First of all, the effects of the law are limited to California residents. However, this does not mean that businesses outside of California will not have to comply with the law, if they deal with customers from this state. Since residents of California can access any website, regardless of where it is being operated from, it basically means that all website owners, in the US and abroad, should take steps towards CCPA compliance.
We have seen this before with the GDPR law in Europe, that was aimed at all companies handling the personal information of EU citizens. At the time the GDPR went into effect, website owners in the US and elsewhere either complied to GDPR for all of their customers, or decided to simply block access to their websites if the visit was being performed from an IP in the European Union.
If you run a website in any of the other American states, you might be facing a similar choice here. If you can afford to leave out your customers living in California, there is the option of blocking visits from Californian IPs. However, data privacy laws are likely to be on the agenda of legislators in the future, too. It is not unforeseeable that more, if not all states, will pass similar legislation in the future. So, instead of progressively blocking out potential customers, it may be wiser to comply now, regardless of where your business is located.
Secondly, unlike GDPR, the effects of the law are somwhat limited. CCPA will concern only the following companies:
- those with gross revenues of at least $25 million
- those who have personal information on at least 50,000 California residents / households / devices per year
- at least 50% of their annual revenue is generated from selling the personal data of Californians
If your website collects personal information, but does not fall under one of the above categories, then you are free to do business as usual. These caveats are a clear sign that the law was not designed with small business owners in mind, but rather that it targets corporations who are profiting from selling large sets of personal information. However, make sure to check the number of unique visitors from California you have on your website. If that number exceeds 50,000 in a year, then you will have to consider CCPA compliance.