[munk-a]

Small companies that are just starting out may use real data in test environments since it's a bit easier than using mocked data... Honestly this really only holds for companies that also avoid unit/integration tests (which will generally require that data to support the tests be explicitly mocked in some manner)

Since this involves computers nothing above is a hard rule, but it goes along with my experience.

[jboy55]

The $25 million revenue limit would be a pretty good guide from 'small'. Typically there are a lot of changes around that mark, one of which should be to stop using Customer data insecurely.

[coldacid]

Except that revenue limit is just one term of an OR clause. If you hit any of those three listed points, CCPA comes down on you. No revenue at all but 50k unique visitors, and it applies.

[munk-a]

Yea but the $25mil portion of the clause is the only one I see an excuse for, if you're saying that -all- businesses generating X revenue or higher need to comply with a regulation then it's good to make sure X is high enough that businesses in unrelated fields will be able to afford the cost of compliance without going bankrupt.

The other two categories specifically target companies that really should comply with this law - I assume the $25mil clause is there to make sure large companies can't loop hole themselves out of this somehow (offload PII responsibility onto a subsidiary or a "third party" that is incorporated in Bermuda by the owner of the company)