Last updated on 16 September 2022 by Stephen Titcombe (Legal writer at TermsFeed)
In short, the CCPA does apply outside the United States. This is because the California Consumer Privacy Act (CCPA) applies to all entities that collect or process the personal information of Californians, regardless of where such entities are located.
Of course, there are several other criteria you need to consider to be certain if the CCPA applies to your business. But, in any case, the CCPA's scope is not limited by geographical or territorial boundaries.
This article will examine the extraterritorial application of the CCPA and help you determine if the CCPA applies to your business. We'll also discuss what steps you can take to comply if your business falls under its scope.
The CCPA was signed into law by California State Governor Jerry Brown on June 28, 2018, and became effective on January 1, 2020. The law gives residents of California more control over their personal information by granting them several consumer privacy rights.
As the first law of its kind in the United States, the CCPA serves as a model data protection regulation, opening the door to a nationwide campaign to protect the online privacy of consumers.
It's worth noting that the CCPA shares quite a few similarities with the gold standard of privacy laws, the EU General Data Protection Regulation (GDPR). And while the CCPA is less stringent than its European equivalent, it features an identical set of objectives.
To sum it up, the CCPA:
Now that we understand what the CCPA aims to accomplish, let's examine how the law defines certain terms.
To get a good grasp of what the CCPA entails and how your business can comply appropriately, you need to understand how the law defines its terms. Let's briefly go over the essentials.
A consumer under the CCPA refers to a "natural person" who is a resident of California, as defined in Cal. Code Regs. tit. 18, § 17014:
"(1) every individual who is in the State for other than a temporary or transitory purpose, and (2) every individual who is domiciled in the State who is outside the State for a temporary or transitory purpose."
Notably, the CCPA's definition of consumers doesn't include visitors to California. Moreover, the law covers California residents even when they are temporarily outside of California.
The CCPA defines personal information as:
"any information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household."
The CCPA goes on to provide a comprehensive list of data types that may constitute personal information. Some of the more common ones include:
Other categories of data that can constitute personal information include but aren't restricted to:
However, personal information does not include publicly available information.
A service provider refers to any entity that receives and processes personal information on behalf of a business.
Essentially, a service provider operates exclusively under the direction and supervision of a business. Service providers may include analytics platforms, payment processors, marketing agencies, and so on.
It's important to note that the CCPA does not apply to service providers.
For more information on service providers, check out our article: The Complete Guide to CCPA Service Providers.
Now that we understand the purpose of the CCPA as well as its key terms, let's go over the extraterritorial application of the law.
Businesses may assume that since the CCPA is a state law, it doesn't apply outside California or the United States. This assumption is not only incorrect, but it could also lead to enforcement actions and substantial fines for such businesses.
Much like the GDPR, the CCPA's scope isn't limited to businesses within its geographic jurisdiction. In other words, your business doesn't need to be physically present in California to be bound by the CCPA.
The CCPA can apply to businesses anywhere in the world as long as they "do business" in California or collect consumers' personal information and meet one of the CCPA's thresholds (as we'll see in the next section).
Although the CCPA doesn't clarify what "doing business" means, the California Attorney General stated that this phrase should be interpreted "according to the plain language of the words and other California law."
Based on this statement, any entity that "does business" in California does at least one of the following:
In the next section, we'll discuss (in more detail) the factors determining whether your business is subject to the CCPA.
The bottom line here is that the CCPA isn't restricted by geographical boundaries. Consequently, the law applies to businesses anywhere in the world as long as they fall under its jurisdiction.
The CCPA is quite comprehensive and includes several factors to determine whether businesses must comply with its provisions. To help you find out if your business falls under the CCPA's scope, consider this three-part question:
Based on its primary definition of a business, the CCPA applies exclusively to for-profit entities that "do business" in California.
If your business is a non-profit entity, you will likely not need to comply with the CCPA.
However, an exception may apply in some instances, thanks to the CCPA's secondary definition of a business.
Essentially, any entity (including a non-profit) that controls or is controlled by a for-profit business and "shares common branding" with such a business may fall under the CCPA's scope.
Simply put, your business may fall under the CCPA's scope if you collect the personal information of consumers (aka California residents). Alternatively, the CCPA may apply to you if personal information is collected on your behalf.
To provide additional context, if you (independently or jointly with others) decide the "purposes and means" of processing consumers' personal information, then you may also be subject to the CCPA.
This provision is notably identical to the GDPR's definition of a controller.
If your business meets at least one of the following thresholds, the CCPA may apply to your business:
If you answered yes to all three questions, the CCPA undoubtedly applies to your business.
To summarize, the CCPA applies to any for-profit entity that "does business" in California or collects consumers' personal information and meets at least one of the CCPA's thresholds.
Next, we'll briefly discuss what steps you can take to comply with the CCPA if your business falls under its scope.
Once you've established that the CCPA applies to your business, you're required to comply with certain obligations as stipulated under the law.
For more in-depth coverage of the CCPA requirements, check out our article: CCPA Compliance Requirements.
Here's a brief overview of your major CCPA responsibilities.
The CCPA grants consumers certain privacy rights over their personal information. As a CCPA-covered business, you are obligated to observe and help consumers exercise these rights at their request.
Briefly, CCPA consumer rights are as follows:
For more information about the CCPA rights, check out our article Consumer Rights Under the CCPA.
Here's how Netflix discloses the CCPA consumer rights in the CCPA section of its Privacy Statement:
The CCPA requires you to set up a "Do Not Sell My Personal Information" page if you sell personal information. This helps consumers exercise their right to opt out of the sale of their information.
If you're unclear about what constitutes a sale of personal information, check out our article: CCPA: What Constitutes a "Sale" of Personal Information.
Even if you don't sell personal information, it's a good idea to set up this page anyway and simply let consumers know that you don't sell their information.
You can also include this link in your website footer like AGCO does here:
When consumers click the link, they are directed to a webpage that explains how they can opt out of the sale of personal information:
Under the CCPA, you must maintain reasonable security safeguards to protect personal information and prevent data breaches involving its unauthorized access, exfiltration, disclosure, or theft.
Employing safeguards like data encryption, staff training, two-factor authentication, and firewalls will be considered reasonable.
Keep in mind that consumers have the right to bring a civil action against your business if this provision is violated.
The CCPA requires businesses to provide a "Notice at Collection" before or when they collect personal information.
According to California's Attorney General, this notice must include the following:
Here's a good example from AGCO:
For more information about the "notice at collection" and other important CCPA notices, check out our article: CCPA Notices.
Despite being a state privacy law, the CCPA has quite an extensive reach as it can apply to businesses outside California and even the United States.
You don't need a physical presence (e.g., an office or store) in California to be subject to the CCPA. The law can apply to your business regardless of where you are based as long as you:
If the CCPA applies to you, then you'll have to comply with the following responsibilities:
This article is not a substitute for professional legal advice. This article does not create an attorney-client relationship, nor is it a solicitation to offer legal advice.