- International businesses are subject to the California Consumer Privacy Act (CCPA) if they meet specific revenue or data processing thresholds, regardless of physical presence in the United States.
- The 2026 compliance cycle emphasizes strict transparency regarding "Sensitive Personal Information" (SPI) and the use of automated decision-making technologies.
- Non-compliant entities face administrative fines of up to $7,500 per intentional violation and risk statutory damages through private class-action litigation in the event of a data breach.
- Statutory response times are firm; companies must acknowledge consumer requests within 10 business days and fulfill them within 45 calendar days.
- Implementing Global Privacy Control (GPC) signals is no longer optional but a mandatory technical requirement for businesses that sell or share data.
Does your non-US business meet California's revenue or data thresholds?
A non-US business must comply with the CCPA if it "does business" in California, collects personal information from California residents, and meets at least one of three specific triggers. You do not need a physical office, warehouse, or employees in California to fall under the jurisdiction of the California Privacy Protection Agency (CPPA).
Your international entity is legally obligated to comply if it meets any of the following criteria:
- Annual Gross Revenue: The business had annual gross revenues in excess of $25 million in the preceding calendar year.
- Data Volume: The business annually buys, sells, or shares the personal information of 100,000 or more California residents or households.
- Revenue Percentage: The business derives 50% or more of its annual revenue from selling or sharing the personal information of California residents.
| Criterion | Threshold | Application for Foreign Firms |
|---|---|---|
| Revenue | >$25 Million USD | Includes global revenue, not just California-derived revenue. |
| Data Processing | 100,000+ Consumers | Includes IP addresses, cookies, and device IDs of CA visitors. |
| Data Monetization | 50% of Revenue | Applies to data brokers and ad-tech dependent models. |
Updated privacy notice requirements for the 2026 compliance cycle
By 2026, privacy notices must move beyond generic disclosures to provide granular transparency about data retention and automated processing. Businesses must provide a "Notice at Collection" that informs consumers exactly which categories of personal information are being gathered and for what specific purpose.
To meet the 2026 standards, your privacy policy must include:
- Categories of Sensitive Personal Information (SPI): You must explicitly state whether you collect social security numbers, precise geolocation, racial or ethnic origin, or genetic data.
- Data Retention Schedule: You must disclose the length of time you intend to retain each category of personal information or the specific criteria used to determine that period.
- Automated Decision-Making Technology (ADMT): If you use AI or algorithms to profile consumers for financial, employment, or healthcare purposes, you must explain the logic and allow consumers to opt out.
- Third-Party Disclosures: You must identify the specific categories of third parties to whom data is "sold" or "shared" (the latter referring to cross-context behavioral advertising).
Implementing 'Do Not Sell or Share My Personal Information' links for global sites
The CCPA requires a "clear and conspicuous" link on your website homepage that allows California residents to opt-out of the sale or sharing of their data. For international businesses, this often requires geo-fencing the link so it only appears to users with California-based IP addresses, or adopting a "Global Privacy" standard for all users to simplify tech stacks.
The implementation must follow these technical and legal requirements:
- Specific Language: The link must be titled exactly "Do Not Sell or Share My Personal Information" or "Your Privacy Choices" accompanied by a specific opt-out icon designed by the State of California.
- Global Privacy Control (GPC): Your website must be configured to automatically recognize GPC signals sent by browser settings. If a user has GPC enabled, you must treat it as a valid request to opt out of data sales/sharing without requiring them to click a link.
- Frictionless Experience: You cannot require a user to create an account or provide additional personal information just to opt out.
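The GPC requirement above is a concrete technical check: a browser with GPC enabled sends a `Sec-GPC: 1` request header (and exposes `navigator.globalPrivacyControl` to page scripts), and the server has to treat that header as an opt-out before any sale/share data flow fires. The following is an added example written for this page, not code from the original article or from any vendor; it assumes a generic request object with a headers and cookies dictionary, a constructed list of vendor tags, and a constructed `region` field populated by whatever geo-IP lookup the site already has. It also shows both deployment choices the section describes: honoring the signal for every visitor, or geo-fencing it to California.

```python
"""Server-side Global Privacy Control (GPC) handling (added example).

The Sec-GPC request header and its single defined value "1" come from the
GPC specification (globalprivacycontrol.org). The request model, vendor
tags and cookie name below are constructed for this example.
"""
from dataclasses import dataclass, field

# Constructed vendor tags. Anything in SALE_SHARE_VENDORS is a disclosure
# that counts as a "sale" or "share" (e.g. cross-context ad pixels) and must
# be suppressed once the user has opted out. FIRST_PARTY_ONLY flows are not
# affected by the opt-out.
SALE_SHARE_VENDORS = {"ad_pixel_meta", "ad_pixel_google", "data_broker_feed"}
FIRST_PARTY_ONLY = {"analytics_first_party", "fraud_prevention"}

OPT_OUT_COOKIE = "ccpa_opt_out"  # constructed name


@dataclass
class Request:
    headers: dict
    cookies: dict = field(default_factory=dict)
    region: str = "unknown"  # e.g. "US-CA" from a geo-IP lookup (assumed)


@dataclass
class PrivacyDecision:
    opt_out: bool
    source: str            # "gpc", "cookie" or "none"
    allowed_vendors: set   # vendors this response may send data to


def gpc_signal_present(headers: dict) -> bool:
    """True if the request carries a valid GPC opt-out signal.

    Header names are case-insensitive; the only defined value is "1".
    """
    for name, value in headers.items():
        if name.lower() == "sec-gpc":
            return value.strip() == "1"
    return False


def decide(request: Request, honor_globally: bool = True) -> PrivacyDecision:
    """Return which vendors may receive this visitor's data.

    honor_globally=True applies the GPC opt-out to every visitor (the
    "Global Privacy" approach); False geo-fences it to California traffic.
    An explicit opt-out previously stored in a first-party cookie is honored
    regardless of region, because the user made that choice on this site.
    """
    in_scope = honor_globally or request.region == "US-CA"
    if in_scope and gpc_signal_present(request.headers):
        return PrivacyDecision(True, "gpc", set(FIRST_PARTY_ONLY))
    if request.cookies.get(OPT_OUT_COOKIE) == "1":
        return PrivacyDecision(True, "cookie", set(FIRST_PARTY_ONLY))
    return PrivacyDecision(False, "none", FIRST_PARTY_ONLY | SALE_SHARE_VENDORS)


def persist_opt_out(decision: PrivacyDecision) -> dict:
    """Response headers to add. A GPC-derived opt-out is written to a
    first-party cookie so the site's own preference state matches the
    browser signal (a design choice for this example, not a statutory rule).
    """
    if decision.opt_out and decision.source == "gpc":
        return {"Set-Cookie": f"{OPT_OUT_COOKIE}=1; Path=/; Max-Age=31536000; "
                              "SameSite=Lax; Secure"}
    return {}


def render_tags(decision: PrivacyDecision, requested: set) -> set:
    """Filter the vendor tags a page template wants to emit down to the
    ones the decision allows. Call this before emitting any pixel."""
    return requested & decision.allowed_vendors
```

The check has to run before the first byte of tracking script is emitted; filtering tags after the page has already fired a pixel is exactly the situation the "pixel litigation" described later in the article targets. For single-page applications that build requests client-side, the same decision can be mirrored in the browser by reading `navigator.globalPrivacyControl`, but the server-side header check remains the authoritative one because it also covers requests that carry no JavaScript.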
Managing consumer data requests within the 45-day legal window
The CCPA grants California residents the right to know, delete, correct, and limit the use of their data, and businesses must respond within 45 calendar days. This timeframe is rigid, and failing to meet it is one of the most common triggers for regulatory audits.
To manage Data Subject Access Requests (DSARs) effectively, follow this workflow:
- Intake and Acknowledgment: Provide at least two methods for requests (e.g., a toll-free number and a web form). Acknowledge receipt within 10 business days.
- Identity Verification: Match the requester's information against your existing records to prevent data fraud. Use a "reasonably high" degree of certainty for sensitive requests like deletion.
- Internal Data Map: Query all departments (marketing, sales, HR, customer support) to locate every instance of the consumer's data.
- The 45-Day Fulfillment: Deliver the requested data in a portable, readily usable format or confirm the deletion/correction.
- Extensions: If necessary, you may extend the deadline by an additional 45 days, but you must notify the consumer and provide a reason for the delay within the initial 45-day period.
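The workflow above is driven by two clocks, a 10-business-day acknowledgment clock and a 45-calendar-day fulfillment clock, plus the rule that an extension notice must go out inside the initial window. The following deadline tracker is an added example written for this page, not code from the article; it assumes only the periods stated above, models weekends but not holidays, and treats the extension as a single one-time event (an assumption of the example). Dates are accepted and returned as ISO-8601 strings so it can be wired into any ticketing system.

```python
"""DSAR deadline tracker for the CCPA response windows (added example).

Periods come from the text above; weekend-only business-day arithmetic and
the single-extension rule are assumptions of this example.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Tuple

ACK_BUSINESS_DAYS = 10
FULFILL_CALENDAR_DAYS = 45
EXTENSION_CALENDAR_DAYS = 45

VERIFY_STRICTLY = {"delete", "correct"}  # requests needing stronger identity proof


def add_business_days(start: date, n: int) -> date:
    """Advance n business days (Mon-Fri); holidays are not modelled."""
    d = start
    while n > 0:
        d += timedelta(days=1)
        if d.weekday() < 5:  # Monday=0 .. Friday=4
            n -= 1
    return d


@dataclass
class Dsar:
    received: date
    kind: str                           # "know", "delete", "correct" or "limit"
    verified: bool = False
    acknowledged_on: Optional[date] = None
    extended_on: Optional[date] = None
    extension_reason: str = ""
    fulfilled_on: Optional[date] = None

    @classmethod
    def new(cls, received_iso: str, kind: str) -> "Dsar":
        return cls(date.fromisoformat(received_iso), kind)

    @property
    def ack_deadline(self) -> date:
        return add_business_days(self.received, ACK_BUSINESS_DAYS)

    @property
    def initial_deadline(self) -> date:
        return self.received + timedelta(days=FULFILL_CALENDAR_DAYS)

    @property
    def fulfill_deadline(self) -> date:
        if self.extended_on is None:
            return self.initial_deadline
        return self.initial_deadline + timedelta(days=EXTENSION_CALENDAR_DAYS)

    def acknowledge(self, on_iso: str) -> None:
        self.acknowledged_on = date.fromisoformat(on_iso)

    def extend(self, on_iso: str, reason: str) -> None:
        """Record the extension notice; rejects a second extension, a missing
        reason, or a notice sent after the initial 45-day window."""
        on = date.fromisoformat(on_iso)
        if self.extended_on is not None:
            raise ValueError("only one extension is allowed (assumed)")
        if not reason.strip():
            raise ValueError("extension notice must state a reason")
        if on > self.initial_deadline:
            raise ValueError("extension notice must be sent within the initial 45 days")
        self.extended_on = on
        self.extension_reason = reason

    def fulfill(self, on_iso: str) -> None:
        """Deletion and correction are refused until identity is verified."""
        if self.kind in VERIFY_STRICTLY and not self.verified:
            raise ValueError(f"{self.kind} request requires identity verification")
        self.fulfilled_on = date.fromisoformat(on_iso)


def overdue_items(requests: List[Dsar], today_iso: str) -> List[Tuple[int, str]]:
    """(index, clock) pairs for every request that has missed a deadline."""
    today = date.fromisoformat(today_iso)
    out = []
    for i, r in enumerate(requests):
        if r.acknowledged_on is None and today > r.ack_deadline:
            out.append((i, "acknowledgment"))
        if r.fulfilled_on is None and today > r.fulfill_deadline:
            out.append((i, "fulfillment"))
    return out
```

Running `overdue_items` daily over the open queue gives the audit trail that a regulator asks for first: when each request arrived, when it was acknowledged, and whether any extension notice went out inside the original window rather than after it.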
Penalties for non-compliance and recent class-action litigation trends
Financial penalties for CCPA violations are calculated per violation, meaning a single data mishandling incident affecting 1,000 customers could result in catastrophic totals. The California Attorney General and the CPPA have significantly ramped up enforcement against international retail and tech firms.
- Administrative Fines: $2,500 for each non-intentional violation and $7,500 for each intentional violation or those involving minors.
- Private Right of Action: While most of the CCPA is enforced by the state, consumers can sue for statutory damages ($100 to $750 per consumer per incident) if their unencrypted or unredacted personal information is breached due to a failure to maintain reasonable security.
- Litigation Trends: We are seeing a surge in "pixel litigation," where plaintiffs' attorneys file class actions against companies using tracking pixels (like Meta or Google pixels) without proper "Do Not Sell" disclosures, claiming these tools constitute an illegal "sale" of data.
Common Misconceptions about CCPA for Foreign Entities
Myth 1: "We are GDPR compliant, so we are CCPA compliant." While GDPR and CCPA share similarities, they have different definitions of "personal information" and different requirements for opt-out vs. opt-in. GDPR focuses on a "legal basis" for processing, whereas CCPA focuses heavily on the right to opt-out of data monetization and the specific "sale/share" definitions.
Myth 2: "If we don't have a US bank account or entity, they can't fine us." The CPPA has the authority to seek enforcement of judgments through international legal cooperation. Furthermore, failing to comply can lead to your website being blocked or your US-based service providers (like payment processors or cloud hosts) being legally forced to terminate your contracts to avoid their own liability.
FAQ
Does the CCPA apply to B2B data?
Yes. Since 2023, the exemptions for business-to-business (B2B) personal information and employee data have expired. International companies must now treat the data of their California-based employees and business contacts with the same protections as individual consumers.
What is the difference between "selling" and "sharing" data?
"Selling" involves the exchange of personal information for monetary or other valuable consideration. "Sharing" refers specifically to disclosing personal information to a third party for cross-context behavioral advertising, regardless of whether money changes hands.
Do I need a Data Protection Officer (DPO) for CCPA?
The CCPA does not explicitly mandate a DPO role like the GDPR does, but it does require that the individuals responsible for handling consumer inquiries are informed of the law's requirements. Large entities often appoint a privacy lead to ensure the 45-day response window is met.
Can I charge a fee for fulfilling a data request?
No. You must provide the information and perform deletions or corrections free of charge. You can only charge a "reasonable fee" or refuse a request if it is "manifestly unfounded or excessive," which is a very high legal bar to meet.
When to Hire a Lawyer
Compliance with California law from abroad involves significant risk. You should consult a US-based privacy attorney if:
- You are unsure if your global revenue or data collection meets the $25M or 100k-consumer thresholds.
- You utilize complex tracking technologies, AI, or automated profiling on your website or app.
- You have received a "Notice of Violation" from the California Privacy Protection Agency.
- You have experienced a data breach involving California residents.
- You are entering into contracts with US vendors who require CCPA-compliant "Service Provider" language.
Next Steps
- Audit your data: Determine exactly how many California residents' records you process annually.
- Update your tech: Implement Global Privacy Control (GPC) recognition and update your footer with the mandatory "Your Privacy Choices" link.
- Review vendor contracts: Ensure your US partners are classified as "Service Providers" under CCPA to avoid their data use being classified as an unauthorized "sale."
- Train your team: Ensure your customer service or IT team understands how to verify a consumer's identity and fulfill a request within the 45-day window.