Any organization (regardless of where it is located) that processes the personal data of California consumers needs to comply with the CCPA if they fall within the law’s scope. That is, if they meet at least one of the following criteria:
1. Has annual gross revenues in excess of twenty-five million dollars.
2. Buys, receives, sells, or shares the personal information of 50,000 or more consumers, households, or devices.
3. Derives 50 percent or more of its annual revenues from selling consumers’ personal information.
Critically, under the CCPA, California defines “personal data” broadly, so that the law generally covers any information relating to an identified or identifiable individual.