CCPA Outside California: Real-World Scenarios to Understand When It Applies
CCPA Applicability Criteria
The CCPA can apply to a company located anywhere if it meets the geographical applicability criteria and handles the personal information of California residents. You become a covered “business” when you are a for‑profit entity that does business in California and meet at least one threshold.
Primary triggers
- Annual gross revenue threshold: $25 million or more, measured across the organization and relevant affiliates that share branding.
- Consumer data processing volume: handling personal information of 100,000 or more California consumers or households within a rolling 12-month measurement.
- Personal information sale or sharing: deriving 50% or more of annual revenues from the sale or sharing of personal information.
“Sale” is broadly defined and can include transfers for monetary or other valuable consideration. “Sharing” covers cross‑context behavioral advertising. Both can occur through common adtech integrations even when you never exchange raw lists.
Entities under common control
If you control or are controlled by another entity and share a common brand, your activities may be aggregated for threshold analysis. This prevents businesses from fragmenting operations to stay below a threshold.
Definition of Doing Business in California
The CCPA does not tie “doing business in California” solely to offices, stores, or servers. It focuses on how and from whom you collect or use data. You may be doing business in California even without a physical footprint.
Practical indicators
- You offer goods or services to California addresses or price and market specifically to California consumers.
- You knowingly collect personal information from devices located in California (for example, via IP geolocation) or run campaigns targeted to California audiences.
- You employ staff or contractors who work from California and whose personal information you process.
- You maintain partnerships or adtech flows that track California users and use that data for analytics, personalization, or advertising.
In short, if your operations predictably reach California residents and you collect or use their data, you are likely doing business in California for CCPA purposes.
Common Misconceptions About CCPA
- “No office in California means no CCPA.” Physical presence is not required; applicability turns on your data practices and California consumers.
- “We don’t sell data.” Personal information sale is broader than list‑selling and can include transfers for value through advertising technology, data cooperatives, or enrichment services.
- “B2B doesn’t count.” The partial exemption for B2B data has sunset, so most rights now extend to business contacts; treat B2B contacts as in scope unless a specific limitation applies.
- “Only paying customers count toward thresholds.” Thresholds look at consumers or households whose data you handle, not just purchasers—think site visitors, app users, and leads.
- “We can wait until we cross a threshold.” Compliance measures should be in place before you cross a threshold, because the rolling 12-month measurement can push you over without much warning.
Exemptions and Limitations
Some data or entities are out of scope, but the carve‑outs are specific and often data‑level rather than blanket.
- Business entity exemption: nonprofits and government entities are generally outside the law, though their for‑profit subsidiaries or vendors may still be covered.
- Data‑level exemptions: certain information subject to sectoral laws (for example, financial data under GLBA, medical data under HIPAA, credit reporting data under FCRA) may be exempt when processed pursuant to those laws.
- Publicly available, deidentified, or aggregated information is not “personal information” under the CCPA when properly handled.
- Legal and security exceptions allow processing required to comply with law, investigate security incidents, or exercise/defend legal claims.
Because exemptions are narrow, you should map data precisely to confirm what is truly excluded and what remains subject to CCPA obligations.
Compliance Obligations for Out-of-State Businesses
If you meet a trigger, you must implement a rights‑based privacy program tailored to California residents, even when you operate elsewhere.
Notices and transparency
- Provide clear, layered privacy notices at collection and in your privacy policy that explain categories of personal information, purposes, retention, and whether you sell or share data.
- Disclose how consumers can opt out of personal information sale or sharing and, if applicable, limit the use and disclosure of sensitive personal information.
Consumer rights operations
- Offer, verify, and fulfill requests to know, delete, correct, and opt out, with accessible methods (web form, toll‑free number, or email as applicable).
- Honor browser‑based preference signals (such as a recognized opt‑out signal) as an opt‑out of sale or sharing.
Adtech and cookies
- Inventory all advertising and analytics partners; configure them as service providers where appropriate or offer opt‑outs if the relationship is a sale or share.
- Display “Do Not Sell or Share My Personal Information” and, where needed, “Limit the Use of My Sensitive Personal Information.”
Vendor contracts and governance
- Execute service provider or contractor terms that restrict use, require assistance with requests, and mandate security and subprocessor controls.
- Define retention schedules and apply data minimization so you keep only what you need for disclosed purposes.
- Train staff, monitor metrics tied to the rolling 12-month measurement, and maintain records of requests and responses.
Impact of Data Processing Thresholds
Thresholds determine whether you are in scope and can shift with campaigns, seasonality, or growth. Understanding them early helps you avoid last‑minute compliance scrambles.
- Annual gross revenue threshold: crossing $25 million brings you into scope even if you handle relatively little California data or do not engage in personal information sale.
- Consumer data processing volume: free trials, newsletter signups, and ad impressions can push you over 100,000 California consumers or households faster than purchases alone.
- Revenue mix: if a large share of revenue comes from selling or sharing data (including ad‑supported models), you may qualify based on business model rather than size.
- Rolling 12-month measurement: counts move with time; you may fall in and out of scope as you gain or lose California traffic, so monitor continuously.
Plan for the “just crossed” moment by having notices, opt‑outs, and contracts ready before marketing or partnerships increase your counts.
Practical Examples of CCPA Enforcement Outside California
Example 1: E‑commerce retailer in Ohio
An online retailer ships nationwide and runs retargeting ads. It processes 140,000 California consumer profiles over a rolling 12-month measurement and uses adtech that constitutes sharing. It must provide opt‑outs, update notices, and implement service provider contracts, even without a California office.
Example 2: B2B SaaS vendor in Illinois
A SaaS platform has $27 million in annual gross revenue and 40,000 California admin users. The revenue threshold alone triggers CCPA. Because the partial exemption for B2B data has sunset, the company must honor access, deletion, and correction rights for business contacts and support opt‑out where applicable.
Example 3: Canadian mobile game studio
The studio collects ad IDs and precise location for personalization and participates in cross‑context behavioral advertising. It has 120,000 California players. Despite being outside the U.S., the sale/sharing model and consumer data processing volume trigger obligations for California users.
Example 4: New York nonprofit with a for‑profit subsidiary
The nonprofit may qualify for a business entity exemption, but its for‑profit subsidiary that shares branding runs a fundraising storefront targeting California. The subsidiary’s operations and shared branding can bring it squarely into CCPA scope.
Example 5: UK marketplace using hashed email matching
The marketplace discloses hashed emails to multiple partners for audience expansion, receiving discounts and premium placements in return. That exchange can be a personal information sale or sharing, so opt‑outs and “Do Not Sell or Share” disclosures apply to California consumers.
Taken together, these scenarios show that CCPA applies based on what you do with California data—not where you are located. If you touch California consumers, design your program to meet the law’s requirements before growth pushes you over a threshold.
FAQs
Does CCPA apply to businesses with no physical presence in California?
Yes. If you do business in California and meet a threshold—such as the annual gross revenue threshold, the consumer data processing volume threshold, or significant revenue from personal information sale or sharing—the CCPA can apply even without a California office or servers.
Can deleting data avoid CCPA compliance thresholds?
Deleting data after collection does not retroactively erase obligations. Thresholds use a rolling 12-month measurement, so prior activity counts. Proactive scoping—limiting collection, disabling sale/sharing, and controlling California targeting—can reduce future counts, but you must still honor rights for data you already processed.
What defines doing business in California under CCPA?
Practically, you are doing business in California when you predictably reach California residents and collect or use their data—through shipping, targeted marketing, California workforce, or tracking California site/app users. The focus is on your data flows and consumers, not physical presence alone.
Is geo-blocking an effective way to avoid CCPA obligations?
Geo‑blocking may reduce exposure but is not a guaranteed shield. It can be bypassed, can misclassify users, and can conflict with marketing goals. If you still collect or use California residents’ data—or meet the annual gross revenue threshold—you can remain in scope despite geo‑blocking.