Beginner's Guide to CCPA Outside of California: Who It Applies To and How to Comply



Kevin Henry

Data Privacy

March 17, 2025


CCPA Applicability to Non-California Businesses

The California Consumer Privacy Act (as amended by the CPRA) can apply to companies located anywhere if they do business in California and handle Californians’ personal information. You are likely “doing business” in California if you target or serve California residents, accept orders to ship into the state, or track California site visitors.

CCPA coverage turns on whether you meet at least one threshold. A “business” is a for-profit entity that does business in California, decides the purposes and means of processing, and meets any one of: (1) annual gross revenue above $25 million (the statutory figure, which the California Privacy Protection Agency adjusts for inflation every other year, so check the current value); (2) annually buys, sells, or shares the personal information of 100,000 or more California consumers or households; or (3) derives 50% or more of its annual revenue from selling or sharing consumers’ personal information. “Consumers” are California residents, and “personal information” is information that identifies, relates to, describes, or could reasonably be linked, directly or indirectly, with a particular consumer or household.

CCPA also reaches companies that act as service providers or contractors to covered businesses. Even if you do not meet a threshold yourself, contracts can impose CCPA-style obligations when you process personal information on behalf of a covered client.

Exemptions from CCPA

Several narrow exemptions may apply to specific entities or data types. These exemptions are limited to the covered data and do not create a blanket pass for all processing you perform.

  • Non-profit exemption: Non-profit organizations are generally outside CCPA’s definition of a “business.” However, common branding or control with a for-profit that meets the thresholds can bring a non-profit into scope, and non-profits acting as service providers must honor contract-based restrictions.
  • Sectoral/data exemptions: Information regulated by HIPAA/CMIA (protected health information), GLBA (certain financial data), FCRA (credit-reporting data), and DPPA (motor vehicle records) is exempt to the extent those laws cover it. Publicly available, de-identified, or aggregate data is also excluded.
  • Workforce and B2B data: The temporary exemptions for employee, applicant, contractor, and business-to-business contact data expired on January 1, 2023, so these individuals now hold the full set of consumer rights, subject to the law’s general exceptions (for example, records you must keep under tax or employment law may be withheld from deletion).

CCPA Exclusion for Activities Outside California

CCPA does not apply where every aspect of the commercial conduct occurs wholly outside California. This matters for out-of-state data collection when no part of the collection, processing, or consumer data sale/sharing touches California.

  • When the exclusion may apply: You collected the personal information while the consumer was physically outside California, no part of the sale or sharing occurs in California, and you do not sell or share any personal information that was collected while the consumer was in California.
  • When it typically does not apply: You market to Californians, ship products into the state, have California users on your website or app, or sell/share data tied to California devices, locations, or residents.
  • Practical takeaway: If any meaningful part of the transaction touches California, plan for CCPA compliance.

CCPA Compliance Steps for Affected Businesses

Build compliance protocols in phases so you can demonstrate accountability and respond quickly to requests. The steps below focus on what regulators expect to see in a well-run privacy program.


  • Map data: Inventory what personal information and sensitive personal information you collect, from whom, for what purposes, where it is stored, and with whom it is shared.
  • Minimize and set retention: Limit collection to what is necessary, define retention periods by purpose, and implement deletion routines for stale data.
  • Classify sharing: Determine whether any transfers are “sales” (for monetary or other valuable consideration) or “sharing” for cross-context behavioral advertising; document your basis for each.
  • Honor opt-outs and signals: Provide a “Do Not Sell or Share My Personal Information” link and treat a recognized opt-out preference signal such as Global Privacy Control (GPC) as a valid opt-out request. GPC reaches your server as the request header Sec-GPC: 1 (browsers also expose it to page scripts as navigator.globalPrivacyControl), and it must be honored without requiring the consumer to log in or take any further step.
  • Enable rights requests: Offer at least two designated methods to submit access, deletion, correction, and portability requests, one of them a toll-free telephone number, unless you operate exclusively online with a direct consumer relationship, in which case an email address for requests suffices.
  • Verify identity and respond on time: Use reasonable verification procedures, confirm receipt of access, deletion, and correction requests within 10 business days, and respond within 45 days, with one additional 45-day extension when reasonably necessary (notify the consumer of the extension within the first 45 days). Opt-out and limit-use requests require no verification and must be acted on within 15 business days.
  • Update vendor contracts: Execute service provider and contractor terms that restrict use, require assistance with consumer requests, and mandate security safeguards.
  • Train and document: Train staff who handle consumer privacy rights and maintain records of requests, responses, and key decisions.
  • Assess high-risk processing: For profiling, targeted ads, or sensitive data use, conduct risk reviews and tighten controls even where formal assessments are not mandated.
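The opt-out step above is the one that most often goes wrong in code: the GPC header is ignored, or it is recognized on one request and forgotten on the next. The Node.js example below is an added illustration and is not code from the original article or from Accountable. It treats Sec-GPC: 1 as an opt-out, persists that opt-out so later requests without the header stay opted out, and also applies the under-16 opt-in rule described later in the article. The consumer record fields, the store interface, and the sample requests are all assumptions constructed for the example.

```javascript
// Added example, not code from the original article or from Accountable.
// Assumptions (all hypothetical): consumer preference records are plain objects
// with the fields used below, and request headers arrive as a plain object with
// lower-cased keys, which is how Node's http module presents them.

const GPC_HEADER = "sec-gpc"; // the Global Privacy Control request header

// A browser with GPC enabled sends exactly "Sec-GPC: 1". Any other value
// ("0", "true", an empty string, a list) is not an opt-out signal.
function hasGpcSignal(headers) {
  const raw = headers[GPC_HEADER];
  if (raw === undefined || raw === null) return false;
  return String(raw).trim() === "1";
}

// Consumers 16 and older are opt-out; ages 13-15 need their own affirmative
// opt-in; under 13 need a parent's or guardian's. `record.optIn` is assumed to
// look like { by: "consumer" | "parent", at: "<ISO-8601 timestamp>" }.
function hasRequiredOptIn(record) {
  if (!Number.isInteger(record.age) || record.age >= 16) return true;
  const optIn = record.optIn;
  if (!optIn || !optIn.by) return false;
  return record.age < 13 ? optIn.by === "parent" : true;
}

// Decide whether this consumer's data may be sold or shared on this request.
// Returns the decision plus the (possibly updated) preference record so the
// caller can persist a GPC-derived opt-out and apply it on later sessions.
function evaluateSaleOrSharing(headers, consumer, now = new Date()) {
  const record = { ...consumer };

  if (!record.optedOut && hasGpcSignal(headers)) {
    record.optedOut = true;
    record.optOutSource = "gpc";
    record.optOutAt = now.toISOString();
  }
  if (record.optedOut) {
    return { allowed: false, reason: `opt-out on record (${record.optOutSource})`, record };
  }
  if (!hasRequiredOptIn(record)) {
    return { allowed: false, reason: "consumer under 16 without the required opt-in", record };
  }
  return { allowed: true, reason: "no opt-out on record and no GPC signal", record };
}

// Connect/Express-style middleware (hypothetical store interface:
// store.get(id) -> record | undefined, store.save(id, record)). It never blocks
// the request; it attaches the decision so ad and analytics tags further down
// the chain can check req.privacy.allowed before any sale or sharing happens.
function privacyMiddleware(store) {
  return (req, res, next) => {
    const id = req.consumerId || "anonymous";
    const before = store.get(id) || { id };
    const decision = evaluateSaleOrSharing(req.headers, before);
    if (decision.record.optedOut && !before.optedOut) {
      store.save(id, decision.record); // persist the GPC-derived opt-out
    }
    req.privacy = decision;
    next();
  };
}

// Constructed sample requests for a stand-alone run.
function demo() {
  const store = new Map();
  const mw = privacyMiddleware({ get: (k) => store.get(k), save: (k, v) => store.set(k, v) });
  const results = [];
  const cases = [
    { consumerId: "c1", headers: { "sec-gpc": "1" } }, // GPC on: opt out and persist
    { consumerId: "c1", headers: {} },                 // same consumer later, no header: still opted out
    { consumerId: "c2", headers: { "sec-gpc": "0" } }, // "0" is not a signal
    { consumerId: "c3", headers: {}, age: 14 },        // 14-year-old with no opt-in on file
  ];
  for (const c of cases) {
    if (c.age !== undefined) store.set(c.consumerId, { id: c.consumerId, age: c.age });
    const req = { consumerId: c.consumerId, headers: c.headers };
    mw(req, {}, () =>
      results.push({ id: c.consumerId, allowed: req.privacy.allowed, reason: req.privacy.reason }));
  }
  return results;
}

if (typeof require !== "undefined" && require.main === module) console.log(demo());
```

The important design choice is that the GPC signal writes to the preference store rather than only gating the current response; a consumer who turns the browser setting off later, or uses another device, remains opted out until they affirmatively opt back in through your own mechanism.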

Understanding Consumer Rights Under CCPA

Californians have robust consumer privacy rights, and you must make it easy to exercise them without discrimination. Clear disclosures and prompt responses reduce risk and build trust.

  • Right to know/access: Provide information about categories and specific pieces of personal information collected, sources, purposes, and disclosures.
  • Right to delete: Delete personal information unless an exception applies (for example, security, legal compliance, or ongoing contract obligations).
  • Right to correct: Fix inaccurate personal information you maintain about the consumer.
  • Right to opt out of sale/sharing: Stop selling or sharing personal information when a consumer opts out, and respect preference signals.
  • Right to limit use of sensitive personal information: Restrict use to necessary purposes stated at collection, when a consumer exercises this right.
  • Non-discrimination: Do not deny goods/services, charge different prices, or provide different quality because a consumer exercised their rights, except as allowed for value-based loyalty or incentive programs with required notices.
  • Children’s data: Do not sell or share the personal information of a consumer you know to be under 16 without affirmative opt-in: the minor’s own authorization at ages 13 to 15, and a parent’s or guardian’s for children under 13. A business that willfully disregards a consumer’s age is treated as having known it.

Implementing Data Protection Protocols

Security is a core CCPA expectation, and the law’s private right of action is tied to it: consumers can sue when a breach of unencrypted or unredacted personal information results from a failure to maintain reasonable security, with statutory damages of $100 to $750 per consumer per incident (also subject to inflation adjustment). “Reasonable security” scales with your risk profile and the sensitivity of the personal information you handle.

  • Access control and least privilege: Limit access to need-to-know roles; review entitlements regularly.
  • Encryption and key management: Encrypt data in transit and at rest, and manage keys separately.
  • Monitoring and logging: Log access to personal information, alert on anomalies, and retain evidence for investigations.
  • Vendor risk management: Assess third parties, require equivalent protections, and monitor ongoing compliance.
  • Incident response: Maintain a tested playbook for detection, containment, notification, and remediation.
  • Secure development and testing: Integrate privacy by design into SDLC, conduct privacy reviews for new features, and validate cookie/SDK behaviors.
  • Data lifecycle controls: Automate retention enforcement, deletion, and de-identification where feasible.
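The “minimize and set retention” step earlier and the “data lifecycle controls” item above both come down to one recurring job: evaluate every record against a purpose-based retention rule and act on it. The Node.js sweep below is an added example, not code from the original article or from Accountable. The retention policy, the record shape, the legal-hold field, and the sample records are constructed assumptions; the fixed “now” date makes the run reproducible.

```javascript
// Added example, not code from the original article or from Accountable.
// Records are assumed to carry: id, purpose, collectedAt (ISO date), optional
// legalHold (a string naming the retention obligation), plus arbitrary fields.

const DAY_MS = 24 * 60 * 60 * 1000;

// Hypothetical policy: days to keep per collection purpose and what happens
// at expiry. Purposes not listed here are flagged for review, never silently kept.
const RETENTION_POLICY = {
  order_fulfillment: { days: 365, atExpiry: "delete" },
  analytics:         { days: 90,  atExpiry: "deidentify" },
  marketing:         { days: 180, atExpiry: "delete" },
};

// Direct identifiers stripped by the technical de-identification step. Note that
// CCPA de-identified status also requires process commitments (no re-identification,
// contractual flow-down); this function is only the data-transformation part.
const DIRECT_IDENTIFIERS = ["name", "email", "ip", "address", "phone"];

function deidentify(record) {
  const out = { ...record };
  for (const field of DIRECT_IDENTIFIERS) delete out[field];
  out.deidentifiedAt = true;
  return out;
}

// Decide what to do with one record at time `now`.
function retentionAction(record, policy, now) {
  const rule = policy[record.purpose];
  if (!rule) return { action: "review", why: `no retention rule for purpose "${record.purpose}"` };
  const ageDays = Math.floor((now - new Date(record.collectedAt)) / DAY_MS);
  if (ageDays < rule.days) return { action: "retain", why: `${rule.days - ageDays} days left` };
  // Expired, but a documented exception (e.g. tax record retention) overrides deletion.
  if (record.legalHold) return { action: "retain", why: `legal hold: ${record.legalHold}` };
  return { action: rule.atExpiry, why: `expired ${ageDays - rule.days} days ago` };
}

// Build a plan for a batch of records. Returning a plan (rather than deleting
// in place) gives you an auditable record of each decision before execution.
function runRetentionSweep(records, policy, now = new Date()) {
  const plan = { retain: [], delete: [], deidentify: [], review: [] };
  for (const r of records) {
    const d = retentionAction(r, policy, now);
    const entry = { id: r.id, why: d.why };
    if (d.action === "deidentify") entry.replacement = deidentify(r);
    plan[d.action].push(entry);
  }
  return plan;
}

// Constructed sample records evaluated at a fixed date for a reproducible run.
function demoRetention() {
  const now = new Date("2025-03-17T00:00:00Z");
  const records = [
    { id: "r1", purpose: "order_fulfillment", collectedAt: "2024-12-01", email: "a@example.com" },
    { id: "r2", purpose: "analytics",         collectedAt: "2024-11-01", ip: "203.0.113.7", pageViews: 12 },
    { id: "r3", purpose: "marketing",         collectedAt: "2024-06-01", email: "b@example.com" },
    { id: "r4", purpose: "order_fulfillment", collectedAt: "2023-01-01", legalHold: "tax records, 7 years" },
    { id: "r5", purpose: "support",           collectedAt: "2024-01-01", name: "C" },
  ];
  return runRetentionSweep(records, RETENTION_POLICY, now);
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(JSON.stringify(demoRetention(), null, 2));
}
```

Two points carry over to real systems: a purpose with no rule should surface for review rather than default to “keep forever,” and the exception path (legal hold) is what lets the same evaluator serve both scheduled sweeps and consumer deletion requests, where the exceptions listed in the rights section apply in the same way.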

Updating Privacy Policies and Notices

Your privacy policy should tell consumers what you collect, why, for how long, and how to exercise their rights. Keep it accurate, layered, and easy to navigate.

  • Notice at collection: Disclose categories of personal information, purposes, whether collection is required, retention periods, and links to opt-out or limit-sensitive-PI tools.
  • Core policy content: Describe data sources, business/commercial purposes, categories of recipients, whether you engage in consumer data sale or sharing, and how to submit rights requests.
  • Sensitive personal information: Explain uses and offer a “Limit the Use of My Sensitive Personal Information” option when required.
  • Preference signals and cookies: State how you process opt-out preference signals and manage cross-context behavioral advertising.
  • Governance details: Summarize your security measures at a high level, retention approach, and how you handle appeals or complaints.

Bottom line: if you target Californians or handle their personal information, confirm whether you meet a threshold, implement clear compliance protocols, and keep your notices and practices aligned with what you actually do.

FAQs

Who Must Comply with CCPA Outside California?

Any for-profit entity anywhere that does business in California and meets a threshold—such as the $25 million annual gross revenue threshold, handling personal information of 100,000+ consumers/households, or deriving 50%+ of revenue from consumer data sale or sharing—must comply. Service providers and contractors supporting such businesses must follow contract-based restrictions, too.

What Exemptions Apply to Non-Profit Organizations?

Non-profits are generally exempt, but the non-profit exemption is narrow. If a non-profit controls, is controlled by, or shares common branding with a covered for-profit business, or acts as a service provider processing personal information under contract, CCPA-style obligations can still apply to the processing at issue.

How Is Data Collected Outside California Treated Under CCPA?

CCPA excludes conduct that occurs wholly outside California. If out-of-state data collection, processing, and any sale or sharing occur entirely outside the state, the law typically does not apply to that transaction. If any meaningful element touches California—such as targeting California residents or using data in California—CCPA obligations likely attach.

What Are the Key Steps for CCPA Compliance?

Map your data, minimize collection, and set retention; classify transfers as sales or sharing; enable consumer privacy rights with timely responses; honor opt-outs and preference signals; update vendor contracts; maintain security safeguards and incident response; train staff and document your decisions; and keep privacy policies and notices current and consistent with your actual practices.
