CPRA Applicability Threshold — Self-Determination Form
Status: internal compliance document. This document does NOT constitute legal advice. Purpose: document the operator's good-faith determination that the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA) does not apply to Raxx at the time of v1 launch (2026-05-23 UTC) and the basis for that determination. This form should be re-evaluated at least annually and upon material changes to Raxx's revenue, customer count, or data-sharing practices. Last updated: 2026-05-11 UTC.
Authority: Cal. Civ. Code § 1798.140(d); CPPA CPI adjustments at https://cppa.ca.gov/regulations/cpi_adjustment.html
Part 1 — Applicability Checklist
A for-profit business that "does business in the State of California" and collects "consumers' personal information" is subject to CCPA/CPRA if it meets at least one of the following thresholds.
Threshold A — Annual Gross Revenue
Threshold: As of 2026-01-01, annual global gross revenues exceeding $26,625,000 (CPI-adjusted per CPPA).
| Question | Response |
|---|---|
| Does Raxx have annual global gross revenues exceeding $26,625,000? | [ ] Yes [ ] No |
| If no, state approximate 2025 annual revenues (or "pre-revenue" if applicable): | _____ |
| Data verified from: | [ ] Financial statements [ ] Accounting software [ ] Best estimate |
Determination for Threshold A: [ ] In scope [ ] Not in scope
Threshold B — Consumer Record Volume
Threshold: Annually buying, selling, receiving for commercial purposes, or sharing for commercial purposes, the personal information of 100,000 or more California consumers or households.
| Question | Response |
|---|---|
| Does Raxx sell, share, buy, or receive (for commercial purposes) personal information of 100,000+ California consumers annually? | [ ] Yes [ ] No |
| Approximate number of California consumers whose personal information Raxx processes: | _____ |
| Note: "processes" includes collecting, storing, using — but the threshold specifically applies to "buying, selling, receiving for commercial purposes, or sharing for commercial purposes." Internal processing of subscriber data does not meet this threshold unless the data is sold or shared commercially. |
Determination for Threshold B: [ ] In scope [ ] Not in scope
Threshold C — Revenue from Data Sales
Threshold: Deriving 50% or more of annual revenues from selling or sharing consumers' personal information.
| Question | Response |
|---|---|
| Does Raxx derive 50% or more of annual revenues from selling or sharing personal information? | [ ] Yes [ ] No |
| Describe any selling or sharing of personal information for commercial purposes: | _____ |
| Does Raxx sell user data to advertisers, data brokers, or any third party? | [ ] Yes [ ] No |
Determination for Threshold C: [ ] In scope [ ] Not in scope
Part 2 — Summary Determination
| Threshold | In scope? |
|---|---|
| A — Revenue >$26.6M | [ ] Yes [ ] No |
| B — 100K+ consumer records processed commercially | [ ] Yes [ ] No |
| C — 50%+ revenue from data sales | [ ] Yes [ ] No |
| CCPA/CPRA applies to Raxx? | [ ] YES — at least one threshold met [ ] NO — no threshold met |
Part 3 — ADMT Self-Determination
Even if CCPA does not apply (thresholds not met), this section documents Raxx's determination that ADMT risk assessment obligations are not triggered.
The CPPA finalized ADMT regulations (effective 2026-01-01 for covered businesses; 2027-01-01 for consumer rights):
- ADMT is defined as: "Any technology that processes personal information and uses computation to replace or substantially replace human decision-making."
- ADMT risk assessment required when ADMT is used for "significant decisions" affecting consumers' access to: employment, housing, credit, health care, education, insurance, or essential goods.
Raxx ADMT determination:
| Question | Response |
|---|---|
| Does Raxx use any technology that replaces or substantially replaces human decision-making? | [ ] Yes [ ] No |
| If yes, describe: | _____ |
| Does Raxx's automated technology make decisions about consumers' access to employment, housing, credit, health care, education, insurance, or essential goods? | [ ] Yes [ ] No |
| Does Raxx's backtesting or signal layer produce outputs that are used without human review to make significant decisions about consumers? | [ ] Yes [ ] No |
Does the payment_event_count field drive any automated accept/reject decision about a consumer? |
[ ] Yes [ ] No |
ADMT determination: [ ] ADMT risk assessment required [ ] ADMT risk assessment NOT required
Basis for "not required" determination (if applicable):
Raxx is a rule-based strategy execution platform. Trading strategy rules are set by the human operator; Raxx executes them deterministically. The AI layer, per architectural decisions dated 2026-04-29, augments understanding and assists with parsing but does not make autonomous decisions or replace human decision-making. payment_event_count is a raw display counter, not an input to any automated decision system. No Raxx output makes a significant decision about a consumer's access to employment, housing, credit, health care, education, insurance, or essential goods.
Part 4 — Re-Evaluation Triggers
This self-determination must be re-evaluated if any of the following occur:
- [ ] Raxx's annual gross revenues approach or exceed $20 million
- [ ] Raxx's California customer count approaches or exceeds 75,000 subscribers
- [ ] Raxx begins selling, licensing, or sharing any user personal data with third parties for commercial purposes
- [ ] Raxx adds any feature that uses ML/AI to make automated recommendations or decisions about users or third parties
- [ ] Any regulatory authority (CPPA, California AG, FTC) issues guidance materially changing the thresholds or ADMT definitions
- [ ] Raxx is determined to be a registered investment adviser under the Investment Advisers Act 1940 (which may trigger GLBA/Reg P — separate analysis required)
Part 5 — Operator Attestation
I, the undersigned, as authorized representative of [COMPANY LEGAL NAME] ("Raxx"), have reviewed the CCPA/CPRA applicability thresholds and ADMT definitions as of the date signed below. Based on my good-faith review, I determine that:
[ ] Raxx IS subject to CCPA/CPRA — initiate full compliance program immediately.
[X] Raxx IS NOT subject to CCPA/CPRA at this time, based on the threshold analysis above. This determination will be re-evaluated at the triggers listed in Part 4. Despite not being covered, Raxx will maintain a privacy policy that accurately describes its data practices, consistent with FTC Section 5 obligations.
Regarding ADMT: Raxx does not use ADMT as defined by the finalized CPRA regulations and does not make significant decisions as defined. ADMT risk assessment obligations are not triggered.
Signed: Kristerpher Henderson Printed name: Kristerpher Henderson Title: Founder / Authorized Representative, MooseQuest LLC dba Raxx Date (UTC): 2026-05-13
Sources
- Cal. Civ. Code § 1798.140(d):
https://leginfo.legislature.ca.gov/faces/codes_displaySection.xhtml?lawCode=CIV§ionNum=1798.140 - CPPA CPI threshold adjustment:
https://cppa.ca.gov/regulations/cpi_adjustment.html - CPPA CCPA regulations page:
https://cppa.ca.gov/regulations/ccpa_updates.html - Baker Botts ADMT analysis:
https://www.bakerbotts.com/thought-leadership/publications/2025/august/a-101-of-the-cppas-finalizes-rules-on-admt-risk-assessments-and-cybersecurity-audits - Wiley Law CCPA regulations:
https://www.wiley.law/alert-California-Finalizes-Pivotal-CCPA-Regulations-on-AI-Cyber-Audits-and-Risk-Governance - IAPP CCPA applicability:
https://iapp.org/news/a/does-the-ccpa-as-modified-by-the-cpra-apply-to-your-business - CookieYes CCPA applicability:
https://www.cookieyes.com/blog/who-does-ccpa-apply-to/