The California privacy law does not stop at California's borders. The CCPA applies to businesses that handle California residents' personal information regardless of where those businesses are located. Compliance therefore protects reputation, builds customer trust and supports growth while avoiding legal risk. Read on to understand the CCPA's far-reaching impact on businesses everywhere.
Who does CCPA apply to?
The California Consumer Privacy Act covers for-profit businesses that do business in California, including those based outside the state, that collect California residents' personal information and meet one or more of the following thresholds:
- Annual gross revenue above $25 million (the figure is adjusted for inflation every two years)
- Buys, sells, or shares the personal information of 100,000 or more consumers or households per year
- Derives 50% or more of annual revenue from selling or sharing personal information
Nonprofits fall outside the CCPA's definition of a business. Data already regulated by federal laws such as HIPAA or the Gramm-Leach-Bliley Act is exempt, but these are data-level exemptions rather than organisation-level ones: an organisation that also handles personal information outside those regimes can still be covered.
CCPA’s applicability beyond California
Although CCPA originates in California, its scope goes beyond borders and applies to non-Californian or even non-American businesses. Here is a detailed look.
Does CCPA apply to businesses outside of California?
Yes. The CCPA applies to any for-profit business that does business in California and processes California residents' personal information, wherever the business is located, if it meets one of the revenue or volume thresholds.
The term business is defined broadly under CCPA and includes:
- For-profit entities such as sole proprietorships, partnerships, limited liability companies, corporations, and associations that meet a CCPA threshold
- Any entity that controls or is controlled by a covered business and shares common branding with it, such as a shared name, servicemark, or trademark
- Joint ventures or partnerships composed of businesses that each hold at least a 40% interest
- Businesses that do not meet a threshold but voluntarily certify to the California Privacy Protection Agency that they are bound by the law
Personal information is broadly defined as information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular California resident or household.
It includes names, email addresses, browsing history, IP addresses, biometric information, geolocation data, postal addresses, phone numbers, driver's licence numbers, social security numbers, purchase history and even inferences drawn from any of this information to build a profile.
Therefore, the CCPA's reach and compliance obligations extend beyond California's borders. The law protects consumers' data regardless of where the processing takes place, so every business outside the state, or outside the US, should evaluate whether it falls within scope.
Examples of CCPA’s application outside the state
- A Canadian firm that sells products or services to California residents and meets a CCPA threshold must comply with the California law.
- An international SaaS company, such as an email service provider, with California users must comply with the CCPA if it meets a threshold.
CCPA’s applicability to online businesses and other websites
While the customer base of a local convenience store is mostly limited to familiar faces in the neighbourhood, an online business can reach customers across the state or across international borders. Think of Amazon, which began as a small startup in Washington and grew into a global "everything store." The same applies to any website: it can be reached from anywhere at any time.
Therefore, if your website or application collects personal information from California residents, you must be proactive about CCPA compliance. Here are a few things to note:
- Publish a privacy policy conspicuously on your website explaining which categories of personal information your business collects, why, and with whom it is shared
- Offer "Do Not Sell or Share My Personal Information" and "Limit the Use of My Sensitive Personal Information" links so consumers can exercise their opt-out rights
- Implement systems that honour opt-out preference signals such as Global Privacy Control (GPC), which the CCPA regulations treat as a valid request to opt out of sale or sharing
- Provide a cookie banner that lets consumers opt out of third-party cookies and tracking pixels that sell or share their data, together with a cookie policy explaining how cookies are used
- Establish convenient methods for consumers to exercise their CCPA rights and honour requests promptly
- Strengthen your cybersecurity by implementing safeguards at both technical and organisational levels; the CCPA's private right of action applies to data breaches caused by a failure to maintain reasonable security
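Honouring opt-out preference signals is the one item above that is a concrete technical mechanism. The following is an added example, not code from CookieYes or the CCPA regulations, showing how a site detects the Global Privacy Control signal and acts on it. Two details are real: the browser sends the signal as the HTTP request header `Sec-GPC: 1` and exposes it to scripts as `navigator.globalPrivacyControl`, and a site announces support at `/.well-known/gpc.json`. The function names, the `opt_in`/`opt_out` preference values and the sample tag list are constructed for the example.

```javascript
// Added example (not code from CookieYes or the CCPA regulations): honouring the
// Global Privacy Control (GPC) opt-out preference signal that California's CCPA
// regulations require businesses to treat as a valid "do not sell or share" request.
//
// The signal reaches a site in two real places:
//   - on the server, as the HTTP request header  Sec-GPC: 1
//   - in the browser, as navigator.globalPrivacyControl === true
// A site also advertises support at /.well-known/gpc.json.
// Everything else here (function names, preference values, tag names) is
// constructed for this example.

// True when the request carries Sec-GPC with the exact value "1".
// Header name matching is case-insensitive; any other value is not a signal.
function hasGpcHeader(headers) {
  for (const [name, value] of Object.entries(headers || {})) {
    if (name.toLowerCase() === "sec-gpc") {
      return String(value).trim() === "1";
    }
  }
  return false;
}

// Browser-side counterpart: pass `navigator` (or any object with the property).
function hasGpcSignal(nav) {
  return Boolean(nav && nav.globalPrivacyControl === true);
}

// Decide whether the visitor is opted out of sale/sharing.
//   headers:          incoming request headers (plain object)
//   storedPreference: the business-specific choice saved earlier, e.g. via the
//                     "Do Not Sell or Share" link: "opt_out", "opt_in" or undefined
// Rule: a GPC signal always wins, even over a stored opt-in (the regulations say
// to process the signal and, at most, notify the consumer of the conflict).
// Without a signal, fall back to the stored choice; with nothing saved, the
// CCPA default is that sale/sharing is permitted until the consumer opts out.
function resolveOptOut({ headers, storedPreference }) {
  if (hasGpcHeader(headers)) {
    return { optedOut: true, source: "gpc" };
  }
  if (storedPreference === "opt_out") {
    return { optedOut: true, source: "stored" };
  }
  if (storedPreference === "opt_in") {
    return { optedOut: false, source: "stored" };
  }
  return { optedOut: false, source: "default" };
}

// Third-party tags the page would otherwise load (constructed sample data).
// Tags that pass personal information to advertisers are a "sale or share";
// first-party or strictly necessary tags are not.
const SAMPLE_TAGS = [
  { name: "first-party-analytics", sellsOrShares: false },
  { name: "ad-network-pixel", sellsOrShares: true },
  { name: "retargeting-script", sellsOrShares: true },
  { name: "fraud-detection", sellsOrShares: false },
];

// Returns the names of the tags that may be loaded for this visitor.
function tagsToLoad(tags, optedOut) {
  return tags.filter((t) => !(optedOut && t.sellsOrShares)).map((t) => t.name);
}

// Body of the /.well-known/gpc.json resource that announces GPC support.
// `lastUpdate` is the date (YYYY-MM-DD) on which the statement last changed.
function gpcWellKnownDocument(lastUpdate) {
  if (!/^\d{4}-\d{2}-\d{2}$/.test(lastUpdate)) {
    throw new Error("lastUpdate must be a YYYY-MM-DD date");
  }
  return { gpc: true, lastUpdate };
}

// Stand-alone demo: a request carrying GPC despite a stored opt-in.
const demo = resolveOptOut({ headers: { "Sec-GPC": "1" }, storedPreference: "opt_in" });
console.log(demo, tagsToLoad(SAMPLE_TAGS, demo.optedOut));
```

The check runs on every request, not only when a banner is shown, because a consumer who switched GPC on after an earlier opt-in must still be treated as opted out from that point on. Serving the well-known document is optional under the GPC specification, but it makes your support auditable.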
How does CCPA affect other US states?
Here is how CCPA impacts states outside California.
#1 Protection for California residents
The CCPA focuses on safeguarding the confidentiality and integrity of California residents' personal data regardless of where the organisation is located. Therefore, a business based in another state, even one with its own privacy legislation, must comply with the CCPA in addition to its home state's law if it does business in California and meets the thresholds.
This means businesses must do the following:
- Honour consumer rights: the right to know and access, delete, correct, opt out of the sale or sharing of personal information, limit the use of sensitive personal information, and receive data in a portable format, without discrimination for exercising these rights
- Implement security measures to protect personal data from unauthorised access and data breaches
- Put contracts in place with service providers, contractors and third parties that contain the terms the CCPA requires
- Comply with transparency and consent obligations
#2 Influence on other state privacy laws
The California Consumer Privacy Act has inspired many US states to enact their own data privacy laws. States like Virginia, Colorado, Texas, and Utah have already enacted state laws similar to the CCPA, and around nine more are expected to take effect in 2025.
While these laws share similarities, each has unique requirements tailored to its state.
#3 National impact and spur on federal privacy talks
Organisations operating across multiple states now need to account for a range of state-specific laws. The resemblance among these laws simplifies compliance. The growing patchwork has also fuelled discussion of a federal privacy law.
CCPA Compliance tips for businesses operating in multiple states
Here are some proven strategies and hands-on resources to help your business become privacy-compliant this year and stay ahead of compliance.
Understand CCPA privacy legislation
- Familiarise yourself with CCPA requirements for covered businesses
- Consult privacy professionals for tailored legal advice that meets your business needs
Leverage automation technology
- Set up an advanced CMP like CookieYes to optimise your website for CCPA-compliance
- Use the CookieYes free policy generator to create an easy-to-understand privacy and cookie policy
- Adopt automation tools for data discovery and data mapping
Privacy and Security measures
- Equip your employees to understand CCPA regulations and adopt privacy practices
- Implement robust security measures to protect data
- Adopt internal data protection policies
- Review and update your policies regularly
- Provide extra protection for sensitive data
- Conduct impact assessments regularly
- Conduct data mapping and data discovery
CCPA principles
- Keep track of the categories of personal information you handle
- Limit the data collection and its usage to a minimum
- Keep the data inventory correct and updated
- Anonymise or delete unwanted personal data
Monitor third-party compliance
- Ensure that your service providers are CCPA-compliant
- Have a contractual relationship with them
CCPA rights
- Provide two or more convenient methods for submitting consumer requests, such as a toll-free number and a web form
- Respond to consumer requests within 45 days (extendable once by a further 45 days where reasonably necessary, provided the consumer is notified)
- Deliver requested data in a portable and, to the extent technically feasible, readily usable format
How do enforcement agencies handle CCPA violations for out-of-state businesses?
Initially, enforcement rested solely with the California Attorney General. The California Privacy Rights Act (CPRA), approved by voters in 2020, created the California Privacy Protection Agency (CPPA), which began enforcing the law alongside the Attorney General in 2023.
Out-of-state businesses are held accountable for violations in the same way if they handle California consumers' personal information and meet a CCPA threshold.
In 2022, the French-owned retailer Sephora agreed to a $1.2 million settlement with the California Attorney General in the first public CCPA enforcement action, for failing to disclose that it was selling personal information and for failing to honour Global Privacy Control opt-out signals.
CCPA penalties are $2,500 per violation, rising to $7,500 per intentional violation or per violation involving the personal information of minors, with the figures adjusted for inflation.
FAQ on CCPA outside the state
The CCPA and the European General Data Protection Regulation overlap in several places: both focus on transparency and consumer rights. But there are important differences:
- GDPR has a broader scope and, unlike the CCPA, sets no revenue or volume threshold
- GDPR relies on an opt-in model for consent, whereas the CCPA follows an opt-out model for sale and sharing
- Unlike GDPR, the California law does not directly regulate cross-border transfers of personal data
- The CCPA's private right of action is limited to certain data breaches, whereas GDPR gives individuals broad rights to compensation
- CCPA penalties reach $7,500 per violation, while GDPR fines can reach €20 million or 4% of annual global turnover, whichever is higher
The CCPA applies to companies based in states without their own privacy legislation if they do business in California and meet its thresholds. This has led many businesses to adopt privacy practices modelled on the CCPA to ensure compliance, foster customer trust and avoid non-compliance penalties.
Around 20 states, including Virginia, Colorado, Connecticut, and Utah, have enacted comprehensive privacy laws to protect their residents' data.