For any business serving customers in the United States, California’s privacy law is often the one that bites first. The California Consumer Privacy Act, strengthened by the California Privacy Rights Act, gives California residents extensive rights over their personal information — and places enforceable duties on the businesses that handle it. Because California is such a vast and influential market, these rules reach far beyond the state’s borders, including to Indian and other overseas companies that serve US consumers.
Who is covered
The law applies to for-profit businesses that handle the personal information of California residents and meet certain thresholds — based on annual revenue, the sheer volume of personal information handled, or how much of the business’s revenue derives from selling or sharing personal information. Many businesses outside California, including overseas firms serving US consumers online, comfortably cross those thresholds without realising it. The first practical task, therefore, is simply to work out honestly whether you are in scope, rather than assuming a California law cannot reach a company on another continent.
The rights it grants
- Know and access. Consumers can learn what personal information is collected about them and how it is used.
- Delete. They can request deletion of their personal information, subject to some defined exceptions.
- Correct. They can ask you to fix inaccurate information you hold about them.
- Opt out of sale or sharing. They can stop the sale or sharing of their personal information — including through a browser-level Global Privacy Control signal that you are expected to honour automatically.
- Limit sensitive data use. They can restrict how their sensitive personal information is used.
- Non-discrimination. They cannot be penalised or offered a materially worse service for exercising any of these rights.
What it asks of businesses
Meeting these rights in practice requires real operational plumbing rather than a policy statement. You need clear notices at the point of collection, a working mechanism to receive and honour rights requests within the required timeframes, systems that actually recognise and respect opt-out signals including the Global Privacy Control, and the right contractual terms with your service providers and contractors so that data passed to them stays properly governed. The “Do Not Sell or Share” obligation, and the requirement to honour the Global Privacy Control automatically, are among the most distinctive elements and the easiest to overlook — and they are exactly the areas regulators have shown interest in.
How it compares
The CCPA and CPRA differ from the GDPR and the DPDPA in structure and emphasis. Where the GDPR centres on having a lawful basis for all processing, California law leans heavily on transparency and the right to opt out of the sale or sharing of data. That difference in emphasis means you cannot simply copy your GDPR programme across and assume you are compliant — the opt-out mechanics in particular need specific attention. But the underlying discipline — knowing what personal data you hold, why, and being able to act on individuals’ requests — is the same across all of these regimes, which is what makes a unified approach possible.
If you already map your data and honour rights requests for other privacy laws, CCPA and CPRA compliance is an extension of that work, not a fresh start. The opt-out and Global Privacy Control obligations are the parts most worth checking specifically, because they are where California law is genuinely distinctive.
What to do
- Determine scope. Check the thresholds honestly against your revenue and data handling.
- Reuse your data map and rights-handling processes from your other privacy work.
- Build the opt-out mechanics — including honouring the Global Privacy Control — which are the CCPA-specific piece most programmes miss.
- Get your service-provider contracts right so data you share stays governed.
The takeaway
For US-facing businesses, California privacy law is frequently the first serious privacy obligation to arrive — and increasingly the one that customers and partners ask about directly. Fold it into a single, well-run privacy programme alongside your other obligations, pay particular attention to the opt-out and sensitive-data handling that make it distinctive, and it becomes another mapped-and-managed regime rather than a separate headache demanding its own dedicated effort.