Does CCPA Apply to Other States? Everything You Need to Know     

By Safna January 6, 2025

The California privacy law does not stop at the California borders. It keeps tabs on businesses located even outside the state, as CCPA applies to businesses handling personal data regardless of their location. Therefore, compliance with the law boosts reputation, fosters customer trust, and supports growth while also avoiding legal risks. Read more to uncover CCPA’s far-reaching impact on businesses everywhere.  

Who does CCPA apply to?

The California Consumer Privacy Act covers for-profit businesses operating in the state of California as well as those outside the state that process California residents’ personal information and meet one or more of the following thresholds:

  • Annual gross revenue exceeds $25 million
  • Buys, sells, or shares personal information of at least 100,000 consumers
  • 50% or more of annual revenue is derived from the sale or sharing of personal information

Organisations covered by federal laws like HIPAA or the Gramm-Leach-Bliley Act and nonprofit organisations are generally exempted from CCPA compliance.

CCPA’s applicability beyond California

Although CCPA originates in California, its scope goes beyond borders and applies to non-Californian or even non-American businesses. Here is a detailed look.

Does CCPA apply to businesses outside of California?

Yes. CCPA applies to all for-profit businesses processing Californian personal information if they meet the prescribed monetary or numerical threshold.

[Figure: Business as defined by CCPA]

The term business is defined broadly under CCPA and includes:

  • For-profit companies such as limited liability companies, corporations, associations, or companies run by a single person if they meet the CCPA threshold
  • Parent and subsidiary companies of the covered business that share common branding like using a logo or name
  • Joint ventures or partnerships 
  • Businesses that do not meet the threshold but voluntarily agree to be bound by the law

Personal information is broadly defined as any data that identifies, relates to, describes, or is reasonably capable of being related to or associated with a California resident or household.

It includes name, email address, browsing history, IP address, biometric information, geolocation data, address, phone number, licence number, social security number, purchase history and even inferences drawn from this information.

Therefore, CCPA’s application and compliance obligation go beyond California’s borders. The law aims to protect consumer data regardless of where the data processing takes place, making it critical for all businesses outside the state or even the US to evaluate their operations for potential applicability. 

Examples of CCPA’s application outside the state

  • A Canadian firm that provides products or services to California residents and meets CCPA thresholds must adhere to California law.
  • An international SaaS company such as an email service provider with California users should comply with CCPA requirements.

CCPA’s applicability to online businesses and other websites

While the customer base of a local convenience store is primarily limited to familiar faces in the neighbourhood, an online business has the advantage of reaching customers across the state or even across international borders. Think of Amazon which began as a small startup in Washington and transformed into a global “everything store.” The same applies to the global accessibility of websites that can be accessed from anywhere at any time.

Therefore, if your website or application collects personal information from California residents, you must be proactive in CCPA compliance. Here are a few things to note:

  • Publish a privacy policy conspicuously on your website explaining what data your business collects and related information
  • Offer “Do not sell my personal information” and “Limit the use or share of my sensitive personal information” links so that consumers can exercise their opt-out rights
  • Implement systems to honour global opt-out signals from consumers
  • Provide a cookie banner enabling consumers to opt out of third-party cookies and a cookie policy informing them about the use of cookies
  • Establish convenient methods to exercise CCPA rights and honour consumer requests promptly
  • Fortify your cybersecurity measures by implementing security safeguards at technical and organisational levels

How does CCPA affect other US states?

Here is how CCPA impacts states outside California.

#1 Protection for California residents

CCPA focuses on safeguarding the integrity and confidentiality of California residents’ personal data regardless of the organisation’s location. Therefore, even if a business based in a state with its own privacy legislation does business in California, it must ensure compliance with CCPA in addition to its state law.

This means businesses must do the following:

  • Honour consumer rights: the right to know, access, erasure, rectification, opting out of the sale of personal information, limiting the use of sensitive personal information, and data portability
  • Implement security measures to protect personal data from unauthorised access or data breaches
  • Have Data Processing Agreements with service providers or third parties
  • Comply with transparency and consent obligations

#2 Influence on other state privacy laws

The California Consumer Privacy Act has inspired many US states to enact their own data privacy laws. States like Virginia, Colorado, Texas, and Utah have already implemented state laws similar to the CCPA, and around nine more are anticipated to take effect in 2025. 

While these laws share similarities, we must also acknowledge that they have unique requirements suiting their state needs.

#3 National impact and spur on federal privacy talks

Organisations operating across multiple states would now need to consider a range of state-specific laws. However, the resemblances among the laws simplify the compliance process. Additionally, this has also led to discussions for federal privacy laws in the country.

CCPA Compliance tips for businesses operating in multiple states

We will discuss some proven strategies and hands-on resources to help your business become privacy-compliant this year and stay ahead of compliance.

Understand CCPA privacy legislation

  • Familiarise yourself with CCPA requirements for covered businesses
  • Consult privacy professionals for tailored legal advice that meets your business needs

Leverage automation technology 

  • Set up an advanced CMP like CookieYes to optimise your website for CCPA-compliance
  • Use the CookieYes free policy generator to create an easy-to-understand privacy and cookie policy
  • Adopt automation tools for data discovery and data mapping 

Privacy and Security measures 

  • Equip your employees to understand CCPA regulations and adopt privacy practices
  • Implement robust security measures to protect data 
  • Adopt internal data protection policies 
  • Review and update your policies regularly
  • Provide extra protection for sensitive data
  • Conduct impact assessments regularly
  • Conduct data mapping and data discovery 

CCPA principles

  • Keep track of the categories of personal information you handle
  • Limit the data collection and its usage to a minimum
  • Keep the data inventory correct and updated
  • Anonymise or delete unwanted personal data

Monitor third-party compliance

  • Ensure that your service providers are CCPA-compliant
  • Have a contractual relationship with them

CCPA rights

  • Provide two or more convenient consumer request mechanisms
  • Honour consumer requests promptly (45 days)
  • Store data in a portable format

How do enforcement agencies handle CCPA violations for out-of-state businesses?

Initially, enforcement powers rested solely with the Attorney General. Later, in 2023, the California Privacy Rights Act (CPRA amendments) expanded enforcement by introducing the California Privacy Protection Agency (CPPA).

Out-of-state businesses are also held accountable for violations if they handle consumers’ personal information and meet the CCPA threshold.

In 2022, French retailer Sephora was fined $1.2 million for CCPA non-compliance.

CCPA fines for violations range from $2,500 to $7,500 per incident per person. Intentional violations attract higher penalties.

FAQ on CCPA outside the state

Are there any overlaps between the CCPA/CPRA and GDPR for businesses outside California?

Yes, there are some overlaps between CCPA and the European General Data Protection Regulation. While both laws focus on transparency and protecting consumer rights, there are some differences.

  • GDPR has a broader scope and, unlike CCPA, does not prescribe a threshold
  • GDPR enforces an opt-in model, whereas CCPA follows an opt-out model for consent
  • Contrary to GDPR, California law does not directly regulate cross-border transfers of personal data
  • CCPA has a limited private right of action compared to GDPR
  • CCPA non-compliance fines range up to $7,500 per violation, while GDPR fines can reach €20 million or 4% of annual revenue

How does CCPA impact businesses in states with no similar privacy laws?

The CCPA applies to companies located in states that lack privacy legislation if they conduct business in California and meet certain requirements. This has led to many businesses adopting privacy practices modelled after the CCPA to ensure compliance, foster customer trust and avoid non-compliance fines.

Do other states have privacy laws similar to CCPA?

Yes, around 20 states, including Virginia, Colorado, Connecticut, and Utah, have enacted privacy laws to protect their residents’ data.

Safna

Safna Y Yacoob is a lawyer turned data privacy writer. At CookieYes, she transforms complex privacy regulations into actionable insights for businesses. On off-hours, find her brightening days with one-liners, spinning playlists, or watching feel-good movies.
