Many businesses assume their California privacy exposure is fully addressed through compliance with the California Consumer Privacy Act (CCPA). But that assumption can leave important gaps. We are seeing a rise in inquiries and pre-litigation letters invoking California’s “Shine the Light” law. These requests may appear routine but mishandling them can create real statutory and litigation risk.

It might seem tempting to think that complying with state privacy laws is as easy as Googling a template privacy policy, swapping in your company name, and calling it a day. But here’s the thing—many state privacy laws don’t apply to all companies. Whether they do depends on factors like your company’s annual revenue, how much personal data you buy, sell, or share, and how much of your revenue comes from selling or sharing that data. Some states also have exemptions for certain nonprofits and specific types of data, i.e., employment records.