CCPA/CPRA for Hudson Valley E-Commerce: When Your California Customers Trigger "Do Not Sell" Obligations

A New York business selling artisan goods online can land squarely under California privacy law. Here is what that means and how to handle it.

By Jim Venuto | January 23, 2026 | Hudson Valley CISO

The Email That Changes Everything

A few months ago, an e-commerce brand based in Ulster County—let’s call them Hudson Harvest Provisions—forwarded me an email from a customer in San Jose. The subject line read: “Do Not Sell My Personal Information.” The owner had never seen a request like it. She figured it was spam, or maybe some kind of phishing attempt. It was neither. It was a consumer exercising a right under the California Consumer Privacy Act, as amended by the California Privacy Rights Act, and it meant her business had obligations she didn’t know existed.

This is more common than most Hudson Valley business owners realize. If you run a Shopify store in New Paltz, a specialty food brand in Rhinebeck, or a craft goods operation in Beacon that ships nationwide, you almost certainly have California customers. And if your business meets certain thresholds, those customers carry rights that California law requires you to honor—regardless of where your LLC is registered.

When Does a New York Business Fall Under California Law?

The CCPA, as expanded by the CPRA (which took full effect on January 1, 2023, with enforcement beginning July 1, 2023), applies to any for-profit entity that does business in California, collects personal information from California residents, and meets at least one of three thresholds:

1. Annual gross revenue above $25 million in the preceding calendar year. The CPPA adjusts this figure for inflation every two years, so the effective number is somewhat higher than $25 million; check the current adjusted figure before deciding you are in or out of scope.
2. Annually buying, selling, or sharing the personal information of 100,000 or more California consumers or households.
3. Deriving 50 percent or more of annual revenue from selling or sharing consumers’ personal information.

Key point for Hudson Valley SMBs: The revenue threshold is the one that catches most regional e-commerce brands off guard. It is total gross revenue, not California-specific revenue, and it is measured on the preceding calendar year. A growing operation in Dutchess County that crossed the adjusted revenue line in 2025 is subject to the CCPA/CPRA in 2026, even if California accounts for a single-digit percentage of its customer base.

Six Consumer Rights You Need to Understand

Once your business falls within scope, California residents can exercise the following rights against you. These are not suggestions. They are legally enforceable obligations, and the California Privacy Protection Agency has the authority—and the budget—to pursue violations.

Right to Know

A consumer can ask you to disclose the categories and specific pieces of personal information you have collected about them, the sources of that information, the business or commercial purpose for collecting it, and the categories of third parties with whom you share it. You must be able to produce this information in a portable, readily usable format.

Right to Delete

Consumers can request that you delete personal information you have collected from them. You must also direct your service providers and contractors to delete it. There are exceptions—you can retain data necessary to complete a transaction, detect security incidents, comply with legal obligations, or conduct certain internal research—but the default is deletion.

Right to Opt-Out of Sale or Sharing

This is the “Do Not Sell My Personal Information” right, and it is the one that landed in Hudson Harvest Provisions’ inbox. Under the CPRA, this right now also covers “sharing” for cross-context behavioral advertising. If you pass customer data to a third-party advertising platform that uses it for its own targeting purposes, that qualifies as sharing and triggers opt-out requirements.

Right to Correct

Added by the CPRA, this allows consumers to request corrections to inaccurate personal information. You must use commercially reasonable efforts to correct the data upon a verified request.

Right to Limit Use of Sensitive Personal Information

If you collect sensitive personal information—Social Security numbers, precise geolocation, racial or ethnic origin, health data, financial account details—consumers can direct you to limit its use to what is strictly necessary to provide the goods or services they requested. For most e-commerce operations, this primarily affects payment processing and account security data.

Right to Non-Discrimination

You cannot charge a higher price, provide a lower quality of service, or deny goods to a consumer who exercises any of these rights. You can offer financial incentives for data collection, but they must be clearly disclosed and reasonably related to the value of the data.

Fulfilling Consumer Requests: The Operational Workflow

Receiving a request is one thing. Handling it correctly is where most Hudson Valley businesses stumble. Here is the workflow you need to build before the next request arrives.

Intake and acknowledgment. You must offer at least two methods for consumers to submit requests, and one of them must be a toll-free telephone number, with one exception: a business that operates exclusively online and has a direct relationship with the consumer need only provide an email address for requests to know, delete, and correct. Many Hudson Valley e-commerce brands qualify for that exception, but a farm stand, a pop-up, or a wholesale channel takes you out of it. The second method is typically a web form reached from your privacy policy. When a request to know, delete, or correct arrives, confirm receipt within ten business days. That confirmation should describe your verification process and set expectations for the response timeline.

Verification. Before disclosing, deleting, or correcting personal information, verify the requestor’s identity, and scale the rigor to what is at stake. For a request to know the categories of information you hold, matching at least two data points you already have on file is generally sufficient. For a request for specific pieces of information, the regulations call for a reasonably high degree of certainty: match at least three data points and obtain a signed declaration under penalty of perjury. For deletion and correction, choose between those two standards based on the sensitivity of the data and the harm an unauthorized request could cause. If the consumer has a password-protected account, you may verify through the existing login, but you cannot require anyone to create an account in order to make a request. Opt-out and limit requests work the other way: they are not “verifiable consumer requests” and must not be held up behind identity checks. Document your verification steps every time.

Response. For requests to know, delete, and correct, you have 45 calendar days from receipt to respond. You can take up to 45 additional days if reasonably necessary, but you must notify the consumer of the extension, and the reason for it, within the initial 45-day window. Responses must be free of charge and easy to understand, and specific pieces of information must be delivered in a portable, readily usable format such as CSV or structured JSON so the consumer can move them elsewhere. Opt-out and limit requests run on a shorter clock: act on them within 15 business days and, for opt-outs, notify any third parties that received the consumer’s information between the request and your compliance, directing them to stop as well.

Documentation and recordkeeping. Maintain a log of every consumer request: the date received, how you verified the requestor (or that verification was not required), what action you took, and when you completed it. Retain those records for at least 24 months. Businesses that buy, receive, sell, or share the personal information of ten million or more consumers in a calendar year must also publish annual metrics on request volume and response times. Below that threshold the log is still your primary evidence of compliance in any enforcement inquiry.
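To make the workflow above concrete, here is an added example written for this article (not code shipped by Shopify, WooCommerce, BigCommerce, or any other product mentioned here). It derives the acknowledgment and response deadlines from a request’s type and receipt date, records the verification standard each type calls for, handles the one permitted extension, and emits a log line. The names RULES, openRequest, extendRequest, closeRequest and logLine are this example’s own; business-day counts skip weekends but ignore public holidays, which is a simplification; the sample request at the bottom is constructed.

```javascript
// Added example: a minimal request tracker for the CCPA/CPRA workflow. Not the
// article's code; RULES, openRequest, extendRequest, closeRequest and logLine are
// this example's own names. Business-day counts skip weekends only; holidays are ignored.

const DAY_MS = 24 * 60 * 60 * 1000;

// Per-type handling rules. Know/delete/correct: confirm receipt within 10 business
// days, respond within 45 calendar days, one 45-day extension allowed. Opt-out and
// limit: act within 15 business days, no confirmation step, no extension, and no
// identity verification (they are not "verifiable consumer requests").
const RULES = {
  know_categories: { verify: 'reasonable: match at least two data points', ackBusinessDays: 10, respondCalendarDays: 45, extendable: true },
  know_specific: { verify: 'reasonably high: match at least three data points plus a signed declaration under penalty of perjury', ackBusinessDays: 10, respondCalendarDays: 45, extendable: true },
  delete: { verify: 'reasonable or reasonably high, by data sensitivity and risk of harm', ackBusinessDays: 10, respondCalendarDays: 45, extendable: true },
  correct: { verify: 'reasonable or reasonably high, by data sensitivity and risk of harm', ackBusinessDays: 10, respondCalendarDays: 45, extendable: true },
  opt_out: { verify: 'none: do not verify', ackBusinessDays: null, respondBusinessDays: 15, extendable: false },
  limit: { verify: 'none: do not verify', ackBusinessDays: null, respondBusinessDays: 15, extendable: false },
};

// Dates are handled as YYYY-MM-DD strings in UTC, which also lets them be
// compared lexicographically.
function parseDate(iso) { return new Date(`${iso}T00:00:00Z`); }
function formatDate(d) { return d.toISOString().slice(0, 10); }

function addCalendarDays(iso, n) {
  return formatDate(new Date(parseDate(iso).getTime() + n * DAY_MS));
}

function addBusinessDays(iso, n) {
  const d = parseDate(iso);
  for (let remaining = n; remaining > 0; ) {
    d.setTime(d.getTime() + DAY_MS);
    const dow = d.getUTCDay(); // 0 = Sunday, 6 = Saturday
    if (dow !== 0 && dow !== 6) remaining -= 1;
  }
  return formatDate(d);
}

function openRequest({ id, type, received }) {
  const rule = RULES[type];
  if (!rule) throw new Error(`unknown request type: ${type}`);
  return {
    id,
    type,
    received,
    verification: rule.verify,
    ackDue: rule.ackBusinessDays === null ? null : addBusinessDays(received, rule.ackBusinessDays),
    responseDue: rule.respondCalendarDays !== undefined
      ? addCalendarDays(received, rule.respondCalendarDays)
      : addBusinessDays(received, rule.respondBusinessDays),
    extendable: rule.extendable,
    extended: false,
    events: [{ on: received, what: 'received' }],
  };
}

// One extension of 45 calendar days; the notice to the consumer must go out
// before the original deadline passes.
function extendRequest(req, noticeSentOn) {
  if (!req.extendable || req.extended) throw new Error(`${req.id}: not extendable`);
  if (noticeSentOn > req.responseDue) throw new Error(`${req.id}: extension notice is late`);
  req.responseDue = addCalendarDays(req.responseDue, 45);
  req.extended = true;
  req.events.push({ on: noticeSentOn, what: 'extension notice sent' });
  return req;
}

function closeRequest(req, { completedOn, verifiedBy, outcome }) {
  req.closedOn = completedOn;
  req.onTime = completedOn <= req.responseDue;
  req.events.push({ on: completedOn, what: `closed: ${outcome}; verification: ${verifiedBy}` });
  return req;
}

// One CSV line per request for the log the article describes.
function logLine(req) {
  return [req.id, req.type, req.received, req.ackDue ?? '', req.responseDue,
    req.extended, req.closedOn ?? '', req.onTime ?? ''].join(',');
}

// Usage with a constructed sample: the opt-out email from the opening story.
const sample = openRequest({ id: 'REQ-0001', type: 'opt_out', received: '2026-01-23' });
console.log(logLine(sample));
```

A spreadsheet does the same job; the point of putting the rules in one table is that the clock and the verification standard are chosen by request type rather than by whoever happens to read the inbox, and the extension path refuses to run for opt-out and limit requests, which have no extension.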

Practical note: Many Hudson Valley e-commerce brands use Shopify, WooCommerce, or BigCommerce. Each of these platforms has built-in tools or apps that help automate data access and deletion requests. If you are not using them, you are making the 45-day deadline harder than it needs to be.

Service Providers, Contractors, and Third Parties: The Contract Layer

The CCPA/CPRA draws hard lines between three categories of entities that receive personal information from you, and each requires different contractual treatment.

Service providers process personal information on your behalf and under your instructions. Your fulfillment warehouse in Kingston, your email marketing platform, your payment processor—these are typically service providers. You must have a written contract prohibiting them from retaining, using, or disclosing the data for any purpose other than performing the specified services. The contract must also prohibit selling or sharing the data and require CCPA/CPRA compliance.

Contractors are a category introduced by the CPRA. Like service providers, they process data under contract, but the CPRA adds a requirement that the contractor certify it understands the restrictions and will comply with them. The contract must also grant you the right to take reasonable steps to ensure compliance, including audits, and to stop and remediate unauthorized use; the statute requires the same of service-provider contracts, so do not read those clauses as contractor-only. In practice, many businesses in the Hudson Valley treat their smaller vendors, such as a local photographer who accesses customer lists for marketing shoots or a freelance developer who touches the production database, as contractors.

Third parties are everyone else: entities that receive personal information from you and are not processing it solely on your behalf under contract. If you share customer email addresses with a partner brand for a joint marketing campaign without a proper service-provider or contractor agreement in place, that partner is a third party. Transfers to third parties trigger the consumer’s right to opt out, and you must disclose these transfers in your privacy policy.

Getting these distinctions right matters because the opt-out right applies specifically to third-party transfers. If you have properly structured service-provider agreements, the data flowing to those providers is not a sale or share, and the opt-out does not interrupt your operational data flows.

Evidence Pack: What Auditors and Regulators Want to See

If the California Privacy Protection Agency, or a plaintiff’s attorney, comes asking questions, they are going to want documentation. The following table outlines the core evidence artifacts every in-scope Hudson Valley e-commerce business should maintain.

Artifact: CCPA/CPRA-compliant privacy policy
Description: Discloses the categories of personal information collected, the purposes, consumer rights, the categories of third parties that receive the data, and retention periods, and carries the CPRA’s sensitive personal information disclosures. Links to the “Do Not Sell or Share My Personal Information” page.
Update frequency: Annually and upon material change
Owner: Legal / Privacy Lead

Artifact: “Do Not Sell or Share” link implementation
Description: A clear and conspicuous homepage link titled “Do Not Sell or Share My Personal Information” (the regulations also permit a single “Your Privacy Choices” link with the opt-out icon) that lets consumers opt out without creating an account. The same mechanism must treat the Global Privacy Control (GPC) browser signal as a valid opt-out request.
Update frequency: Verify quarterly
Owner: Web Development / Marketing

Artifact: Consumer request log
Description: Tracks each request by type (know, delete, opt-out, correct, limit), date received, verification method, date of response, outcome, and any extension taken, plus an anonymized requestor ID and the assigned handler. Retained for at least 24 months.
Update frequency: Updated per request; reviewed quarterly
Owner: Operations / Privacy Lead

Artifact: Data inventory and mapping
Description: Catalog of all personal information collected, with source, storage location, purpose, retention period, and downstream recipients. Sensitive personal information categories are identified separately, as the CPRA requires.
Update frequency: Annually and upon new data collection
Owner: IT / Privacy Lead

Artifact: Service provider and contractor agreement addendum
Description: Contract language meeting CCPA/CPRA requirements: restrictions on use, prohibition on selling or sharing, obligation to cooperate with consumer requests, the business’s right to audit and to stop unauthorized use (service providers and contractors alike), the contractor certification where applicable, and data breach notification terms.
Update frequency: At contract execution and renewal
Owner: Legal / Procurement

Artifact: Employee training records
Description: Evidence that staff who handle consumer inquiries or access personal information have been trained on CCPA/CPRA requirements, consumer rights, and internal request-handling procedures.
Update frequency: Annually
Owner: HR / Privacy Lead

Artifact: GPC and cookie consent configuration
Description: Evidence that the website detects and honors the Global Privacy Control signal, and that cookie and tracking consent mechanisms treat GPC as a valid opt-out of sale and sharing, including over any earlier “accept all” click.
Update frequency: Verify quarterly
Owner: Web Development

Common Mistakes East Coast SMBs Make with CCPA/CPRA

After working with several dozen Hudson Valley and mid-Hudson businesses on privacy compliance, I see the same mistakes repeated. Here are the ones that create the most risk.

Assuming it does not apply because you are in New York. This is the most common and most dangerous assumption. The CCPA/CPRA is not about where your business is located. It is about where your customers are. If you sell online and meet a threshold, you are in scope. Full stop.

Treating “Do Not Sell” as irrelevant because you do not literally sell data. The CPRA expanded the definition to include “sharing” personal information for cross-context behavioral advertising. If you have a Meta Pixel on your website, you are likely sharing personal information with Meta for advertising purposes. That is enough to trigger the opt-out obligation. Many business owners in the region genuinely do not realize that standard marketing tools create this exposure.

Ignoring the Global Privacy Control signal. California regulations require businesses to treat the GPC browser signal as a valid opt-out request. If a consumer visits your site with GPC enabled and your site does not detect or honor it, you are in violation. Most consent management platforms support GPC detection, but it has to be configured—it is rarely on by default.
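To show what “detect and honor” means in practice, here is an added example (not code from this article or from any consent management product) that handles the signal on both sides of the request. The header name Sec-GPC, its value 1, navigator.globalPrivacyControl and the /.well-known/gpc.json document come from the GPC specification; the function names, the hv_optout cookie, and the choice to persist the opt-out in a first-party cookie are this example’s assumptions, and the request at the bottom is constructed.

```javascript
// Added example: honoring the Global Privacy Control (GPC) signal on the server and
// in the browser. Not the article's code. Sec-GPC / "1", navigator.globalPrivacyControl
// and /.well-known/gpc.json are from the GPC spec; decideAdSharing, gateAdTags and the
// hv_optout cookie are this example's own assumptions.

// Case-insensitive header lookup; frameworks differ in how they expose header names.
function header(headers, name) {
  const want = name.toLowerCase();
  for (const [k, v] of Object.entries(headers)) {
    if (k.toLowerCase() === want) return String(v);
  }
  return undefined;
}

// The spec defines the signal as the request header `Sec-GPC: 1`.
// An absent header or any other value is not a signal.
function gpcSignalled(headers) {
  const v = header(headers, 'Sec-GPC');
  return v !== undefined && v.trim() === '1';
}

// Opt-out flag this example keeps in a first-party cookie once an opt-out
// (GPC or a click on the "Do Not Sell or Share" link) has been received.
function storedOptOut(headers) {
  const cookie = header(headers, 'Cookie') ?? '';
  return cookie.split(';').some((part) => part.trim() === 'hv_optout=1');
}

// Server-side decision for one request: may tags that share personal information
// for cross-context behavioral advertising (the Meta Pixel in the article) be
// emitted in this response? GPC counts as a valid opt-out for this browser and
// overrides an earlier affirmative opt-in; the business may tell the visitor
// about the conflict but must still honor the signal.
function decideAdSharing({ headers = {}, priorOptIn = false }) {
  const gpc = gpcSignalled(headers);
  const optedOut = storedOptOut(headers);
  if (!gpc && !optedOut) {
    return { share: true, reason: 'no_opt_out', setCookie: null, notifyConflict: false };
  }
  return {
    share: false,
    reason: gpc ? 'gpc' : 'stored_opt_out',
    // Persist the opt-out so it survives later requests that lack the header.
    setCookie: gpc && !optedOut
      ? 'hv_optout=1; Path=/; Max-Age=31536000; SameSite=Lax; Secure'
      : null,
    notifyConflict: gpc && priorOptIn,
  };
}

// Body served at /.well-known/gpc.json to declare that the site honors GPC.
function gpcWellKnown(lastUpdate) {
  return { gpc: true, lastUpdate };
}

// Browser side: gate the third-party tag loader on navigator.globalPrivacyControl
// so the pixel never fires for a GPC browser, even after an "accept all" click.
// Returns whether the tags were loaded.
function gateAdTags(nav, loadTags) {
  if (nav && nav.globalPrivacyControl === true) return false;
  loadTags();
  return true;
}

// Usage with a constructed request: a GPC browser that previously clicked "accept".
console.log(decideAdSharing({ headers: { 'Sec-GPC': '1', Cookie: 'sid=abc' }, priorOptIn: true }));
```

On a logged-in visit, record the opt-out against the account as well as the browser cookie so it carries across devices. Treat the client-side gate as a safety net rather than the control: a tag injected by a consent platform that does not check GPC is exactly the failure described above, which is why the server-side decision should determine whether the pixel markup is sent at all.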

Using boilerplate privacy policies that predate the CPRA. The CPRA added disclosure requirements around sensitive personal information, retention periods, and the right to correct. A privacy policy last updated in 2021 will not satisfy current requirements. I have seen Hudson Valley businesses copy policies from template libraries that still reference the pre-CPRA version of the law. The CPPA has specifically called out inadequate privacy policies in enforcement actions.

Failing to flow down obligations to vendors. Your fulfillment partner, your email service provider, your analytics vendor—every entity that touches California consumer data needs a compliant contract. A handshake agreement or generic terms-of-service page does not satisfy the CCPA/CPRA’s written-contract requirement. If your vendor will not sign a data processing addendum with CCPA/CPRA-specific terms, that is a red flag about the vendor, not about the regulation.

Not keeping records of request handling. When a consumer submits a request, the clock starts. If you cannot show that you acknowledged, verified, processed, and responded within the required timelines, you have no defense in an enforcement action. The log does not need to be sophisticated—a well-structured spreadsheet works—but it needs to exist and be accurate.

Where to Start This Week

If you suspect your Hudson Valley e-commerce operation might be in scope, here is what to prioritize. First, determine whether you actually meet a threshold—pull your annual revenue figures and estimate California consumer volume using your e-commerce platform’s geographic analytics. Second, audit your privacy policy against the CPRA’s disclosure requirements. Third, check whether your website has a functioning “Do Not Sell or Share” link and whether it actually stops data sharing when clicked. Fourth, inventory your vendors and identify which ones need updated contracts. These four steps will not make you fully compliant overnight, but they will close the most significant gaps and give you a defensible position while you build out the rest of your program.

California privacy law will continue to evolve, and other states—including New York, which has its own comprehensive privacy legislation in development—are watching closely. Building a solid CCPA/CPRA compliance foundation now does not just satisfy one state’s requirements. It positions your business to adapt as the regulatory landscape shifts.

Need help determining whether your Hudson Valley e-commerce business falls under CCPA/CPRA, or building the request-handling workflow and evidence pack outlined above? Visit hudsonvalleyciso.com to schedule a consultation. We work with regional businesses to build privacy programs that satisfy regulators without disrupting operations.

References

California Privacy Protection Agency – CPRA Overview and Regulations
California Attorney General – CCPA Information Page
CPPA Final Regulations and Rulemaking
California Civil Code § 1798.100–1798.199.100 (CCPA/CPRA Statute)
Global Privacy Control – Technical Specification