CCPA Outside California: Do You Need to Comply? Best Practices and Compliance Tips



Kevin Henry

Data Privacy

March 17, 2025

8 minutes read

CCPA Applicability Criteria Outside California

You can be located anywhere and still be subject to the California Consumer Privacy Act (as amended by the CPRA) if you do business in California, collect Personal Information from California residents, and meet specific thresholds. Physical presence in the state is not required.

Who is a “business” under the CCPA?

You are likely a “business” if you determine the purposes and means of processing Personal Information of California consumers and meet any of the Revenue Thresholds or data-volume triggers below. Service providers and contractors that process data on behalf of a business have separate duties but are not “businesses” for the same data.

Revenue Thresholds and data-volume triggers

  • Annual gross revenues over $25 million in the preceding year.
  • Buying, selling, or sharing Personal Information of 100,000 or more California residents or households in a year.
  • Deriving 50% or more of annual revenue from selling or sharing consumers’ Personal Information.

Data Sale Definition and “sharing”

The data sale definition is broad: a “sale” occurs when Personal Information is disclosed for monetary or other valuable consideration. “Sharing” covers disclosures for cross-context behavioral advertising, even without payment. Both activities trigger opt-out rights and additional obligations.

Consumer Rights you must honor

California residents have Consumer Rights to know, access, correct, and delete Personal Information; to opt out of sale or sharing; to limit use of Sensitive Personal Information; and to be free from discrimination for exercising these rights. Employees, job applicants, contractors, and most B2B contacts now receive these protections.

Exemptions from CCPA Compliance

Some entities and data types are excluded, but exemptions are narrow and context-specific. You must map data carefully to avoid treating non-exempt data as exempt.

Entity and activity-based exemptions

  • Non-profit organizations and government agencies are generally outside scope (see dedicated sections below for caveats).
  • Service providers and contractors are covered differently; they must follow contract instructions and are restricted from using Personal Information for their own purposes.

Data-level exemptions

  • Protected health information under HIPAA and medical information under California’s CMIA.
  • Financial data processed pursuant to the GLBA.
  • Consumer credit data handled under the FCRA.
  • Vehicle owner data under the DPPA and children’s data covered by COPPA.

Exemptions usually apply only to the specific data processed under those regimes. Mixed datasets should be segmented so non-exempt Personal Information remains subject to CCPA requirements.

Best Practices for CCPA Compliance

Building a durable program requires clear governance, robust processes, and measurable outcomes. The following actions align legal requirements with practical execution.

Compliance Oversight and governance

  • Designate a privacy lead with authority to coordinate audits, training, and remediation.
  • Maintain a data map showing what Personal Information you collect, from whom, for what purposes, where it is stored, and with whom it is shared.
  • Adopt risk-based reviews for high-impact processing, advertising uses, and new products.

Privacy Policy Updates

  • Publish a clear, consumer-facing notice describing categories of Personal Information, purposes, retention periods, and whether you sell or share data or use Sensitive Personal Information.
  • Explain Consumer Rights and how to submit requests, including recognition of opt-out preference signals like Global Privacy Control (GPC).
  • Review and update at least annually and whenever practices change materially.

Consumer rights operations

  • Offer at least two request methods (for example, a web form and a toll-free number if you also interact with consumers offline); online-only businesses may provide a web-based method.
  • Verify identity proportionately, respond within 45 days (with one 45-day extension when necessary), and track deadlines.
  • For access, disclose the categories and specific pieces of Personal Information; for deletion and correction, act or explain applicable exceptions.
  • Honor “Do Not Sell or Share My Personal Information” and “Limit the Use of My Sensitive Personal Information” choices, including signals sent via GPC.

Vendor Contract Management

  • Classify partners as service providers, contractors, or third parties; this determines whether disclosures are “sales” or “sharing.”
  • Use contracts that restrict processing to specified purposes, prohibit combining data without permission, require security, enable audits, and mandate deletion or return at end of service.
  • Flow down obligations to sub-processors and monitor for ongoing compliance.

Data security, retention, and minimization

  • Implement reasonable security controls, including encryption, access management, and incident response plans.
  • Adopt a retention schedule tied to documented purposes; delete or de-identify data when no longer needed.
  • Collect only what you need for disclosed purposes, especially for Sensitive Personal Information.

CCPA and Non-Profit Organizations

Non-profit organizations are generally exempt, but their relationships can bring them into scope indirectly. Proactive practices reduce risk and build trust with donors and beneficiaries.


When non-profits may be in scope

  • If a non-profit controls or is controlled by a for-profit “business” and shares common branding, certain activities may be treated as part of the business’s operations.
  • Joint ventures or partnerships with for-profit entities can trigger obligations, particularly where data is pooled or monetized.
  • Acting as a service provider to a covered business imposes contractual duties, even if the non-profit itself is not a “business.”

Practical steps for non-profits

  • Adopt a public-facing privacy notice and basic request-handling process aligned with Consumer Rights.
  • Segregate donor and program data, limit access, and avoid unnecessary sharing with third parties or advertisers.
  • Use Vendor Contract Management to ensure downstream processors follow restrictions and security expectations.

CCPA and Government Agencies

California public agencies are generally excluded from the CCPA’s definition of “business,” but interactions with covered businesses and contractors still matter.

Agency considerations

  • When agencies hire vendors, contracts should mirror service provider restrictions, security requirements, and breach-notification obligations.
  • Public records obligations may require disclosure processes that differ from CCPA responses; coordinate carefully to avoid over- or under-disclosure.
  • Agencies that operate public-facing websites should provide clear notices and reasonable security practices consistent with privacy expectations.

CCPA Impact on Businesses with Online and Physical Presence

Omnichannel businesses must align web, mobile, and in-store operations so notices, choices, and retention rules work seamlessly across every touchpoint.

Online operations

  • Audit cookies, SDKs, and pixels to determine whether any disclosures are “sales” or “sharing.”
  • Implement consent or choice banners that capture opt-outs, honor GPC, and synchronize preferences across sessions and devices.
  • Disclose cross-context behavioral advertising in your privacy policy and provide a prominent “Do Not Sell or Share” link.
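The opt-out handling described in the consumer rights operations and online operations lists, as an added example that is not code from the article: it recognizes the Global Privacy Control signal (the W3C draft's `Sec-GPC: 1` request header and the `navigator.globalPrivacyControl` browser property) and records it as a “Do Not Sell or Share” preference that advertising tags must respect. The preference record fields (`sellShareOptOut`, `source`, `updatedAt`) and the sample request are assumptions constructed for the example.

```javascript
// Added example (not from the article): honor a Global Privacy Control (GPC)
// signal as a CCPA "Do Not Sell or Share My Personal Information" opt-out.
// Assumed conventions from the W3C GPC draft: request header "Sec-GPC: 1" and
// the browser property navigator.globalPrivacyControl === true.

// Server side: parse the GPC request header. Header names are matched
// case-insensitively; only the exact value "1" counts as an opt-out.
function gpcFromHeaders(headers) {
  for (const [name, value] of Object.entries(headers || {})) {
    if (name.toLowerCase() === "sec-gpc") {
      return String(value).trim() === "1";
    }
  }
  return false;
}

// Client side: `nav` is passed in so the check also runs outside a browser.
function gpcFromNavigator(nav) {
  return Boolean(nav && nav.globalPrivacyControl === true);
}

// Apply the signal to a stored preference record without mutating the input.
// A present signal records the opt-out; an absent signal never clears one,
// because an opt-out persists until the consumer affirmatively changes it.
function applyGpc(prefs, signalPresent, now = new Date()) {
  const updated = { ...prefs };
  if (signalPresent && updated.sellShareOptOut !== true) {
    updated.sellShareOptOut = true;
    updated.source = "gpc";
    updated.updatedAt = now.toISOString();
  }
  return updated;
}

// Gate for advertising pixels/SDKs: fire only when no opt-out is on record.
function mayShareForAds(prefs) {
  return prefs.sellShareOptOut !== true;
}

// Constructed sample: a request carrying the GPC header from a visitor whose
// stored record (assumed shape) had no opt-out yet.
const sampleHeaders = { Host: "shop.example", "Sec-GPC": "1", "User-Agent": "Constructed/1.0" };
const storedPrefs = { consumerId: "c-123", sellShareOptOut: false };
const result = applyGpc(storedPrefs, gpcFromHeaders(sampleHeaders), new Date("2025-03-17T00:00:00Z"));
```

The same `applyGpc` record can be written to the central preference service mentioned under “Unifying records and responses” so the opt-out is applied in-store as well as online.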

In-store operations

  • Provide notice at collection for point-of-sale, loyalty programs, Wi‑Fi, and video analytics, including retention periods and purposes.
  • Train staff to recognize and route Consumer Rights requests; offer printed or scannable QR options linking to request forms.
  • For loyalty or financial incentive programs, describe material terms and ensure rewards are reasonably related to the value of the data.

Unifying records and responses

  • Use a central identity and preference service so opt-outs apply online and in-store.
  • Log all requests in one system to monitor SLAs, metrics, and Compliance Oversight reviews.

Compliance Strategies for Businesses with Affiliates and Revenue from Data Sales

Affiliated groups and data-driven firms face added complexity. Structure governance and contracts to avoid unintended “sales” or “sharing” and to streamline responses at scale.

Group governance and policies

  • Adopt enterprise standards for data classification, access, and request handling; allow controlled local variations for unique lines of business.
  • Maintain a single privacy notice framework that discloses brand-specific practices while keeping consistent disclosures about “selling,” “sharing,” and Sensitive Personal Information.

Intercompany data flows

  • Document whether affiliates act as service providers or third parties to one another; align contracts accordingly to prevent inadvertent “sales.”
  • Use standardized data-sharing addenda that define purposes, prohibit secondary use, and require deletion on request.

Revenue from data sales or advertising

  • Quantify revenue tied to selling or sharing Personal Information to assess the 50% threshold and related obligations.
  • Offer clear opt-outs, minimize identifiers used for cross-context advertising, and consider shifting to contextual or cohort-based approaches.
  • Implement robust preference propagation so an opt-out at one affiliate applies network-wide where feasible.

Conclusion and next steps

If you target California residents and meet any threshold, treat CCPA compliance as a core program. Establish Compliance Oversight, deliver accurate disclosures, operationalize Consumer Rights, and mature Vendor Contract Management and security to sustain compliance as your business evolves.

FAQs

What triggers CCPA compliance for businesses outside California?

Meeting any threshold while doing business with California residents triggers obligations: over $25 million in annual revenue; buying, selling, or sharing Personal Information of 100,000+ consumers or households; or earning 50% or more of revenue from selling or sharing Personal Information. You do not need a physical location in California to be covered.

Are non-profit organizations subject to the CCPA?

Generally no, but a non-profit can be pulled into scope if it controls or is controlled by a covered for-profit entity and shares common branding, participates in a joint venture, or acts as a service provider under contract. In those cases, CCPA-style duties often apply to the relevant data.

How should businesses handle consumer data requests under CCPA?

Provide at least two intake methods, verify identity appropriately, and respond within 45 days (with a possible 45-day extension). Supply requested categories or specific pieces of Personal Information, correct or delete where required, and honor opt-outs including Global Privacy Control signals. Keep records of requests and outcomes to demonstrate compliance.

Does having an online presence in California mandate CCPA compliance?

Having a website accessible in California alone is not automatic coverage. If you actively do business with California residents—collecting their Personal Information and meeting one of the thresholds or engaging in selling or sharing—then the CCPA applies. Purposeful targeting, California customers, and monetization patterns are key factors.
