In short, the CCPA (CPRA) does apply outside the United States. This is because the California Consumer Privacy Act (CCPA) applies to all entities that collect or process the personal information of Californians, regardless of where such entities are located.
Of course, there are several other criteria you need to consider to be certain if the CCPA (CPRA) applies to your business. But, in any case, the CCPA/CPRA's scope is not limited by geographical or territorial boundaries.
This article will examine the extraterritorial application of the CCPA (CPRA) and help you determine if it applies to your business. We'll also discuss what steps you can take to comply if your business falls under its scope.
Our Privacy Policy Generator makes it easy to create a Privacy Policy for your business. Just follow these steps:
-
At Step 1, select the Website option or App option or both.
-
Answer some questions about your website or app.
-
Answer some questions about your business.
-
Enter the email address where you'd like the Privacy Policy delivered and click "Generate."
You'll be able to instantly access and download your new Privacy Policy.
- 1. CCPA (CPRA) Overview
- 2. CCPA (CPRA) Definitions
- 2.1. Who is a Consumer?
- 2.2. What is Personal Information?
- 2.3. Who is a Service Provider?
- 3. Extraterritorial Application of the CCPA (CPRA)
- 4. The CCPA/CPRA's Scope: Who Does it Apply to?
- 4.1. Do You Run a For-Profit Business?
- 4.2. Do You Collect and Manage Consumers' Personal Information?
- 4.3. Does Any of the CCPA/CPRA's Threshold Apply to Your Business?
- 5. How to Comply with the CCPA (CPRA)
- 5.1. Provide a CCPA/CPRA-Compliant Privacy Policy
- 5.2. Observe CCPA (CPRA) Consumer Rights
- 5.3. Create a "Do Not Sell My Personal Information" Page
- 5.4. Maintain Reasonable Security Safeguards
- 5.5. Provide a Notice at Collection
- 6. Summary
CCPA (CPRA) Overview
The CCPA was signed into law by California State Governor Jerry Brown on June 28, 2018, and became effective on January 1, 2020. The law gives residents of California more control over their personal information by granting them several consumer privacy rights. It was amended by the California Privacy Rights Act (CPRA) which took affect on January 1, 2023.
As the first law of its kind in the United States, the CCPA (CPRA) serves as a model data protection regulation, opening the door to a nationwide campaign to protect the online privacy of consumers.
The law also provides a foundation for many of the concepts found in subsequent privacy laws like the Virginia Consumer Data Protection Act (VCDPA) and the Colorado Privacy Act (CPA).
It's worth noting that the CCPA (CPRA) shares quite a few similarities with the gold standard of privacy laws, the EU General Data Protection Regulation (GDPR). And while the CCPA (CPRA) is less stringent than its European equivalent, it features an identical set of objectives.
To sum it up, the CCPA (CPRA):
- Applies data protection responsibilities to companies that collect or process the personal information of California residents
- Advocates the principles of transparency, accountability, and control when handling personal information
- Grants California residents certain rights over their information through access, opt-out, transfer, and deletion requests
- Establishes significant penalties for companies that violate its requirements
Now that we understand what the CCPA (CPRA) aims to accomplish, let's examine how the law defines certain terms.
CCPA (CPRA) Definitions
To get a good grasp of what the CCPA (CPRA) entails and how your business can comply appropriately, you need to understand how the law defines its terms. Let's briefly go over the essentials.
Who is a Consumer?
A consumer under the CCPA (CPRA) refers to a "natural person" who is a resident of California, as defined in Cal. Code Regs. tit. 18, ยง 17014:
"(1) every individual who is in the State for other than a temporary or transitory purpose, and (2) every individual who is domiciled in the State who is outside the State for a temporary or transitory purpose."
Notably, the CCPA/CPRA's definition of consumers doesn't include visitors to California. Moreover, the law covers California residents even when they are temporarily outside of California.
What is Personal Information?
The CCPA (CPRA) defines personal information as:
"any information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household."
The CCPA (CPRA) goes on to provide a comprehensive list of data types that may constitute personal information. Some of the more common ones include:
- Full names
- Nicknames/Usernames
- Email addresses
- Passport numbers
- Drivers license number
Other categories of data that can constitute personal information include but aren't restricted to:
- Geolocation data
- Biometric data
- Internet data (e.g., IP address, browser history, cookies, etc.)
- Employment-related information
- Education-related information
- Protected classifications (e.g., race, nationality, sex, etc.)
However, personal information does not include publicly available information.
Note that the CPRA amended the CPRA to have a category of sensitive personal information that includes things such as sexual orientation, criminal history, biometric data and political affiliation.
Check out our article about how to comply with the CPRA's "limit the use of my sensitive personal information" requirement.
Who is a Service Provider?
A service provider refers to any entity that receives and processes personal information on behalf of a business.
Essentially, a service provider operates exclusively under the direction and supervision of a business. Service providers may include analytics platforms, payment processors, marketing agencies, and so on.
For more information on service providers, check out our article: The Complete Guide to CCPA Service Providers.
Now that we understand the purpose of the CCPA (CPRA) as well as its key terms, let's go over the extraterritorial application of the law.
Extraterritorial Application of the CCPA (CPRA)
Businesses may assume that since the CCPA (CPRA) is a state law, it doesn't apply outside California or the United States. This assumption is not only incorrect, but it could also lead to enforcement actions and substantial fines for such businesses.
Much like the GDPR, the CCPA/CPRA's scope isn't limited to businesses within its geographic jurisdiction. In other words, your business doesn't need to be physically present in California to be bound by the CCPA (CPRA).
The CCPA (CPRA) can apply to businesses anywhere in the world as long as they "do business" in California or collect consumers' personal information and meet one of the CCPA/CPRA's thresholds (as we'll see in the next section).
Although the CCPA (CPRA) doesn't clarify what "doing business" means, the California Attorney General stated that this phrase should be interpreted "according to the plain language of the words and other California law."
Based on this statement, any entity that "does business" in California does at least one of the following:
- Engages in transactions with California residents for a financial benefit (e.g., offering products or services)
- Hires California residents as employees or contractors
- Pays (or is subject to paying) California state taxes
In the next section, we'll discuss (in more detail) the factors determining whether your business is subject to the CCPA (CPRA).
The bottom line here is that the CCPA (CPRA) isn't restricted by geographical boundaries. Consequently, the law applies to businesses anywhere in the world as long as they fall under its jurisdiction.
The CCPA/CPRA's Scope: Who Does it Apply to?
The CCPA (CPRA) is quite comprehensive and includes several factors to determine whether businesses must comply with its provisions. To help you find out if your business falls under the CCPA/CPRA's scope, consider this three-part question:
Do You Run a For-Profit Business?
Based on its primary definition of a business, the CCPA (CPRA) applies exclusively to for-profit entities that "do business" in California.
If your business is a non-profit entity, you will likely not need to comply with the CCPA (CPRA).
However, an exception may apply in some instances, thanks to the CCPA/CPRA's secondary definition of a business.
Essentially, any entity (including a non-profit) that controls or is controlled by a for-profit business and "shares common branding" with such a business may fall under the CCPA/CPRA's scope.
Do You Collect and Manage Consumers' Personal Information?
Simply put, your business may fall under the CCPA/CPRA's scope if you collect the personal information of consumers (aka California residents). Alternatively, the CCPA (CPRA) may apply to you if personal information is collected on your behalf.
To provide additional context, if you (independently or jointly with others) decide the "purposes and means" of processing consumers' personal information, then you may also be subject to the CCPA (CPRA).
This provision is notably identical to the GDPR's definition of a controller.
Does Any of the CCPA/CPRA's Threshold Apply to Your Business?
If your business meets at least one of the following thresholds, the CCPA (CPRA) may apply to your business:
- Your annual gross revenue exceeds $25 million.
- You annually buy, sell, receive or share for commercial purposes the personal information of more than 100,000 consumers, households, or devices.
- You derive at least 50% of your annual revenue from selling or sharing consumers' personal information.
If you answered yes to all three questions, the CCPA (CPRA) undoubtedly applies to your business.
To summarize, the CCPA (CPRA) applies to any for-profit entities that "does business" in California or collects consumers' personal information and meets at least one of the CCPA/CPRA's thresholds.
Next, we'll briefly discuss what steps you can take to comply with the CCPA (CPRA) if your business falls under its scope.
How to Comply with the CCPA (CPRA)
Once you've established that the CCPA (CPRA) applies to your business, you're required to comply with certain obligations as stipulated under the law.
For more in-depth coverage of the CCPA (CPRA) requirements, check out our article: CCPA Compliance Requirements.
Here's a brief overview of your major CCPA (CPRA) responsibilities.
Provide a CCPA/CPRA-Compliant Privacy Policy
As a CCPA/CPRA-covered entity, you must provide consumers with a transparent, meaningful, and up-to-date Privacy Policy placed conspicuously on your website or app.
Your Privacy Policy must include specific disclosures, including how you collect, use, and share consumers' personal information. Keep in mind that you must update your Privacy Policy every 12 months and include the latest effective date within your policy.
In addition, the CCPA (CPRA) requires you to disclose the following details in your Privacy Policy:
- Specific information about CCPA (CPRA) consumer rights(we'll address this in more detail below)
- The categories of personal information you have collected in the past 12 months
- Your sources for each of those categories of information
- Your purposes for collecting each category of information
- How each category of information is shared or disclosed, and why
- Whether or not you sell personal information for business purposes
- Your contact information to receive consumer requests
Observe CCPA (CPRA) Consumer Rights
The CCPA (CPRA) grants consumers certain privacy rights over their personal information. As a CCPA/CPRA-covered business, you are obligated to observe and help consumers exercise these rights at their request.
Briefly, CCPA (CPRA) consumer rights are as follows:
- The right to know: Disclose the categories of data you collect, use, and share about consumers.
- The right to access: Upon request, provide consumers with copies of the personal information that your business holds about them.
- The right to delete: Delete a consumer's personal information at their request (subject to certain exceptions).
- The right to opt out: Upon request, stop selling the personal information of consumers.
- The right to non-discrimination: Don't discriminate against consumers (e.g., through higher prices or poorer goods and services) when they exercise their CCPA rights.
- The right to opt in (for minors): Obtain opt-in consent before selling the personal information of children under 16. Additionally, you must get parental consent before selling the personal information of children under 13.
For more information about the CCPA (CPRA) rights, check out our article Consumer Rights Under the CCPA.
Here's how Netflix discloses the CCPA consumer rights in the CCPA section of its Privacy Statement:
Create a "Do Not Sell My Personal Information" Page
The CCPA (CPRA) requires you to set up a "Do Not Sell My Personal Information" page if you sell personal information. This helps consumers exercise their right to opt out of the sale of their information.
If you're unclear about what constitutes a sale of personal information, check out our article: CCPA: What Constitutes a "Sale" of Personal Information.
Even if you don't sell personal information, it's a good idea to set up this page anyway and simply let consumers know that you don't sell their information.
After setting up your "Do Not Sell My Personal Information" page, you should provide links to this page in prominent places around your website or app and in your Privacy Policy.
For example, here's how Coca-Cola links this page in its Privacy Policy:
You can also include this link in your website footer like AGCO does here:
When consumers click the link, they are directed to a webpage that explains how they can opt out of the sale of personal information:
Maintain Reasonable Security Safeguards
Under the CCPA (CPRA), you must maintain reasonable security safeguards to protect personal information and avoid data breaches from unauthorized access, exfiltration, disclosure, and theft of personal information.
Employing safeguards like data encryption, staff training, two-factor authentication, and firewalls will be considered reasonable.
Keep in mind that consumers have the right to bring a civil action against your business if this provision is violated.
Once your security safeguards are in place, you should disclose them in your Privacy Policy like Tesla does here:
Provide a Notice at Collection
The CCPA (CPRA) requires businesses to provide a "Notice at Collection" before or when they collect personal information.
According to California's Attorney General, this notice must include the following:
- The categories of personal information you collect about consumers
- Your purposes for collecting each category of information
- A link to your "Do Not Sell My Personal Information" page (if applicable)
- A link to your Privacy Policy for a better description of your privacy practices
You can insert this notice in a section of your Privacy Policy or host it on a separate webpage, depending on your preference.
Here's a good example from AGCO:
For more information about the "notice at collection" and other important CCPA notices, check out our article: CCPA Notices.
Summary
Despite being a state privacy law, the CCPA (CPRA) has quite an extensive reach as it can apply to businesses outside California and even the United States.
You don't need a physical presence (e.g., an office or store) in California to be subject to the CCPA (CPRA). The law can apply to your business regardless of where you are based as long as you:
- Are a for-profit entity
- "Do business" in California or collect consumers' personal information, and
- Meet one of the CCPA's thresholds (as described above)
If the CCPA (CPRA) applies to you, then you'll have to comply with the following responsibilities:
- Provide a CCPA/CPRA-compliant Privacy Policy
- Observe and help exercise consumer rights
- Set up a "Do Not Sell My Personal Information" page and provide links in conspicuous places
- Maintain reasonable security safeguards
- Provide a Notice at Collection
Comprehensive compliance starts with a Privacy Policy.
Comply with the law with our agreements, policies, and consent banners. Everything is included.