Can the California Consumer Privacy Act (CCPA) apply to businesses in other states and other countries? The clear answer is: Yes, the CCPA can apply to businesses anywhere in the world.
As a first-of-its-kind data privacy law in the United States, the CCPA has affected business practices across the country, and even the world. Because it is a state law, there is some confusion among business leaders as to where the CCPA applies. While there are some jurisdictional limitations, they are not necessarily geographical.
How can a California law apply to businesses in other states and even other countries? It achieves this by way of two key provisions:
As to the first part, "doing business" in California is to be broadly understood. Whatever goods or services a business provides, if it provides them in California on a regular basis then that's probably good enough. For example, if an online media company based in New York makes its content available to readers in California (assuming it is accompanied by a for-profit element such as advertising), that should qualify as doing business in the state. The idea behind this is that by doing so, a business is availing itself of the protections, and therefore also the limitations, of California law. For most companies with any kind of online presence, it is a low bar to meet.
There still needs to be some connection to activity that takes place within California. Otherwise, the law would clearly be overreaching. For example, just because a retailer does business in California doesn't mean the CCPA can apply to its interactions with Minnesota residents that take place entirely inside Minnesota. Because of this, the CCPA is further limited to protecting California residents only. It should be noted, though, that California residents retain their CCPA rights even when temporarily traveling outside of the state.
The result is that, to the extent it does business in California and collects the personal information of California residents, any company in the world can be bound by the CCPA.
Not sure if you are required to be CCPA compliant? Use this checklist to determine whether the CCPA applies to your business.
If you answered yes to all four of these questions, then the CCPA applies to your business.
The California Privacy Rights Act (CPRA) changes the second threshold requirement to: "Businesses that buy, sell, or share the personal information of 100,000 consumers or households." Besides raising the number to 100,000, the threshold is further relaxed by not counting individual devices or when businesses only "receive" consumers' personal information.
If the CCPA applies to your business, don't delay on becoming compliant. Enforcement is underway and the California Attorney General is already sending out 30-day cure notices, potentially leading to expensive fines.
Worried about the cost of CCPA compliance and the demands on your staff's time? TrueVault Polaris automates the process of getting fully compliant and makes it easy to stay that way. Designed by attorneys, it provieds a guided experience anyone can follow, letting your business avoid the expense of hiring a law firm or consultant.
Learn more about TrueVault Polaris and contact our team today.
Read our Complete CCPA Guide for a more detailed look at the law.
Disclaimer: This content is provided for general informational purposes only and does not constitute legal advice. This content is not a substitute for obtaining legal advice from a licensed attorney. The information on this page may be changed without notice and is not guaranteed to be complete, correct or up-to-date, and may not reflect the most current legal developments.