applicability Criteria and Explanation

Unlike a traditional mathematical formula, CPRA applicability is determined by meeting any one of a set of specific criteria. If a business satisfies even one of these thresholds, the CPRA generally applies to its processing of California consumer personal information.

A business is subject to the CPRA if it meets *any one* of the following conditions:

1. Has annual gross revenues in excess of **$25,000,000 (USD)** in the preceding calendar year.
2. Annually buys, sells, or shares the personal information of **100,000 or more** California consumers or households.
3. Derives **50% or more** of its annual gross revenues from selling or sharing consumers' personal information.
4. Is an entity that controls or is controlled by a business that meets any of the above thresholds, and shares common branding with that business.

It's important to note that the CPRA also applies to service providers and contractors of businesses that are subject to the CPRA, even if those service providers/contractors don't meet the thresholds directly, provided they handle personal information on behalf of the CPRA-covered business.

Key Variables and Their Impact

The table below outlines the critical variables used in determining CPRA applicability:

Practical Examples of CPRA Applicability

Example 1: Large E-commerce Business

Scenario: An online retailer based outside California but selling nationwide has an annual gross revenue of **$30,000,000 USD**. They process personal information for over 500,000 California consumers annually, primarily for order fulfillment and marketing. Less than 10% of their revenue comes from sharing data for targeted advertising.

• Inputs:
  • Annual Gross Revenue: $30,000,000
  • California Consumer/Household Count: 500,000
  • Revenue from Data Activities: 8%
  • Controlled by Applicable Business: No
• Results:
  • Revenue Threshold ($25M) Met: Yes
  • Consumer Threshold (100,000) Met: Yes
  • Data Revenue Threshold (50%) Met: No
  • Controlled Business Criterion Met: No
  • CPRA Applies: Yes

Explanation: Even though their data-sharing revenue is low, this business meets both the revenue threshold and the consumer count threshold, making them subject to the CPRA.

Example 2: Mid-sized Data Analytics Firm

Scenario: A data analytics firm specializes in providing insights to other businesses, often involving aggregated and de-identified data. Their annual gross revenue is **$15,000,000 USD**. However, they buy and share personal information for 80,000 California consumers, and 60% of their revenue is directly derived from these data sharing activities.

• Inputs:
  • Annual Gross Revenue: $15,000,000
  • California Consumer/Household Count: 80,000
  • Revenue from Data Activities: 60%
  • Controlled by Applicable Business: No
• Results:
  • Revenue Threshold ($25M) Met: No
  • Consumer Threshold (100,000) Met: No
  • Data Revenue Threshold (50%) Met: Yes
  • Controlled Business Criterion Met: No
  • CPRA Applies: Yes

Explanation: This business does not meet the revenue or consumer count thresholds. However, because over 50% of its revenue comes from selling or sharing personal information, the CPRA still applies. This highlights the importance of checking all criteria with the CPRA calculator.

How to Use This CPRA Calculator

Using our CPRA calculator is straightforward and designed to give you a quick, preliminary assessment of your business's applicability. Follow these steps for accurate results:

1. Input Your Annual Gross Revenue: Enter your business's total gross revenue from the preceding calendar year in US Dollars. Be as precise as possible.
2. Enter California Consumer/Household Count: Provide the number of unique California consumers or households whose personal information your business annually buys, sells, or shares. This can include customers, website visitors, or app users.
3. Specify Revenue from Data Activities: Indicate the percentage of your total annual gross revenue that is derived specifically from selling or sharing consumers' personal information. Enter a value between 0 and 100.
4. Check Controlled Business Status: Tick the checkbox if your business is part of a larger corporate group where a parent company or subsidiary meets any of the CPRA thresholds and shares common branding with your entity.
5. Click "Calculate CPRA Applicability": The calculator will instantly process your inputs and display whether the CPRA likely applies to your business.
6. Interpret Results: The "Primary Result" will clearly state "Yes" or "No". Below that, you'll see which specific thresholds (Revenue, Consumer, Data Revenue, Controlled Business) your business meets. This breakdown helps you understand *why* the CPRA may or may not apply.
7. Use the "Reset" Button: If you want to run new scenarios or correct inputs, click "Reset" to clear all fields and start over.
8. Copy Results: The "Copy Results" button will save a summary of your inputs and the calculator's output to your clipboard for easy record-keeping or sharing.

Important Note on Units: All monetary values are assumed to be in United States Dollars (USD). The consumer count is a unitless number, and revenue from data activities is expressed as a standard percentage (0-100%). No unit conversions are necessary within this calculator, as these are the standard units defined by the CPRA.

Key Factors That Affect CPRA Applicability

Beyond the direct thresholds, several operational and strategic factors can influence whether the CPRA applies to your business, or how you should interpret the applicability criteria:

• Definition of "Consumer": The CPRA defines a "consumer" as a natural person who is a California resident. This includes employees, job applicants, and business-to-business (B2B) contacts, in addition to traditional customers. This broad definition can significantly increase your "consumer count."
• Scope of "Selling" and "Sharing": The CPRA broadens the definition of "selling" data to include "sharing" data for cross-context behavioral advertising. This means many common marketing activities, even without direct monetary exchange for data, can trigger the "revenue from data activities" or "consumer count" thresholds.
• Corporate Structure and Common Branding: The "controlled by a business" criterion means that even smaller subsidiaries can be subject to CPRA if their parent company or an affiliate meets the thresholds and they share a common brand. This is a critical factor for corporate groups.
• Data Volume vs. Data Value: While the CPRA includes a revenue threshold, it also heavily weighs the *volume* of consumer data handled (100,000 consumers/households) and the *value* derived from that data (50% of revenue). Businesses with lower overall revenue but high data activity can still be covered.
• Nature of Data Processing: The types of personal information collected (e.g., sensitive personal information) and how it's processed (e.g., profiling, automated decision-making) are central to CPRA compliance, even if they don't directly determine applicability. However, these activities are often tied to the "selling/sharing" definitions.
• Service Provider and Contractor Relationships: Even if your business doesn't meet the direct thresholds, you might still be obligated to comply with CPRA requirements if you act as a service provider or contractor to a CPRA-covered business. This is determined by contractual agreements, not direct applicability.
• Evolution of Privacy Law: The CPRA, like other privacy laws, may be subject to future amendments or new interpretations by the California Privacy Protection Agency (CPPA). Staying informed about these developments is crucial.

Frequently Asked Questions (FAQ) About the CPRA Calculator and Applicability