Self-hosted / no managed regions
Applies to businesses meeting revenue or data volume thresholds that handle California residents' data.
Any US-incorporated provider or subsidiary may be compelled to disclose data regardless of where it is stored.
US providers may be subject to surveillance orders targeting non-US persons, creating risk for EU data subjects.