Applies to businesses meeting revenue or data volume thresholds that handle California residents' data.
Any US-incorporated provider or subsidiary may be compelled to disclose data regardless of where it is stored.
Cross-border transfers to non-adequate countries require SCCs, BCRs, or other safeguards.
US providers may be subject to surveillance orders targeting non-US persons, creating risk for EU data subjects.
Organizations must take reasonable steps to ensure overseas recipients handle personal information in accordance with the APPs.