Does my Cardiff business actually need to comply with CCPA — what are the thresholds?

Yes if you do business in California AND meet ANY one of three thresholds: (a) $25M+ annual gross revenue, (b) buy, sell, share, or process personal information of 100,000+ California consumers or households per year, (c) derive 50%+ of annual revenue from selling or sharing California consumers' personal information. CCPA was amended by CPRA in 2023 — same thresholds, expanded rights (correction, limit use of sensitive personal info), new enforcement agency (California Privacy Protection Agency / CPPA) running alongside the CA Attorney General. If you don't hit a threshold you have no CCPA obligation today — but most enterprise B2B buyers in California ask anyway during vendor onboarding, and the threshold can move once. Most Cardiff SMBs are either in-scope already or one growth quarter away. The honest move is to do the baseline build (privacy policy + DSR + 'Do Not Sell or Share' link) regardless — it's $5K of work that future-proofs you.

What's the minimum CCPA build for a Cardiff SMB — DIY without a tool?

The 5-piece baseline for a Cardiff SMB that's in scope: (1) Updated privacy policy disclosing the categories of personal info collected, sources, purposes, third parties shared with, and the consumer rights (know, delete, correct, opt-out of sale/share, limit use of sensitive info, non-discrimination). Termly and IUBENDA have free policy generators that pass for SMB. (2) DSR (Data Subject Request) intake — at minimum a privacy@yourdomain.com address, a web form, and a documented internal SOP for response (45 days, with one 45-day extension allowed). (3) 'Do Not Sell or Share My Personal Information' link in the website footer, AND honoring Global Privacy Control (GPC) browser signals automatically. (4) Cookie consent banner that distinguishes strictly-necessary from analytics/advertising cookies (Osano free, Termly free, CookieYes free tier — all sufficient for SMB). (5) Service-provider agreements (DPAs) with every vendor processing CA personal info — AWS, Google, Stripe, Mixpanel, etc. all have public DPAs you sign or accept. Total: under $5K and 20–40 hours.

OneTrust vs Osano vs DataGrail vs Termly — which CCPA platform fits a Cardiff team?

Osano is the SMB-friendly default — clean UX, $1K–$10K/yr depending on traffic, strong cookie consent + DSR workflow, no consulting overhead. Best for sub-50-employee Cardiff businesses with one or two states to handle. Termly is the cheapest defensible option — free tier covers basic privacy policy + cookie banner, paid tier $1K–$3K/yr. Best for very small businesses just getting the baseline live. DataGrail wins on data discovery + automation — it scans your SaaS stack and maps personal-info flows automatically. $25K–$60K/yr range. Best for Cardiff mid-market with 30+ SaaS tools and real DSR volume. Transcend wins on developer-first DSR fulfillment APIs — code-based privacy. $30K–$80K/yr. Best for product-heavy companies that want to automate DSR responses end-to-end. Ketch wins on consent-management for AdTech-heavy sites. $25K–$70K/yr. OneTrust + TrustArc are the enterprise picks — heaviest, most consulting overhead, $50K–$300K+/yr. Defensible in the boardroom and in front of the CPPA, but overkill for most Cardiff SMBs. Securiti wins on AI/ML data-privacy posture — best if you train models on user data.

What does a Data Subject Request (DSR) workflow look like for a Cardiff business?

A consumer submits a request (Right to Know / Right to Delete / Right to Correct / Right to Opt Out of Sale-or-Share / Right to Limit Use of Sensitive Info / Right to Non-Discrimination). You have to: (1) Verify their identity (without asking for more info than necessary). (2) Acknowledge receipt within 10 business days. (3) Respond within 45 days (one 45-day extension allowed with notice). (4) Provide the data, delete it, correct it, or honor the opt-out as requested — and confirm in writing. (5) Document everything for your internal audit trail. For a small Cardiff business that gets <5 DSRs/month, this is a Notion or Airtable workflow with a privacy@ inbox and a 1-page response SOP. For a business getting 20+ DSRs/month, you need DSR automation — Osano, DataGrail, Transcend, Ketch, OneTrust, TrustArc all do this. The hidden cost is identity verification — too lax and you leak data; too strict and you frustrate consumers and fail the 'reasonable verification' standard. Most failures are paperwork (missed deadline, no acknowledgment), not actual data mishandling.

How do I find honest CCPA routing in Cardiff BEFORE the CPPA letter shows up?

Three moves: (1) Run the threshold test today — figure out if you're in scope (revenue, CA-consumer count, or sale/share revenue %). If yes, you have an active obligation already. If no, do the baseline anyway because thresholds move. (2) Ship the 5-piece baseline (privacy policy + DSR intake + 'Do Not Sell or Share' link + cookie banner + service-provider DPAs) — under $5K, 20–40 hours. Don't wait for a demand letter. (3) Text PJ at 858-461-8054 with 'I need CCPA routing for Cardiff, here's our revenue tier + CA-consumer volume + AdTech footprint + DSR volume' — he'll route to the right tool tier (or no tool), help triage which service-provider DPAs you actually need vs which ones are already in place, and connect you to privacy counsel for the heavier reviews. PJ has built the CCPA baseline for Cardiff SMBs using Osano, Termly, DataGrail, and the DIY Notion + privacy@ inbox stack — and helped scale up to Transcend/OneTrust for larger teams. No fee, no markup, no affiliate. Faster than vendor demos + more honest than the trade-press write-ups.

A LOCAL CCPA NOTE · 2026-05-12 · CARDIFF

CCPA Compliance in Cardiff-by-the-Sea, CA

Q: What does CCPA/CPRA compliance really cost a Cardiff business in 2026?

Three tiers. DIY / SMB self-serve: under $5K all-in (privacy-policy template + DSR email inbox + 'Do Not Sell or Share' link + cookie banner free tier + basic data inventory in Notion or a spreadsheet). 20–40 internal hours. Standard SMB first year: $5K–$25K (counsel review of the policy, $2K–$10K + privacy-tool basic tier like Osano or Termly Pro $1K–$8K/yr + DSR workflow build + service-provider agreements). Mid-market: $25K–$80K/yr (full privacy management platform — OneTrust, TrustArc, DataGrail, Securiti, Transcend, Ketch — covering consent management, DSR automation, cookie scanning, data mapping, multi-state laws). Enterprise: $80K–$300K+/yr (OneTrust or TrustArc enterprise + dedicated privacy counsel + DPO if EU operations). CPPA fines: $2,500 per unintentional violation, $7,500 per intentional violation or violation involving a minor. Sephora paid $1.2M in 2022, DoorDash paid $375K in 2024 — the CPPA is enforcing and not just against billion-dollar companies.

Q: How do I find honest CCPA routing in Cardiff BEFORE the CPPA letter shows up?

Three moves: (1) Run the threshold test today — figure out if you're in scope (revenue, CA-consumer count, or sale/share revenue %). If yes, you have an active obligation already. If no, do the baseline anyway because thresholds move. (2) Ship the 5-piece baseline (privacy policy + DSR intake + 'Do Not Sell or Share' link + cookie banner + service-provider DPAs) — under $5K, 20–40 hours. Don't wait for a demand letter. (3) Text PJ at 858-461-8054 with 'I need CCPA routing for Cardiff, here's our revenue tier + CA-consumer volume + AdTech footprint + DSR volume' — he'll route to the right tool tier (or no tool), help triage which service-provider DPAs you actually need vs which ones are already in place, and connect you to privacy counsel for the heavier reviews. PJ has built the CCPA baseline for Cardiff SMBs using Osano, Termly, DataGrail, and the DIY Notion + privacy@ inbox stack — and helped scale up to Transcend/OneTrust for larger teams. No fee, no markup, no affiliate. Faster than vendor demos + more honest than the trade-press write-ups.

CCPA compliance for Cardiff startups — honest cost ranges, the vendor-vs-DIY decision, what you actually need vs what tooling vendors want to sell you, and how to route fast when a deal is pending the report.

PJ Zonis Single operator · SideGuy Solutions · Solana Beach · Honest CCPA routing for NCSD founders. Onboarded operators onto Drata, Vanta, Sprinto, Secureframe, Thoropass — and built the DIY layer for ones who didn't want the SaaS — about →

📌 TL;DR — CCPA compliance in Cardiff

CCPA/CPRA in Cardiff: SMB self-serve under $5K (privacy policy update + DSR email inbox + basic data inventory). Standard SMB compliance $5K–$25K all-in first year (counsel review + privacy-tool basic tier like Osano/Termly + DSR workflow). Mid-market $25K–$80K/yr (OneTrust / TrustArc / DataGrail / Securiti / Transcend / Ketch — full privacy management platform with consent management, DSR automation, cookie scanner, data mapping). Triggers: $25M+ revenue OR 100K+ CA consumer records OR 50%+ revenue from selling/sharing CA personal data. CPPA fines up to $2,500 per unintentional violation, $7,500 per intentional or minor violation. The cheapest move is the boring one — get the privacy policy + DSR inbox + 'Do Not Sell or Share' link live.

Real CCPA cost range for Cardiff businesses

SMB self-serve: under $5K all-in · Standard SMB first year: $5K–$25K · Mid-market platform: $25K–$80K/yr (OneTrust, TrustArc, DataGrail, Securiti, Transcend, Ketch, Osano Pro) · Counsel review: $2K–$10K · CPPA/AG fines: $2,500–$7,500 per violation

The Cardiff CCPA scene

Cardiff-by-the-Sea is the smallest of the NCSD coastal nodes but it punches above its size on founder density per square mile — small B2B SaaS shops, fractional engineering leaders, surf-adjacent consultancies that quietly serve enterprise clients, and a tight wellness + lifestyle-tech corridor running between San Elijo and Cardiff Town Center. The compliance pattern here is the same one Encinitas sees, just smaller team sizes — usually 3–15 people who are 18–36 months in, suddenly fielding a security questionnaire from a regulated buyer, and trying to figure out how to ship an attestation in 60–90 days without burning the engineering quarter. Most Cardiff founders we route already know the vendors by name; what they need is the honest 'which one fits OUR stack at OUR headcount with OUR deal pressure' call.

Here's the part most Cardiff operators miss: CCPA is the ONE compliance framework that applies to almost every Cardiff business by default — because Cardiff IS California. SOC 2 is enterprise-buyer driven, HIPAA is healthcare-driven, PCI is payment-volume driven — but CCPA/CPRA applies the moment you cross $25M revenue, 100K CA consumer records, or 50% revenue from selling/sharing CA personal data. Most Cardiff SMBs either already qualify or are one growth quarter away from qualifying. The pattern: a business gets a CCPA-related demand letter from an attorney trolling for plaintiff cases, or a CPPA inquiry, or a B2B buyer asks 'show me your CCPA program' as part of vendor onboarding — and now there's a 30–60 day window to make everything real. The good news: the baseline build is cheaper and faster than SOC 2 or HIPAA. Privacy policy update + DSR (Data Subject Request) workflow + 'Do Not Sell or Share' link + cookie consent banner + data inventory + service-provider agreements. Under $5K self-serve, under $25K with counsel + tooling. The bad news: the CPPA is actively enforcing in 2026 — Sephora paid $1.2M in 2022, DoorDash paid $375K in 2024, and the agency is doing sweeps on connected vehicles, AI/ML data training practices, and dark-pattern consent flows.

The CCPA decision framework — DIY vs platform vs counsel

Three decisions stacked. Decision one: are you in scope? CCPA/CPRA triggers if you do business in CA AND meet ANY of: (a) $25M+ annual gross revenue, (b) buy/sell/share personal info of 100K+ CA consumers or households, (c) derive 50%+ revenue from selling/sharing CA personal info. If you don't hit any threshold, you have ZERO CCPA obligation — but the privacy-policy hygiene is still worth doing because most enterprise B2B buyers ask anyway. Decision two: DIY vs platform vs counsel-led. DIY ($0–$5K, 20–40 hours): update privacy policy from a vetted template, set up a DSR intake form + workflow, add the 'Do Not Sell or Share' link, build a basic data inventory, stand up cookie consent (Osano free tier or Termly free tier). Works for sub-100-employee, low-data-volume, no-AdTech-on-site businesses. Platform ($5K–$80K/yr): Osano Pro, Termly Pro, DataGrail, OneTrust, TrustArc, Securiti, Transcend, Ketch — automates consent management, DSR routing, cookie scanning, data mapping. Worth it once you have AdTech vendors firing (Google Ads, Meta Pixel, TikTok Pixel, Pinterest), multi-state privacy laws to handle (Colorado, Virginia, Connecticut, Texas, Oregon, Montana), or DSR volume above ~20/month. Counsel-led ($10K–$50K one-time): privacy counsel reviews your data flows, drafts the policy, sets up the data processing addenda with service providers, builds the response SOPs. Worth it for healthcare-adjacent, fintech, AdTech-heavy, or B2C with sensitive categories (precise geo, biometric, kids data). Decision three: which platform tier. Osano + Termly are the SMB-friendly picks ($300–$8K/yr). OneTrust + TrustArc are enterprise-defensible but heavyweight. DataGrail + Transcend + Ketch + Securiti are the mid-market 'modern alternatives' — better UX, less consulting overhead, $25K–$60K/yr range.

Common questions

→ Does my Cardiff business actually need to comply with CCPA — what are the thresholds?
→ What does CCPA/CPRA compliance really cost a Cardiff business in 2026?
→ What's the minimum CCPA build for a Cardiff SMB — DIY without a tool?
→ OneTrust vs Osano vs DataGrail vs Termly — which CCPA platform fits a Cardiff team?
→ What does a Data Subject Request (DSR) workflow look like for a Cardiff business?
→ How do I find honest CCPA routing in Cardiff BEFORE the CPPA letter shows up?

Where SideGuy fits

SideGuy doesn't sell CCPA software — SideGuy is a single-operator routing layer in Cardiff that connects Cardiff businesses to the right CCPA/CPRA build tier based on revenue, CA-consumer volume, AdTech footprint, and DSR volume. When you text PJ at 858-461-8054 with the situation (your revenue tier + CA consumer count + AdTech vendors + DSR volume + the pressure source), he routes to the right combination — DIY 5-piece baseline if you're sub-threshold or low-volume, Osano or Termly if you want a tool without enterprise overhead, DataGrail or Transcend or Ketch for mid-market AdTech-heavy or DSR-heavy operators, OneTrust or TrustArc for enterprise defensibility and multi-state programs. PJ has built CCPA baselines for Cardiff SMBs and helped scale into the platform tier when DSR or AdTech volume earned it. No fee, no markup, no affiliate. Cardiff is in California — CCPA is the one privacy law you can't ignore.

▸ NEED HELP IMPLEMENTING THIS?

SideGuy operates as your Forward Deployed Engineer for CCPA — same role Palantir charges $400K/year for, delivered SMB-style. We sit beside your team for the duration of the CCPA push: tooling pick, evidence collection, policy library, audit-firm coordination, remediation engineering. You don't manage a vendor — you have an operator inside the work.

→ See the FDE service page

PJ Zonis · SideGuy Solutions · Cardiff
Single operator. Honest CCPA routing for Cardiff founders. CCPA, multi-state privacy, DSR workflows, custom layers — same lane.
Text 858-461-8054 with your stack + headcount + the deal pressure. Fast routing to the vendor, auditor, or DIY layer that actually fits.