California — International Data Transfers

The California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), does not impose GDPR Chapter V–style restrictions on international data transfers. The statute contains no provisions analogous to the EU's adequacy decisions (GDPR Art. 44–45), standard contractual clauses (Art. 46(2)(c)), binding corporate rules (Art. 47), or derogations for specific situations (Art. 49). A business subject to the CCPA may transfer personal information of California residents to processors, service providers, contractors, or third parties located outside the United States without obtaining prior authorization, executing transfer instruments, or conducting a transfer impact assessment.

Territorial scope, not transfer restrictions. California regulates by resident nexus, not data location. The CCPA applies to for-profit entities doing business in California that meet revenue, data-volume, or data-sale thresholds and that collect personal information of California residents (Cal. Civ. Code § 1798.140(d)). Once the business threshold is met, the Act's obligations—transparency, access, deletion, opt-out of sale/sharing, limitation of sensitive personal information use—attach to the personal information of California consumers regardless of where that data is stored or processed. A California resident's right to deletion under § 1798.105, for example, binds the business and requires the business to direct service providers and contractors to delete (§ 1798.105(c)), but the statute does not condition the legitimacy of the transfer itself on contractual safeguards or supervisory-authority approval.

"Sale" and "sharing" definitions apply globally. The CCPA regulates certain disclosures—"sale" (disclosure for monetary or other valuable consideration, § 1798.140(ad)) and "sharing" (disclosure for cross-context behavioral advertising, § 1798.140(ah))—by granting consumers an opt-out right under §§ 1798.120 and 1798.135. These definitions capture transfers to third parties wherever located, but the regulatory trigger is the nature of the disclosure (consideration; behavioral advertising purpose), not the geographic destination. A business that discloses California-resident personal information to a data broker in the EU, a marketing platform in Singapore, or an analytics vendor in Japan must honor an opt-out request, but the cross-border character of the transfer does not, by itself, impose additional compliance steps under California law.

Service provider and contractor framework, not transfer adequacy. The CCPA distinguishes service providers (§ 1798.140(ag)) and contractors (§ 1798.140(j)) from third parties; businesses may share personal information with these entities without triggering sale/sharing opt-out rights if a written contract restricts the recipient's use to the business purposes specified in § 1798.140(e) and prohibits retention, use, or disclosure outside the contract (§ 1798.100(d); CPPA Regulations § 7002). The contract must grant the business audit rights and require the service provider or contractor to notify the business if it can no longer meet its obligations (§ 1798.100(d)(3)–(4)). These contractual requirements apply regardless of the service provider's or contractor's location; California law does not exempt domestic transfers or impose heightened standards for transfers to non-US jurisdictions. An Irish cloud-services provider, a Brazilian call center, and a Toronto analytics firm are all governed by the same contractual framework if engaged as service providers or contractors.

No supervisory-authority transfer tools or enforcement decisions. The California Privacy Protection Agency (CPPA), established by the CPRA and vested with administrative enforcement authority (§ 1798.199.55), has not promulgated regulations addressing international data transfers. The CPPA's adopted regulations (effective January 1, 2026) implement cybersecurity audits, risk assessments, and automated-decisionmaking-technology safeguards, but do not create transfer-adequacy lists, model clauses, or supplementary-measure guidance comparable to the European Data Protection Board's recommendations on Schrems II (EDPB Recommendations 01/2020). No published CPPA enforcement action has alleged a violation predicated solely on the cross-border movement of data.

Contrast with GDPR and other comprehensive regimes. Businesses accustomed to GDPR compliance should note that California does not require a lawful transfer mechanism as a precondition to moving California-resident data offshore. The GDPR prohibits transfers to third countries absent adequacy, appropriate safeguards, or a derogation (Art. 44); the CCPA has no parallel prohibition. Similarly, Brazil's LGPD (Lei nº 13.709/2018) enumerates transfer bases in Articles 33–36, China's PIPL requires security assessments or standard contracts for outbound transfers under Articles 38–40, and the UK Data Protection Act 2018 transplants GDPR Chapter V with a UK-specific adequacy bridge. California law is silent.

Practical implication: focus on substantive obligations, not transfer formalities. The absence of transfer restrictions does not exempt California-resident data from CCPA protections. A business that sends personal information to an overseas processor must still ensure that processor acts as a service provider or contractor under a compliant written agreement (if it wishes to avoid triggering sale/sharing obligations), must still honor deletion requests that cascade to that processor (§ 1798.105(c)), and must still implement reasonable security procedures appropriate to the nature of the information (§ 1798.100(e), incorporating § 1798.81.5 by reference). The legal risk lies in substantive noncompliance—failure to honor an opt-out, unlawful retention after a deletion request, inadequate security leading to a breach under § 1798.150—not in the act of transferring data across a border.

Legislative silence is deliberate. California's Legislature and voters have amended the CCPA multiple times—AB 1355 (2019), AB 713 (2019), Proposition 24 (2020), SB 1096 (2021), AB 1490 (2021), AB 3286 (2024)—without adding transfer-specific provisions. The statute's focus on consumer rights (opt-out, deletion, access, correction, limitation of sensitive-PI use) and business-practice transparency (notice at collection, privacy policy, disclosure of sales/sharing) reflects a regulatory model that travels with the consumer, not with the data's physical or virtual location.

Interaction with federal and sectoral laws. Certain cross-border transfers of California-resident data may implicate federal restrictions—ITAR export controls on defense articles (22 C.F.R. Part 120 et seq.), EAR controls on dual-use technology (15 C.F.R. Part 730 et seq.), OFAC sanctions prohibiting transactions with designated persons or countries (31 C.F.R. Chapter V), or HIPAA Business Associate Agreement requirements for covered entities and business associates (45 C.F.R. § 164.308(b))—but these are independent of, and not incorporated by reference into, the CCPA. Similarly, the Gramm-Leach-Bliley Act (15 U.S.C. § 6801 et seq.) imposes safeguards on financial institutions but does not create California-specific transfer rules.

Unable to confirm as of 2026-05-29 any pending California legislative proposal to adopt GDPR-style transfer mechanisms, any CPPA pre-rulemaking notice on international transfers, or any enforcement action alleging a transfer violation absent an underlying substantive CCPA breach.

Source: Cal. Civ. Code §§ 1798.100–1798.199.100 (CCPA as amended) Source: California Privacy Protection Agency FAQ Source: CPPA CCPA Regulations (effective January 1, 2026)

A California business that discloses consumer personal information to a service provider (an entity that processes personal information on behalf of the business, Cal. Civ. Code § 1798.140(ag)) or a contractor (an entity to which the business makes personal information available for a business purpose, § 1798.140(j)) must enter into a written agreement meeting the specifications of § 1798.100(d), whether the service provider or contractor is located inside or outside the United States. The CCPA/CPRA does not exempt domestic transfers or impose heightened contractual requirements for offshore transfers; the same contract terms apply to a data center in Oregon, a call center in Manila, an Irish cloud-storage provider, or a Brazilian analytics firm.

Statutory contract requirements — five mandatory elements. Section 1798.100(d)(1)–(5) requires the written agreement to:

1. Specify limited and specified purposes for the disclosure of personal information by the business (§ 1798.100(d)(1)).

1. Obligate the service provider or contractor to comply with applicable CCPA/CPRA obligations and to provide the same level of privacy protection as is required of the business by the Act (§ 1798.100(d)(2)).

1. Grant the business rights to take reasonable and appropriate steps to help ensure that the service provider or contractor uses the personal information in a manner consistent with the business's CCPA/CPRA obligations (§ 1798.100(d)(3)).

1. Require the service provider or contractor to notify the business if it determines that it can no longer meet its obligations under the Act (§ 1798.100(d)(4)).

1. Grant the business the right, upon receiving notice under paragraph (4), to take reasonable and appropriate steps to stop and remediate unauthorized use of personal information (§ 1798.100(d)(5)).

These provisions create a contractual chain of responsibility: the business remains accountable for CCPA/CPRA compliance obligations—transparency, deletion, opt-out, limitation of sensitive personal information—and the service provider or contractor must assist the business in meeting those obligations and mirror the Act's privacy safeguards.

Service provider vs. contractor — definitions and data-handling distinctions. A service provider is a person that processes personal information on behalf of a business and receives that information from or on behalf of the business pursuant to a written contract, provided the contract prohibits the service provider from retaining, using, or disclosing the personal information outside the direct business relationship, from selling or sharing it, and from combining it with data from other sources except as permitted by CPPA regulations for specified business purposes (§ 1798.140(ag)(1)–(3)). A contractor is a person to which the business makes available personal information for a business purpose pursuant to a written contract, under similar restrictions (§ 1798.140(j)). The definitions overlap substantially; the contractor category was introduced by the CPRA to capture entities that receive personal information but may not strictly "process on behalf of" the business. In practice, the distinction is less important than the shared contractual obligation: both statuses prevent the disclosure from triggering sale/sharing opt-out rights under §§ 1798.120 and 1798.135, but only if the written agreement complies with § 1798.100(d) and the definitions in § 1798.140.

CPPA Regulations § 7051 — additional contract specifications. The California Privacy Protection Agency's regulations, which became effective January 1, 2026, elaborate on the statutory requirements. CPPA Reg. § 7051(a) lists permissible contract terms, including that the business may require the service provider or contractor to:

• Cooperate with the business in responding to and complying with consumer requests (access, deletion, correction, opt-out of sale/sharing, limitation of sensitive personal information use) made pursuant to the CCPA/CPRA;

• Assist the business in completing the business's cybersecurity audit pursuant to CPPA regulations Article 9 (§§ 7120–7124), if the business is subject to that requirement;

• Assist the business in conducting the business's risk assessment pursuant to Article 10, if applicable;

• Implement reasonable security procedures and practices appropriate to the nature of the personal information, in accordance with Cal. Civ. Code § 1798.81.5; and

• Permit the business to monitor the service provider's or contractor's compliance with the contract through ongoing manual reviews, automated scans, regular assessments, audits, or other technical and operational testing (§ 1798.140(ag)(2)(C), § 1798.140(j)(2)(C)).

CPPA Reg. § 7050(h)(1)–(2) (effective January 1, 2026) requires service providers and contractors to make available to the business's cybersecurity auditor all relevant information the auditor requests to complete the business's audit, and prohibits the service provider or contractor from misrepresenting any fact relevant to the audit or risk assessment.

No geographic carve-outs or transfer-specific clauses. Neither the statute nor the CPPA regulations distinguish between in-state, out-of-state, or international service providers and contractors. A business engaged in a cloud-storage relationship with an Irish provider, an outsourced customer-support arrangement with a Philippine call center, or an analytics engagement with a Brazilian firm applies the same § 1798.100(d) contract template it would use for a California-based vendor. The CCPA/CPRA regulates resident nexus and disclosure purposes, not data location. If the overseas entity qualifies as a service provider or contractor under § 1798.140(ag) or (j) and the written contract satisfies § 1798.100(d), the disclosure is not a "sale" or "share" for purposes of the consumer's opt-out rights, and the business may lawfully transfer California-resident personal information to that entity without additional approvals, adequacy findings, or transfer-impact assessments.

Contrast with GDPR Chapter V and other comprehensive regimes. The CCPA/CPRA service-provider and contractor framework is not a transfer-adequacy mechanism. The EU GDPR prohibits transfers to third countries absent an adequacy decision (Art. 45), appropriate safeguards such as standard contractual clauses (Art. 46), or a derogation (Art. 49). The UK Data Protection Act 2018 replicates that structure with a UK-specific adequacy bridge. Brazil's LGPD enumerates transfer bases in Articles 33–36, China's PIPL requires security assessments or standard contracts for outbound transfers under Articles 38–40, and Singapore's PDPA imposes accountability obligations on cross-border transfers under Section 26. California has no parallel prohibition on international data movement. The § 1798.100(d) contract does not authorize or validate a transfer; it characterizes the disclosure for CCPA/CPRA purposes—transforming what would otherwise be a "sale" or "share" triggering opt-out rights into a permissible business-purpose disclosure. The geographic destination of the data is irrelevant to that characterization.

Practical implication for cross-border data flows. A business subject to both the GDPR and the CCPA/CPRA and transferring California-resident personal information to an EEA-based processor must satisfy both legal regimes: the GDPR requires a Chapter V transfer mechanism (typically EU standard contractual clauses, as supplemented post-Schrems II by transfer-impact assessment and, where necessary, supplementary measures per EDPB Recommendations 01/2020), and the CCPA/CPRA requires a written agreement meeting § 1798.100(d) if the business wishes to avoid triggering sale/sharing obligations. The two contracts serve different functions—GDPR SCCs validate the lawfulness of the transfer to a third country; the CCPA/CPRA service-provider agreement clarifies that the disclosure is not a sale/share and obligates the recipient to assist with consumer rights and provide equivalent privacy protection—but they often coexist in the same vendor relationship. Many businesses combine the two sets of clauses into a single data-processing agreement (DPA) covering both GDPR controller-processor obligations and CCPA/CPRA service-provider duties.

Enforcement and remediation rights. If a service provider or contractor notifies the business under § 1798.100(d)(4) that it can no longer meet its CCPA/CPRA obligations—for instance, because a foreign government has issued a data-access order incompatible with California consumer rights, or because the service provider has suffered a breach—the business must exercise its § 1798.100(d)(5) right to take reasonable and appropriate steps to stop and remediate the unauthorized use. Such steps may include suspending data transfers to that service provider, directing the service provider to return or destroy the personal information, conducting an investigation, notifying affected consumers if a breach triggers the § 1798.150 private right of action (unauthorized access to nonencrypted personal information due to failure to implement reasonable security), or terminating the relationship. The statute does not specify a timeline for remediation, but the CPPA has administrative enforcement authority under § 1798.199.55, and the California Attorney General retains concurrent enforcement power. As of May 2026, no published CPPA or AG enforcement action has alleged a violation predicated solely on the absence of a compliant § 1798.100(d) service-provider or contractor agreement in a cross-border context, but non-compliance exposes the business to the risk that disclosures to the overseas entity will be recharacterized as sales or shares, triggering penalties for failure to honor opt-out requests under § 1798.155(b) (civil penalties up to $7,500 per intentional violation, as adjusted annually for inflation under § 1798.199.90) and potential CPPA enforcement under § 1798.199.55.

Interaction with deletion and opt-out cascades. A service provider or contractor that has received California-resident personal information under a compliant § 1798.100(d) agreement must assist the business in honoring consumer rights. Section 1798.105(c)(1) requires the business receiving a verified deletion request to direct any service providers or contractors to delete the consumer's personal information from their records unless an exception applies. Section 1798.130(a)(2) requires service providers and contractors to provide assistance to the business in responding to verifiable consumer requests, including by providing the consumer's personal information in the service provider's or contractor's possession to the business and correcting inaccurate information or enabling the business to do so. These obligations apply regardless of the service provider's or contractor's location. A business cannot lawfully invoke the offshore location of a service provider as a basis for refusing to honor a deletion request; the § 1798.100(d) contract must give the business the contractual right to compel the overseas processor to delete, and the service provider or contractor is obligated under the statute to comply.

Unable to confirm as of 2026-05-30 any pending California legislative proposal to add GDPR Chapter V–style transfer restrictions, any CPPA pre-rulemaking notice on international data transfers, or any published CPPA or Attorney General guidance on the application of § 1798.100(d) to cross-border service-provider and contractor relationships.

Source: Cal. Civ. Code § 1798.100 (General Duties of Businesses That Collect Personal Information) Source: Cal. Civ. Code § 1798.140 (Definitions — Service Provider, Contractor, Business Purpose) Source: CPPA CCPA Regulations § 7051 (Contract Requirements for Service Providers and Contractors), effective January 1, 2026 Source: CPPA CCPA Regulations § 7050 (Service Providers and Contractors), effective January 1, 2026

The California Consumer Privacy Act (CCPA/CPRA) regulates certain disclosures of personal information to third parties by granting consumers an opt-out right under Cal. Civ. Code §§ 1798.120 and 1798.135. The two regulated disclosure categories—"sale" (§ 1798.140(ad)) and "sharing" (§ 1798.140(ah))—apply regardless of the third party's geographic location. A business that discloses California-resident personal information to a third party located in the European Union, Singapore, Brazil, Japan, or any other non-US jurisdiction must honor the consumer's opt-out request if the disclosure meets the statutory definition of a sale or share. The CCPA/CPRA does not exempt cross-border transfers from opt-out obligations, nor does it impose heightened requirements for offshore disclosures. The legal trigger is the nature and purpose of the disclosure, not the data's destination.

"Sale" defined — disclosure for monetary or other valuable consideration. Section 1798.140(ad)(1) defines "sale" as "selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer's personal information by the business to a third party for monetary or other valuable consideration." The definition is technology-neutral and geography-neutral. A California business that discloses consumer personal information to an Irish advertising network in exchange for a revenue-share agreement, to a Brazilian analytics firm in exchange for free analytics services (other valuable consideration), or to a Singapore data broker in exchange for a per-record fee engages in a "sale" triggering the consumer's opt-out right under § 1798.120, unless an exception applies.

Statutory exceptions to "sale." Section 1798.140(ad)(2) enumerates exceptions. A disclosure is not a sale if:

• The consumer uses or directs the business to intentionally disclose personal information, or intentionally interacts with a third party, provided the third party does not also sell the information unless that sale is permitted by the Act (§ 1798.140(ad)(2)(A));

• The business discloses personal information to a service provider or contractor pursuant to a written contract meeting the requirements of § 1798.100(d), and the service provider or contractor does not further sell the information except as permitted by CPPA regulations for specific business purposes (§ 1798.140(ad)(2)(B));

• The business discloses personal information to a third party as an asset in a merger, acquisition, bankruptcy, or other transaction in which the third party assumes control of all or part of the business, provided the third party uses the information in a manner consistent with the Act (§ 1798.140(ad)(2)(C));

• The disclosure is otherwise permitted by § 1798.140(ad)(2)(D)–(J) (consumer direction, limited processing by service providers, certain alert services, business transfers, and fraud prevention).

The exceptions apply equally to domestic and cross-border disclosures. If a California business engages a Philippine call center under a compliant § 1798.100(d) service-provider agreement, the disclosure to Manila is not a sale even though it crosses an international border. Conversely, if the business sells a customer list to a London-based marketing firm for monetary consideration and none of the exceptions apply, the transaction is a sale triggering the consumer's opt-out right, and the overseas location of the buyer does not exempt the business from § 1798.120 compliance.

"Sharing" defined — disclosure for cross-context behavioral advertising. Section 1798.140(ah) defines "sharing" as "sharing, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer's personal information by the business to a third party for cross-context behavioral advertising, whether or not for monetary or other valuable consideration." "Cross-context behavioral advertising" means the targeting of advertising to a consumer based on the consumer's personal information obtained from the consumer's activity across businesses, distinctly-branded websites, applications, or services, other than the business, distinctly-branded website, application, or service with which the consumer intentionally interacted (§ 1798.140(k)).

The geographic location of the third-party advertising platform, data broker, or demand-side platform is irrelevant. A California e-commerce business that discloses consumer browsing data to a Dublin-based advertising-exchange platform for real-time bidding on cross-context behavioral ads engages in "sharing" subject to the consumer's opt-out right under § 1798.120(b) and the notice and opt-out-link requirements of § 1798.135, even though the platform is located in the EU and operates under GDPR. Similarly, a disclosure to a Tokyo adtech vendor or a São Paulo data broker for cross-context behavioral advertising purposes triggers the same CCPA/CPRA obligations as would a disclosure to a US-based firm. The statute regulates the purpose of the disclosure, not the data flow's physical path.

Opt-out rights apply globally — §§ 1798.120 and 1798.135. Section 1798.120(a) grants California consumers the right to direct a business that sells or shares personal information to third parties to stop selling or sharing. Section 1798.135(a) requires businesses that sell or share personal information to provide a clear and conspicuous link on the internet homepage titled "Do Not Sell or Share My Personal Information" (or alternative compliant phrasing under CPPA Regulations § 7013). When a consumer exercises the opt-out right, the business must stop selling or sharing the consumer's personal information to all third parties, domestic and foreign, unless the consumer later provides express authorization to resume (§ 1798.135(a)(4)).

Global Privacy Control (GPC) as a universal opt-out signal. Effective January 1, 2026, businesses that sell or share personal information and collect it online must treat an opt-out preference signal (OOPS) meeting the requirements of § 1798.135(b)(2) as a valid consumer request to opt out of sale/sharing. The Global Privacy Control (GPC) is a recognized OOPS (CPPA Regulations § 7025). A consumer who enables GPC in their browser and visits a California-business website transmits a legally binding opt-out request that applies to all sales and shares, including to cross-border third parties. The CPPA's September 2025 investigative sweep with California, Colorado, and Connecticut enforcement agencies targeted businesses that failed to honor GPC requests; the CPPA's enforcement stance is that GPC compliance is mandatory for businesses engaged in sales or shares, and the third party's location provides no exemption.

Practical implications for cross-border data monetization. A California business engaged in international data partnerships must:

1. Determine whether each cross-border disclosure is a sale or share. Ask: Is the business receiving monetary or other valuable consideration for the disclosure (sale)? Is the third party using the data for cross-context behavioral advertising (share)? If either answer is yes, and no exception applies, the disclosure triggers opt-out obligations.

1. Provide compliant opt-out notice and mechanism. Businesses must post the "Do Not Sell or Share My Personal Information" link and honor consumer opt-out requests (including GPC signals) before continuing to disclose to any third party, foreign or domestic.

1. Apply opt-out requests universally. An opt-out request stops sales and shares to all third parties globally. A business cannot honor an opt-out with respect to US-based buyers but continue selling or sharing to offshore buyers; the consumer's exercise of the opt-out right under § 1798.120 binds the business for all third-party disclosures meeting the sale or share definitions.

1. Distinguish third parties from service providers. The offshore location of a recipient does not, by itself, determine whether the recipient is a third party or a service provider. Classification depends on contractual restrictions and use limitations under § 1798.100(d) and the definitions in § 1798.140(ag) (service provider) and (j) (contractor). If the business wishes to avoid triggering sale/share obligations when disclosing to an overseas processor, it must enter into a compliant written agreement restricting the recipient's use to specified business purposes and prohibiting retention, use, or disclosure outside the contract.

Contrast with GDPR and other transfer-adequacy regimes. The CCPA/CPRA does not regulate data transfers as such; it regulates disclosures to third parties for specified high-risk purposes (monetization, cross-context behavioral advertising). The European Union's GDPR Chapter V prohibits transfers to third countries unless the transfer satisfies adequacy, appropriate safeguards (standard contractual clauses, binding corporate rules), or a derogation (Art. 44–49). The UK Data Protection Act 2018 replicates that framework with a UK-specific adequacy bridge. Brazil's Lei Geral de Proteção de Dados (LGPD) lists permissible transfer bases in Articles 33–36, and China's Personal Information Protection Law (PIPL) requires security assessments or standard contracts for outbound transfers under Articles 38–40.

California takes a different regulatory approach: the CCPA/CPRA imposes no transfer-approval or transfer-mechanism requirement. A business may lawfully send California-resident personal information to any country without obtaining supervisory-authority approval or executing transfer instruments. The Act instead regulates the characterization and purpose of the disclosure. If the overseas recipient is a service provider or contractor operating under a compliant § 1798.100(d) agreement, the disclosure is not a sale or share and does not trigger opt-out rights (though the business remains responsible for honoring deletion requests that cascade to the overseas processor, § 1798.105(c)). If the overseas recipient is a third party receiving the data for monetary consideration or cross-context behavioral advertising, the consumer has an opt-out right, and the business must comply with §§ 1798.120 and 1798.135. The third party's location—inside or outside the United States—does not change the analysis.

Enforcement examples — CPPA cross-border collaboration but no transfer-specific violations. The California Privacy Protection Agency (CPPA) has signed declarations of cooperation with the French Commission nationale de l'informatique et des libertés (CNIL) in June 2024, the Korean Personal Information Protection Commission (PIPC) in January 2025, and the UK Information Commissioner's Office (ICO), reflecting recognition that privacy enforcement increasingly involves cross-border data flows. As of June 2026, however, no published CPPA enforcement action has alleged a violation predicated solely on the cross-border character of a sale or share. The CPPA's enforcement priorities have focused on substantive noncompliance with opt-out rights (failure to honor GPC signals, failure to provide the required "Do Not Sell or Share" link, unlawful continuation of sales/shares after a consumer opt-out request) and breach of service-provider obligations, without regard to whether the third party or service provider is located domestically or abroad.

Interaction with federal and sectoral restrictions. Certain cross-border data disclosures may implicate federal export controls or sanctions—International Traffic in Arms Regulations (ITAR) restricting defense articles (22 C.F.R. Part 120 et seq.), Export Administration Regulations (EAR) controlling dual-use technology (15 C.F.R. Part 730 et seq.), or Office of Foreign Assets Control (OFAC) sanctions prohibiting transactions with designated persons or jurisdictions (31 C.F.R. Chapter V)—but these are independent of, and not incorporated into, CCPA/CPRA sale and share definitions. A business selling consumer data to a third party in a sanctioned country may violate OFAC prohibitions even if the consumer has not exercised an opt-out right, and conversely, compliance with CCPA/CPRA opt-out obligations does not exempt the business from federal export-control or sanctions compliance.

Unable to confirm as of 2026-06-01 any pending California legislative proposal to add geographic carve-outs to the sale or share definitions, any CPPA pre-rulemaking notice on international aspects of sales and shares, or any published CPPA guidance distinguishing cross-border from domestic sales or shares for purposes of §§ 1798.120 or 1798.135.

Source: Cal. Civ. Code § 1798.140 (Definitions — "Sale," "Sharing," "Third Party," "Service Provider") Source: Cal. Civ. Code § 1798.120 (Right to Opt-Out of Sale or Sharing of Personal Information) Source: Cal. Civ. Code § 1798.135 (Methods of Limiting Sale, Sharing, and Use of Personal Information) Source: CPPA CCPA Regulations § 7025 (Opt-Out Preference Signals), effective January 1, 2026 Source: CPPA announcement: Joint Investigative Privacy Sweep on GPC Noncompliance (Sept. 9, 2025)

A California business that receives a verified consumer deletion request under Cal. Civ. Code § 1798.105(a) must delete the consumer's personal information from its records and notify any service providers or contractors to delete the consumer's personal information from their records (§ 1798.105(c)(1)). This notification obligation applies regardless of the service provider's or contractor's geographic location. A business engaged with an Irish cloud-storage provider, a Philippine call center, a Brazilian analytics firm, or a Tokyo-based data processor must issue the same deletion directive to those offshore entities that it would issue to a California-based vendor. The CCPA/CPRA regulates resident nexus and data-handling relationships, not data location; the statute contains no exemption, reduced-obligation carve-out, or heightened-approval requirement for cross-border deletion cascades.

Statutory deletion-cascade requirements — § 1798.105(c)(1). Section 1798.105(c)(1), as amended by SB 923 (effective 2026), requires the business to take three actions upon receiving a verified deletion request:

1. Delete the consumer's personal information from its records unless an exception applies under § 1798.105(d) (reasonably necessary for specified purposes such as completing the transaction, detecting security incidents, complying with legal obligations, or enabling solely internal uses reasonably aligned with consumer expectations);

1. Notify any service providers or contractors to delete the consumer's personal information from their records—this is a mandatory notification duty, not conditioned on technical feasibility, and applies to all service providers and contractors that received the consumer's personal information from the business under a § 1798.100(d) written agreement; and

1. Notify all third parties to whom the business has sold or shared the personal information to delete the consumer's personal information unless this proves impossible or involves disproportionate effort.

The distinction between service providers/contractors and third parties is critical. The business must notify service providers and contractors; the statute imposes no "impossible or disproportionate effort" exception for this category. The business must notify third parties to whom it sold or shared personal information, but may invoke impossibility or disproportionate effort as a defense for that subset. The rationale is contractual: service providers and contractors operate under written agreements meeting § 1798.100(d) that obligate them to assist the business in meeting CCPA/CPRA obligations and to provide the same level of privacy protection as required of the business (§ 1798.100(d)(2)). Third parties, by contrast, are independent recipients who may have no ongoing relationship with the business.

No geographic carve-out for offshore service providers or contractors. Neither § 1798.105(c) nor any CPPA regulation distinguishes between in-state, out-of-state, or international service providers and contractors. A business that has disclosed California-resident personal information to a Manila-based customer-support processor under a compliant § 1798.100(d) service-provider agreement must notify that Manila processor to delete upon receiving a verified consumer deletion request, just as it would notify a Sacramento-based processor. The business cannot lawfully invoke the offshore location of the service provider as a basis for refusing to honor the deletion request or for failing to issue the deletion directive. Section 1798.105(c)(1) creates an absolute notification duty for service providers and contractors, and the service provider's or contractor's location—whether Dublin, São Paulo, Singapore, or Toronto—is irrelevant to the business's statutory obligation.

Service provider and contractor assistance obligation — § 1798.130(a)(2). Section 1798.130(a)(2) requires service providers and contractors to provide assistance to the business in responding to verifiable consumer requests, including deletion requests. This assistance includes providing the consumer's personal information in the service provider's or contractor's possession to the business, correcting inaccurate information or enabling the business to do so, and implementing technical and organizational measures to help the business comply with consumer-rights obligations. The assistance duty applies regardless of the service provider's or contractor's location. A business engaged with an offshore processor must ensure that its § 1798.100(d) written agreement with that processor includes an enforceable contractual provision requiring the processor to delete California-resident personal information upon receiving the business's deletion directive.

CPPA Regulations § 7051 — contract requirements for service providers and contractors. CPPA Regulations § 7051, effective January 1, 2026, elaborates on the § 1798.100(d) statutory contract requirements. The regulation confirms that businesses may (and should) require service providers and contractors to cooperate with the business in responding to and complying with consumer deletion requests. The contract may grant the business audit rights, monitoring rights, and remediation rights, including the right to take reasonable and appropriate steps to stop and remediate unauthorized use of personal information if the service provider or contractor notifies the business that it can no longer meet its CCPA/CPRA obligations (§ 1798.100(d)(4)–(5)).

These contractual obligations apply uniformly to domestic and offshore service providers and contractors. The CPPA regulations do not create a separate, weaker set of contract requirements for cross-border relationships, nor do they permit businesses to exempt offshore processors from deletion-assistance obligations. If a business wishes to avoid triggering sale/sharing opt-out obligations when disclosing California-resident personal information to an overseas entity, it must enter into a compliant § 1798.100(d) / CPPA Reg. § 7051 service-provider or contractor agreement, and that agreement must include enforceable deletion-cascade provisions that allow the business to meet its § 1798.105(c)(1) notification duty.

Practical implications for cross-border deletion workflows. A business subject to the CCPA/CPRA and relying on international service providers or contractors must implement technical and contractual mechanisms to cascade deletion requests across borders:

• Contractual deletion clauses. The § 1798.100(d) written agreement with the offshore service provider or contractor must explicitly require the processor to delete California-resident personal information upon receiving the business's deletion directive, subject only to the statutory exceptions in § 1798.105(d). The contract should specify a timeline (many businesses adopt 30 or 45 days to align with the business's own response obligation under § 1798.130(a)(3)), define "deletion" (permanent erasure vs. de-identification, consistent with § 1798.105(c) and CPPA guidance), and grant the business audit and verification rights.

• Technical deletion APIs or protocols. Businesses that disclose large volumes of California-resident personal information to offshore processors often implement automated deletion workflows—API calls, batch-file transfers, or secure data-exchange protocols that allow the business to transmit verified deletion-request identifiers (e.g., hashed email addresses, internal consumer IDs) to the service provider or contractor without manual intervention. The CCPA/CPRA does not mandate a particular technical architecture, but the business bears the compliance risk if the deletion cascade fails. If the overseas processor does not delete and a consumer later discovers their personal information remains in the processor's records, the business (not the processor) faces CPPA enforcement exposure under § 1798.199.55 and potential civil penalties under § 1798.155(b) for violating § 1798.105.

• Verification of deletion. Section 1798.105(c) does not explicitly require the business to verify that the service provider or contractor has completed deletion, but the business's § 1798.100(d)(3) contract right to "take reasonable and appropriate steps to help ensure that the service provider or contractor uses the personal information in a manner consistent with the business's obligations under this title" supports a verification obligation. Many businesses require service providers and contractors to provide deletion-completion attestations, audit logs, or periodic compliance certifications. When the service provider or contractor is located in a jurisdiction with weak data-subject rights or limited supervisory-authority enforcement (e.g., no comprehensive privacy law, no private right of action), contractual verification and audit rights become the business's primary enforcement tool.

Cross-border deletion conflicts — foreign retention obligations. A service provider or contractor located outside the United States may be subject to conflicting retention obligations under local law. For example:

• An EU-based processor subject to the GDPR may be required to retain personal data for tax, accounting, or employment-law purposes under member-state law (GDPR Art. 17(3)(b) exempts retention necessary for compliance with a legal obligation). If the EU processor receives a CCPA deletion directive from the California business and simultaneously holds the same data under an EU retention mandate, the processor faces a legal conflict.

• A Chinese processor subject to the Cybersecurity Law, Data Security Law, or Personal Information Protection Law (PIPL) may be prohibited from deleting data that Chinese authorities have designated for security review or retention under PIPL Art. 28 (data localization) or CSL Art. 37 (critical information infrastructure).

• A Brazilian processor subject to the Lei Geral de Proteção de Dados (LGPD) may be required to retain personal data for compliance with legal or regulatory obligations under LGPD Art. 16, II, or for the exercise of rights in judicial, administrative, or arbitral proceedings (Art. 16, VI).

California law provides no derogation for foreign retention obligations. Section 1798.105(c)(1) requires the business to notify the service provider or contractor to delete; it does not condition that notification duty on the service provider's or contractor's ability to comply. If the offshore service provider or contractor determines that it cannot delete because of a conflicting foreign legal obligation, the service provider or contractor must notify the business under § 1798.100(d)(4) (the service provider or contractor must notify the business if it determines that it can no longer meet its obligations under the Act). Upon receiving that notice, the business must exercise its § 1798.100(d)(5) remediation right—reasonable and appropriate steps may include suspending further data transfers to that service provider or contractor, terminating the relationship, or engaging a different processor not subject to the conflicting retention obligation.

The business cannot invoke the overseas processor's legal conflict as a basis for refusing the consumer's deletion request. Section 1798.105 grants the deletion right to the consumer and binds the business; the statute contains no exception for "foreign legal impediments." If the business cannot ensure deletion across its entire processing ecosystem, including offshore service providers and contractors, the business faces substantive CCPA/CPRA noncompliance and potential CPPA enforcement under § 1798.199.55. The compliance choice is binary: either structure cross-border service-provider relationships so that deletion can cascade reliably (through contractual override of the processor's default retention posture, through processor selection—choosing processors in jurisdictions with GDPR-compatible erasure rights and limited mandatory retention rules—or through data minimization and localization strategies that avoid the conflict), or accept the enforcement risk of partial deletion.

Deletion cascade and the GDPR Chapter V interaction. A business subject to both the CCPA/CPRA and the EU GDPR that transfers California-resident personal information to an EEA-based processor must satisfy both legal regimes' deletion obligations:

• GDPR Art. 17 right to erasure. If the California consumer is also an EU data subject (e.g., a California resident who is also a French national or who was in France when the data was collected), the GDPR grants the data subject a right to erasure under Art. 17, subject to exceptions (e.g., compliance with a legal obligation, establishment/exercise/defense of legal claims, public-interest archiving or research). The GDPR controller must erase and direct processors to erase under Art. 28(3)(e) (the processor must delete or return personal data at the end of the provision of services or upon the controller's instruction, subject to legal retention requirements).

• CCPA/CPRA § 1798.105 deletion right. Regardless of the consumer's EU data-subject status, if the consumer is a California resident and the business is subject to the CCPA/CPRA, the consumer has a deletion right under § 1798.105, and the business must notify the EEA processor to delete under § 1798.105(c)(1).

In most cases the two obligations align: both GDPR Art. 17 and CCPA § 1798.105 require erasure upon a valid data-subject request, and both allow exceptions for legal-compliance obligations. The business's GDPR Art. 28 data-processing agreement (DPA) with the EEA processor and its CCPA § 1798.100(d) service-provider agreement typically coexist in a single contract, and the deletion clause covers both regimes. Many businesses use a unified "Data Subject Rights" contract provision that obligates the processor to assist the controller/business in responding to GDPR access/erasure/portability requests and CCPA deletion/correction/access requests without distinguishing the legal source.

Unable to confirm as of 2026-06-01 any published CPPA enforcement action alleging a violation predicated on failure to cascade a deletion request to an offshore service provider or contractor, any CPPA guidance on cross-border deletion-cascade mechanics, or any CPPA advisory opinion on the treatment of foreign legal retention obligations that conflict with CCPA deletion directives. The CPPA's enforcement priorities (as reflected in the GPC investigative sweep of September 2025, the data-broker registration enforcement advisory of January 2025, and the agency's public statements) have focused on consumer-facing opt-out compliance (failure to honor GPC signals, missing "Do Not Sell or Share" links) and data-broker Delete Act registration rather than on service-provider deletion-cascade failures. However, the statutory text of § 1798.105(c)(1) is unambiguous, and businesses bear the legal risk of noncompliance.

Contrast with GDPR Chapter V and other transfer-adequacy regimes. The CCPA/CPRA deletion-cascade obligation is not a transfer-approval mechanism or a transfer-adequacy assessment; it is a substantive consumer right that travels with the data regardless of the data's location. The GDPR prohibits transfers to third countries absent adequacy, appropriate safeguards (standard contractual clauses, binding corporate rules), or a derogation (Arts. 44–49), and imposes additional processor obligations under Art. 28, but the GDPR does not condition the right to erasure on the processor's location. Similarly, Brazil's LGPD grants data subjects a deletion right under Art. 18, VI, and China's PIPL grants a deletion right under Art. 47, both of which apply regardless of where the processor is located (subject to local retention exceptions).

California's approach is substantively identical: the deletion right under § 1798.105 applies to California-resident personal information wherever it is held, and the business's obligation to notify processors to delete applies uniformly to domestic and offshore processors. The geographic neutrality of the deletion-cascade rule reflects the CCPA/CPRA's broader regulatory architecture: California does not regulate transfers as such; it regulates data-handling relationships (service provider vs. contractor vs. third party) and substantive consumer rights (deletion, access, opt-out). The cross-border movement of data does not trigger additional compliance steps under California law, but it also does not exempt the business from honoring deletion requests that reach across international boundaries.

Source: Cal. Civ. Code § 1798.105 (Consumers' Right to Delete Personal Information) Source: Cal. Civ. Code § 1798.130 (Notice, Disclosure, and Delivery Requirements for Businesses) Source: Cal. Civ. Code § 1798.100 (General Duties of Businesses That Collect Personal Information) Source: CPPA CCPA Regulations § 7051 (Contract Requirements for Service Providers and Contractors), effective January 1, 2026

The California Consumer Privacy Act (CCPA/CPRA) does not regulate international data transfers, but federal law imposes independent restrictions on certain cross-border data movements. A California business that lawfully transfers California-resident personal information under state law may still violate federal export-control or sanctions prohibitions if the data qualifies as controlled technical data, dual-use technology, or involves a sanctioned person or destination. The CCPA's silence on transfers does not exempt businesses from compliance with the International Traffic in Arms Regulations (ITAR) (22 C.F.R. Part 120 et seq.), the Export Administration Regulations (EAR) (15 C.F.R. Part 730 et seq.), or Office of Foreign Assets Control (OFAC) sanctions (31 C.F.R. Chapter V). These federal regimes operate in parallel with, not in lieu of, California privacy law, and violations carry civil and criminal penalties independent of CCPA/CPRA enforcement.

ITAR — defense articles and technical data (22 C.F.R. Part 120 et seq.). The International Traffic in Arms Regulations, administered by the U.S. Department of State's Directorate of Defense Trade Controls (DDTC), control the export and deemed export of defense articles and defense services, including technical data related to items on the U.S. Munitions List (USML) (22 C.F.R. § 121.1). Technical data is defined as information required for the design, development, production, manufacture, assembly, operation, repair, testing, maintenance, or modification of defense articles, including software directly related to defense articles (22 C.F.R. § 120.33). The USML includes military and space-related articles, from firearms and explosives (Category I) to military electronics and spacecraft (Categories XI and XV).

An "export" under ITAR includes the release or transfer of technical data to a foreign person (any natural person who is not a U.S. citizen, lawful permanent resident, or protected individual under 8 U.S.C. § 1324b(a)(3), and any foreign corporation or government) in the United States (22 C.F.R. § 120.50(a)(2))—a deemed export. Any release of ITAR-controlled technical data to a foreign person is deemed an export to all countries in which the foreign person has held or holds citizenship or permanent residency (22 C.F.R. § 120.50(b)). Thus, a California aerospace or defense contractor that discloses technical drawings, design specifications, or test results related to a USML item to a foreign-national employee or contractor—even if the disclosure occurs entirely within California and the data never leaves the United States—conducts an export requiring a license or exemption from DDTC unless the data is in the public domain (22 C.F.R. § 120.34) or falls within a statutory exemption (22 C.F.R. § 120.54).

The CCPA/CPRA regulates the personal information of California residents (Cal. Civ. Code § 1798.140(v)), which may overlap with ITAR technical data when the data identifies or is linked to an individual. For example, a California defense contractor's employee roster (names, work emails, job titles) may be California-resident personal information subject to CCPA deletion and opt-out rights, while simultaneously being technical data subject to ITAR if the roster reveals which foreign nationals have access to USML-controlled information. The CCPA imposes no transfer restrictions, but ITAR prohibits the release of that roster to a foreign person or the transmission of the roster to an overseas affiliate without a DDTC license or exemption (22 C.F.R. § 123.1). A California business that honors a CCPA deletion request by instructing a foreign service provider to delete employee data may satisfy California law but still violate ITAR if the deletion directive itself discloses technical data (e.g., revealing that a particular foreign national had access to USML-controlled projects).

Stored technical data and encryption. ITAR permits sending, taking, or storing technical data outside the United States if the data is encrypted using FIPS 140-2 or successor-compliant cryptographic modules, supplemented by key management and procedures in accordance with NIST guidance or providing at least 128 bits of security strength (AES-128 or equivalent), and if the originator and intended recipient are authorized to receive the data (22 C.F.R. § 120.54(a)(5)). The ability to access encrypted technical data in compliant encrypted form does not constitute release or export (22 C.F.R. § 120.54(c)). A California business storing ITAR-controlled technical data containing California-resident personal information in an encrypted cloud environment (AWS, Azure, Google Cloud) with servers in Ireland or Singapore may satisfy ITAR's encryption safe harbor if the encryption meets FIPS 140-2 and the foreign cloud provider cannot decrypt the data without the business's active involvement. However, if the cloud provider or any foreign-national employee of the provider gains plaintext access to the data, the business has effected an export to the provider's country of incorporation or the employee's country of citizenship, requiring a license unless an exemption applies.

EAR — dual-use items, deemed exports, and encryption controls (15 C.F.R. Part 730 et seq.). The Export Administration Regulations, administered by the U.S. Department of Commerce's Bureau of Industry and Security (BIS), control the export, reexport, and in-country transfer of items subject to the EAR, including dual-use commodities, software, and technology with both civilian and military applications, as well as certain purely civilian items and items listed on the Wassenaar Arrangement Munitions List not controlled under ITAR (15 C.F.R. § 730.3). Items subject to the EAR are listed on the Commerce Control List (CCL) (15 C.F.R. Part 774, Supplement No. 1), classified by Export Control Classification Number (ECCN), or designated EAR99 (items subject to the EAR but not listed on the CCL).

Like ITAR, the EAR define "export" to include the release of technology (information necessary for the development, production, or use of a product, including software source code and technical data) to a foreign person in the United States (15 C.F.R. § 772.1, defining "foreign person"; 15 C.F.R. § 730.5(c))—a deemed export. A California technology company that employs foreign-national engineers and grants them access to encryption source code classified under ECCN 5D002 (information security software) or semiconductor design software classified under ECCN 3D001 effects a deemed export to the engineer's country of citizenship, potentially requiring a BIS license depending on the destination and the ECCN's export-control reason (national security, anti-terrorism, regional stability, or other).

Personal data as EAR-controlled technology. The EAR generally do not control the export of personal information in the ordinary commercial sense (customer names, addresses, purchase histories) unless that information also qualifies as technology or is embedded in controlled software or hardware. However, certain datasets containing technical information may be EAR-controlled. For example, a California semiconductor manufacturer's employee access logs showing which foreign nationals accessed which chip-design files may qualify as technology related to ECCN 3E001 (technology for the development or production of electronic components) if the logs reveal proprietary design methodologies. The CCPA grants California-resident employees a right to access their personal information (Cal. Civ. Code § 1798.110) and to delete it (§ 1798.105), but if honoring the access request requires transmitting the employee's technical work history to the employee's home country (e.g., emailing a Chinese national employee a ZIP file of their work product, which includes EAR-controlled semiconductor design files), the business conducts an export under the EAR and may require a BIS license unless the export qualifies for a license exception (15 C.F.R. Part 740).

Encryption and EAR. Unlike ITAR's FIPS 140-2 safe harbor for stored encrypted technical data, the EAR regulate the export of encryption items themselves. Mass-market encryption software and certain open-source encryption code are eligible for license exceptions (15 C.F.R. § 740.17, License Exception ENC), but encryption items with key lengths above specified thresholds or designed for military or government end-users may require a license. A California business that transfers California-resident personal information to a foreign service provider and encrypts the transfer using AES-256 does not require an EAR license for the act of encrypting or transmitting the data if the encryption software itself is either publicly available encryption (not subject to the EAR under the "publicly available" exclusion, 15 C.F.R. § 734.7) or mass-market under License Exception ENC. However, if the business exports the encryption software itself to the foreign service provider to enable the provider to decrypt locally, and the software is EAR-controlled, the business may require a license.

OFAC sanctions — prohibited transactions with blocked persons and embargoed destinations (31 C.F.R. Chapter V). The Office of Foreign Assets Control, within the U.S. Department of the Treasury, administers and enforces economic and trade sanctions based on U.S. foreign policy and national security goals. OFAC sanctions programs prohibit U.S. persons from engaging in transactions involving blocked persons (individuals and entities on OFAC's Specially Designated Nationals and Blocked Persons (SDN) List and other sanctions lists) or certain embargoed or comprehensively sanctioned countries (as of June 2026, programs include Cuba, Iran, North Korea, Syria, and the Crimea, Donetsk, and Luhansk regions of Ukraine, among others). Most OFAC programs are promulgated under the International Emergency Economic Powers Act (IEEPA), 50 U.S.C. § 1701 et seq., which grants the President authority to regulate transfers of property in which a foreign country or national has an interest when a national emergency is declared.

"U.S. person" for OFAC purposes includes any U.S. citizen or permanent resident, any entity organized under U.S. law (including a California corporation or LLC), and any person in the United States (31 C.F.R. § 510.329, definition under the North Korea Sanctions Regulations; similar definitions appear in other OFAC program regulations). A U.S. person is generally prohibited from engaging in transactions involving blocked property or interests in property, and from providing services to blocked persons or in connection with embargoed destinations, unless authorized by a general license or specific license issued by OFAC (31 C.F.R. § 501.801).

Personal data transfers and OFAC. The CCPA/CPRA regulates the processing of California-resident personal information without regard to the resident's nationality or sanction status. A California business subject to the CCPA may collect personal information from a California resident who is also a blocked person (e.g., a resident who appears on the SDN List, or a U.S. subsidiary of a blocked foreign entity), and the CCPA grants that person deletion, access, and opt-out rights. However, OFAC sanctions prohibit the business from engaging in transactions involving the blocked person's property or interests in property unless OFAC has authorized the transaction. "Property" includes information and data (31 C.F.R. § 501.603(b)(1), definition of "property" for blocking purposes in the context of OFAC reporting).

If a California e-commerce business collects personal information (name, address, payment information) from a blocked person and that personal information constitutes property or an interest in property of the blocked person, the business must block (freeze) the information and report it to OFAC within 10 business days (31 C.F.R. § 501.603). The business is prohibited from transferring, paying out, withdrawing, or otherwise dealing in the blocked property (31 C.F.R. § 501.603(a)). If the blocked person submits a CCPA deletion request under Cal. Civ. Code § 1798.105, the business faces a conflict: California law requires deletion, but OFAC prohibits any dealing in blocked property, including deletion. The business must notify OFAC and seek guidance or a specific license; OFAC has authority to authorize certain otherwise-prohibited transactions on a case-by-case basis (31 C.F.R. § 501.801). OFAC prohibitions override state-law obligations when the two conflict, as federal law is supreme under the Supremacy Clause (U.S. Const. art. VI, cl. 2).

Cross-border data transfers to sanctioned destinations. A California business that discloses California-resident personal information to a service provider, contractor, or third party located in a comprehensively sanctioned country (e.g., a data center in Iran, a call center in North Korea, an analytics vendor in Syria) generally violates OFAC prohibitions unless the transaction is authorized by a general license or the transaction falls within an IEEPA carve-out. IEEPA prohibits the President from regulating or prohibiting "any postal, telegraphic, telephonic, or other personal communication, which does not involve a transfer of anything of value" (50 U.S.C. § 1702(b)(1)), and IEEPA protects the importation or exportation of "information or informational materials" (50 U.S.C. § 1702(b)(3)). OFAC's Iran Sanctions Regulations contain a general license authorizing certain telecommunications and internet services (31 C.F.R. § 560.540), but that authorization is narrowly scoped to specified software and services and does not create a blanket exemption for all data transfers to Iran.

A California SaaS company that transfers California-resident personal information to an Iranian user (e.g., by hosting the user's account data on servers accessible to Iranian IP addresses) must determine whether the transfer qualifies as an authorized "informational materials" transaction, an authorized telecommunication service, or a prohibited dealing in property. As of June 2026, OFAC has not published comprehensive guidance on the application of sanctions to cloud-stored personal data accessible from sanctioned destinations, and businesses face significant interpretive risk.

Interaction with CCPA sale, sharing, and deletion obligations. The CCPA/CPRA treats disclosures to third parties as sales or shares triggering consumer opt-out rights (Cal. Civ. Code §§ 1798.120, 1798.140(ad), (ah)), and requires businesses to notify service providers and contractors to delete upon receiving a verified deletion request (§ 1798.105(c)(1)). Federal export controls and sanctions apply independently:

• If the third party, service provider, or contractor is a blocked person, the business must comply with OFAC blocking requirements and may not transfer data without authorization, regardless of whether the consumer has exercised a CCPA opt-out right.

• If the disclosure involves ITAR technical data or EAR-controlled technology, the business must obtain the required DDTC or BIS license or qualify for an exemption before transferring, even if the transfer is to a CCPA-compliant service provider under a § 1798.100(d) written agreement.

• If the disclosure is to a service provider located in a sanctioned destination (e.g., an Indian subsidiary operating a data center in Iran), the business must obtain OFAC authorization before transferring, notwithstanding the existence of a CCPA-compliant service-provider agreement.

Deemed exports and foreign-national employees in California. The ITAR and EAR deemed-export rules create compliance obligations within California for businesses that employ foreign-national workers. A California AI company that grants foreign-national engineers access to training datasets may effect a deemed export if the datasets include EAR-controlled technology (e.g., semiconductor design data classified under ECCN 3E001) or ITAR-controlled technical data (e.g., satellite imagery analysis tools related to USML Category XV). The datasets may simultaneously be California-resident personal information if they include identifiers or are linked to California residents. The CCPA regulates the use and disclosure of that personal information (notice, access, deletion, opt-out rights), but ITAR and the EAR regulate the release to foreign persons, and the two regimes impose overlapping but distinct obligations. A business that collects biometric data from California-resident employees under the CPRA's heightened notice and consent requirements for sensitive personal information (Cal. Civ. Code § 1798.121) and grants foreign-national engineers access to the biometric training dataset may satisfy CCPA/CPRA but still violate the EAR if the dataset qualifies as technology and no license exception applies.

Penalties and enforcement coordination. Violations of ITAR, the EAR, and OFAC sanctions carry civil and criminal penalties administered by different federal agencies. ITAR violations are enforced by the Department of State and may result in civil penalties (22 C.F.R. § 127.1, up to $1,235,281 per violation as of 2024, adjusted annually for inflation under the Federal Civil Penalties Inflation Adjustment Act Improvements Act of 2015) and criminal penalties under the Arms Export Control Act, 22 U.S.C. § 2778 (fines and imprisonment up to 20 years per violation). EAR violations are enforced by the Department of Commerce and may result in civil penalties (15 C.F.R. § 764.3, up to the greater of $364,992 per violation or twice the transaction value, as adjusted) and criminal penalties under the Export Control Reform Act of 2018, 50 U.S.C. § 4819 (fines and imprisonment up to 20 years per violation). OFAC violations are enforced by the Department of the Treasury and may result in civil penalties (31 C.F.R. Part 501, Appendix A, varying by program; IEEPA civil penalties are the greater of $368,136 per violation or twice the transaction value, as adjusted annually) and criminal penalties under IEEPA, 50 U.S.C. § 1705 (fines up to $1 million and imprisonment up to 20 years).

Federal enforcement agencies do not coordinate with the California Privacy Protection Agency (CPPA) or the California Attorney General on privacy-law compliance. A California business that violates OFAC sanctions by transferring personal information to a blocked person may face parallel enforcement: OFAC administrative penalties under 31 C.F.R. Part 501, and CPPA or Attorney General enforcement under Cal. Civ. Code § 1798.155 and § 1798.199.55 if the business also failed to honor a consumer opt-out request or deletion request in connection with the same transaction. The federal violation does not excuse CCPA/CPRA noncompliance, and CCPA/CPRA compliance does not exempt the business from federal export-control or sanctions obligations.

Practical compliance steps for California businesses handling cross-border personal data. Businesses subject to the CCPA/CPRA and engaged in international data transfers should:

1. Screen recipients against OFAC sanctions lists (SDN List, other OFAC lists) before disclosing California-resident personal information to third parties, service providers, or contractors, and implement ongoing monitoring to detect if a recipient becomes blocked after the initial transfer. If a recipient is blocked, freeze the relationship and consult OFAC.

1. Classify data for export-control purposes. Determine whether California-resident personal information also qualifies as ITAR technical data (defense-related) or EAR-controlled technology (dual-use, national security, or other CCL-listed items). If yes, obtain required DDTC or BIS licenses or confirm availability of an exemption before transferring to foreign persons or foreign destinations.

1. Review deemed-export risks for foreign-national employees and contractors. If the business employs or engages foreign nationals in California and grants them access to ITAR or EAR-controlled data that also qualifies as California-resident personal information, ensure that the release is covered by a license, exemption, or fundamental research exclusion (15 C.F.R. § 734.8, EAR fundamental research exclusion for published and shared research; ITAR has no comparable research exclusion but exempts public-domain information).

1. Draft service-provider agreements addressing both CCPA and federal restrictions. The CCPA § 1798.100(d) service-provider agreement should include representations and warranties that the service provider is not a blocked person, is not located in a sanctioned destination, will comply with applicable export-control and sanctions laws, and will notify the business if it becomes subject to blocking or export-control restrictions. The agreement should grant the business the right to suspend transfers or terminate the relationship if compliance with federal law conflicts with CCPA obligations.

1. Document exemptions and authorizations. If the business relies on an ITAR or EAR exemption (e.g., ITAR public-domain exemption, 22 C.F.R. § 120.11; EAR License Exception ENC for encryption, 15 C.F.R. § 740.17), maintain records demonstrating the basis for the exemption. ITAR requires retention of exemption certifications for five years (22 C.F.R. § 120.15(f)); the EAR require retention of export records for five years (15 C.F.R. § 762.2); OFAC requires retention of records for five years for most programs, extended to ten years for certain transactions as of March 2025 (31 C.F.R. § 501.601, as amended).

1. Monitor regulatory changes. OFAC sanctions programs, ITAR controls, and EAR controls are updated frequently by Executive Order, Federal Register notice, and regulatory amendment. A California business that established a service-provider relationship with an overseas processor in a non-sanctioned country may face sudden compliance disruption if OFAC adds the processor's country to a sanctions program or if DDTC or BIS adds the processor's technology to a controlled list.

Unable to confirm as of 2026-06-02 any published CPPA, California Attorney General, OFAC, DDTC, or BIS guidance specifically addressing the interaction of CCPA/CPRA obligations with federal export controls or sanctions in the context of cross-border personal-data transfers, any enforcement action alleging parallel CCPA and export-control violations arising from the same transfer, or any OFAC general license authorizing transactions involving California-resident personal information stored in or transferred to comprehensively sanctioned destinations.

Source: 22 C.F.R. Part 120 (International Traffic in Arms Regulations — Purpose and Definitions) Source: 15 C.F.R. Part 730 (Export Administration Regulations — General Information) Source: 31 C.F.R. Part 501 (OFAC Reporting, Procedures and Penalties Regulations) Source: 50 U.S.C. § 1702 (International Emergency Economic Powers Act — Presidential Authorities) Source: OFAC FAQs — Basic Information on OFAC and Sanctions

California law imposes mandatory security obligations on businesses that own, license, or maintain personal information about California residents, and these obligations apply regardless of where the personal information is stored or processed. A business that transfers California-resident personal information to an offshore cloud-storage provider, an overseas call center, or a foreign analytics processor remains responsible for implementing and maintaining reasonable security procedures and practices appropriate to the nature of the information under Cal. Civ. Code § 1798.81.5 and § 1798.100(e). The CCPA/CPRA does not exempt cross-border data flows from security requirements, nor does it create heightened security standards for international transfers. The legal trigger is resident nexus and data sensitivity, not the data's geographic destination.

Cal. Civ. Code § 1798.81.5 — reasonable security obligation for businesses that own, license, or maintain personal information. Section 1798.81.5(b), enacted in 2003 and amended multiple times (most recently by AB 825 in 2021, effective January 1, 2022), requires "a business that owns, licenses, or maintains personal information about a California resident shall implement and maintain reasonable security procedures and practices appropriate to the nature of the information, to protect the personal information from unauthorized access, destruction, use, modification, or disclosure." The statute defines three relationships to personal information:

• "Own" and "license" include personal information that a business retains as part of its internal customer account or for the purpose of using that information in transactions with the person to whom the information relates (§ 1798.81.5(a)(2)).

• "Maintain" includes personal information that a business maintains but does not own or license—covering service providers, contractors, and other processors that hold California-resident personal information on behalf of another entity (§ 1798.81.5(a)(2)).

The statute applies regardless of the physical or virtual location of the information. A California business that licenses customer data and stores it in an Irish data center owns or licenses that information within the meaning of § 1798.81.5(b) and must implement reasonable security. A Philippine call-center operator that maintains California-resident personal information under a service-provider agreement with a California business maintains that information and is separately subject to the § 1798.81.5(b) security obligation, even though the call center's servers are located offshore and the entity itself may not be subject to the CCPA/CPRA's consumer-rights provisions.

CCPA/CPRA § 1798.100(e) — incorporation by reference into the CCPA/CPRA. Section 1798.100(e), added by the CCPA and operative since January 1, 2020, provides that "a business that collects a consumer's personal information shall implement reasonable security procedures and practices appropriate to the nature of the personal information to protect the personal information from unauthorized or illegal access, destruction, use, modification, or disclosure in accordance with Section 1798.81.5." This provision brings the pre-existing § 1798.81.5 security standard into the CCPA/CPRA framework and ties it to the Act's definition of "business" (§ 1798.140(d): entities meeting revenue, data-volume, or data-sale thresholds and doing business in California). The security obligation under § 1798.100(e) applies to all personal information the business collects, processes, or maintains, including California-resident personal information transferred to or stored with overseas processors.

"Reasonable security" is a flexible, risk-based standard. Neither § 1798.81.5 nor § 1798.100(e) prescribes specific technical controls or security frameworks. The statute requires security "appropriate to the nature of the information"—implicitly recognizing that the reasonable safeguards for a database of Social Security numbers and financial account credentials differ from those for a marketing email list. Courts and regulators interpreting "reasonable security" in data-breach litigation have looked to industry standards such as the NIST Cybersecurity Framework, the CIS Critical Security Controls, the ISO/IEC 27001/27002 series, and the OWASP Top Ten for web-application security. The California Attorney General's 2016 publication, California Data Breach Report, stated that failure to implement the 20 CIS Critical Security Controls may constitute lack of reasonable security, though that guidance predates the CCPA and was not issued as a formal regulation. As of June 2026, the California Privacy Protection Agency (CPPA) has not promulgated regulations defining "reasonable security" for purposes of § 1798.100(e) or § 1798.81.5.

Cross-border transfers do not lower the security standard; in some contexts they raise it. A business that discloses California-resident personal information to an offshore service provider or contractor must ensure that the overseas entity implements security measures meeting the § 1798.81.5 standard. Section 1798.81.5(c) specifically addresses this scenario: "A business that discloses personal information about a California resident pursuant to a contract with a nonaffiliated third party that is not subject to subdivision (b) [i.e., not itself a business that owns, licenses, or maintains personal information under California law] shall require by contract that the third party implement and maintain reasonable security procedures and practices appropriate to the nature of the information, to protect the personal information from unauthorized access, destruction, use, modification, or disclosure." This contractual-security obligation is independent of the CCPA/CPRA § 1798.100(d) service-provider and contractor contract requirements, though in practice many businesses combine both into a single data-processing agreement.

Example application: transfer to an offshore cloud-storage provider. A California-based SaaS business stores California-resident customer account data—names, email addresses, hashed passwords, payment-card tokens, and usage logs—with a Dublin-based cloud-infrastructure provider under an Infrastructure-as-a-Service (IaaS) contract. The California business owns or licenses the customer data (it retains the data as part of internal customer accounts, § 1798.81.5(a)(2)), and the Irish cloud provider maintains that data (it maintains but does not own or license the information). Both entities are subject to § 1798.81.5(b):

• The California business must implement and maintain reasonable security procedures appropriate to payment-card and authentication data—at a minimum, encryption at rest and in transit, access controls restricting employee access to customer databases, multi-factor authentication for administrative access, regular security patching, logging and monitoring for unauthorized access attempts, and incident-response procedures.

• The Irish cloud provider must implement equivalent security controls. The California business satisfies its § 1798.81.5(c) contractual-security obligation by including in its IaaS agreement enforceable provisions requiring the cloud provider to maintain SOC 2 Type II certification (or ISO/IEC 27001 certification, or equivalent third-party security audit), to encrypt all data at rest using AES-256 or stronger, to implement network segmentation and access logging, and to notify the California business of any security incidents or government data-access orders within a specified timeframe.

If the Irish cloud provider suffers a breach—unauthorized access to the California business's customer database due to a misconfigured S3 bucket, a SQL injection vulnerability in the provider's management portal, or a phishing attack compromising an administrator account—the California business faces liability under § 1798.150 (discussed below) if the breach resulted from the business's failure to implement reasonable security. The business cannot invoke the offshore location of the cloud provider as a defense; the business's § 1798.81.5 and § 1798.100(e) obligations require it to ensure reasonable security across the entire processing chain, including overseas processors.

Cal. Civ. Code § 1798.150 — private right of action for data breaches caused by unreasonable security. Section 1798.150(a)(1), added by the CCPA in 2018 and operative January 1, 2020, creates a consumer private right of action for data breaches: "Any consumer whose nonencrypted and nonredacted personal information, as defined in subparagraph (A) of paragraph (1) of subdivision (d) of Section 1798.81.5, or whose email address in combination with a password or security question and answer that would permit access to the account is subject to an unauthorized access and exfiltration, theft, or disclosure as a result of the business's violation of the duty to implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect the personal information may institute a civil action" for statutory damages of $100 to $750 per consumer per incident (or actual damages, whichever is greater), injunctive or declaratory relief, and any other relief the court deems proper. The amounts are inflation-adjusted annually under § 1798.199.95.

Covered personal information under § 1798.150 — high-sensitivity credentials and identifiers. The private right of action applies only to breaches of:

• Personal information defined in § 1798.81.5(d)(1)(A): an individual's first name or first initial and last name in combination with any one or more of the following unencrypted/unredacted data elements: (i) Social Security number, (ii) driver's license or California ID number, tax ID, passport number, military ID, or other unique government-issued ID, (iii) account number or credit/debit card number in combination with any required security code or password permitting account access, (iv) medical information, (v) health insurance information, (vi) unique biometric data (fingerprint, retina, iris image, or digital photograph used for facial recognition), or (vii) genetic data; or

• Email address in combination with a password or security question/answer that would permit access to an online account (added by AB 3286, effective January 1, 2025).

The private right of action does not extend to breaches of personal information that fall outside this definition—standalone email addresses, browsing histories, purchase histories, or IP addresses not combined with authentication credentials—though such breaches may trigger California's breach-notification statute (§ 1798.82) and may be subject to CPPA administrative enforcement under § 1798.199.55.

Causation and the "reasonable security" defense. Section 1798.150(a)(1) requires the breach to occur "as a result of the business's violation of the duty to implement and maintain reasonable security." The business can defeat a § 1798.150 claim by demonstrating that it did implement reasonable security, even if a breach occurred. A zero-day exploit against fully patched systems, a sophisticated nation-state attack that defeated multifactor authentication and intrusion-detection systems, or an insider threat by a rogue employee with legitimate access credentials may not support a finding that the business violated § 1798.81.5, because reasonable security does not guarantee perfect security. Conversely, a breach resulting from unpatched known vulnerabilities, lack of encryption, absence of access controls, or failure to follow basic security hygiene (default passwords, no logging, no incident-response plan) will typically satisfy the causation element.

Geographic irrelevance: offshore breaches trigger the same liability. Section 1798.150 applies without regard to where the breach occurred. A California business that stores California-resident personal information with a Brazilian cloud provider, a Singapore data processor, or a Tokyo-based analytics firm faces the same § 1798.150 exposure as if the data were stored in a Sacramento data center. If a consumer's Social Security number and name are exfiltrated from a São Paulo server due to the Brazilian processor's failure to patch a known vulnerability, and the California business had contracted with that processor without requiring reasonable security procedures (violating § 1798.81.5(c)) or had failed to audit the processor's security posture (failing to implement reasonable security appropriate to the sensitivity of SSNs), the California business is subject to a private right of action under § 1798.150. The offshore location of the breach does not insulate the business from liability; the statutory duty runs to the California consumer, and the business is responsible for ensuring reasonable security across its entire data ecosystem.

30-day cure notice for statutory damages. Section 1798.150(b) requires a consumer, before initiating an action for statutory damages, to provide the business 30 days' written notice identifying the specific CCPA/CPRA provisions allegedly violated. If the business cures the violation within 30 days and provides an express written statement that the violation has been cured and no further violations will occur, no action for statutory damages may be initiated. However, § 1798.150(b) explicitly provides that "the implementation and maintenance of reasonable security procedures and practices pursuant to Section 1798.81.5 following a breach does not constitute a cure with respect to that breach." A business cannot avoid § 1798.150 liability by patching its systems or adopting new security controls after the breach has already occurred; the cure opportunity applies only to ongoing or prospective violations (e.g., missing privacy-policy disclosures, failure to provide a "Do Not Sell or Share" link), not to completed data breaches. Consumers initiating actions solely for actual pecuniary damages (not statutory damages) are not required to provide 30-day notice (§ 1798.150(b)).

CPPA cybersecurity audit regulations — heightened obligations for high-risk businesses, effective January 1, 2026. On July 24, 2025, the California Privacy Protection Agency Board adopted regulations implementing annual cybersecurity audit requirements for certain businesses, which became effective January 1, 2026 following approval by the Office of Administrative Law on September 22, 2025. CPPA Regulations Article 9 (§§ 7120–7124) requires businesses whose processing of consumers' personal information presents significant risk to consumers' security to complete an annual cybersecurity audit. A business must complete a cybersecurity audit if:

1. The business meets the CCPA/CPRA revenue or data-volume thresholds under § 1798.140(d)(1)(A) or (B) (gross annual revenues exceeding $25 million as adjusted for inflation, or annual buy/sell/share of personal information of 100,000+ consumers or households, or 200,000+ consumers or devices); and

1. The business meets any one of the following risk triggers (CPPA Reg. § 7120(b)):

• Derives 50% or more of annual revenues from selling or sharing consumers' personal information (§ 1798.140(d)(1)(C)); or

• Processes sensitive personal information (as defined in § 1798.140(ae), including SSN, driver's license number, financial account data, precise geolocation, health information, biometric/genetic data, and personal information of consumers under age 16) of 500,000 or more consumers, households, or devices annually; or

• Operates a large online platform meeting additional criteria specified in § 7120(b)(2) (as of June 2026, that subsection remains under regulatory development).

Businesses subject to the cybersecurity audit requirement have 24 months from January 1, 2026 (i.e., until December 31, 2027) to complete their first audit (CPPA Reg. § 7121(a)), and annually thereafter. The audit must be conducted by a qualified independent auditor (internal auditor or external third party, but with independence and expertise requirements under § 7122). The audit scope must assess the business's information systems that process personal information, including service providers' and contractors' systems to the extent they process California-resident personal information on behalf of the business (CPPA Reg. § 7123).

Cross-border implications of CPPA cybersecurity audit requirements. CPPA Reg. § 7050(h), effective January 1, 2026, requires service providers and contractors to make available to the business's cybersecurity auditor all relevant information the auditor requests to complete the audit, and prohibits the service provider or contractor from misrepresenting any fact relevant to the audit. This obligation applies regardless of the service provider's or contractor's location. A California business subject to the cybersecurity audit requirement and relying on an offshore processor (e.g., an Irish cloud-storage provider, a Philippine call center, a Brazilian analytics firm) must include that processor within the audit scope if the processor handles California-resident personal information, and the offshore processor must cooperate with the auditor—providing system architecture documentation, security-control matrices, penetration-test results, access logs, and incident-response records. If the overseas processor refuses to cooperate or claims that local data-protection law (GDPR, LGPD, PIPL) prohibits disclosure of audit materials to a California auditor, the California business faces a compliance gap: the CPPA regulations require audit coverage of the offshore processor's systems, and failure to complete the audit exposes the business to CPPA enforcement under § 1798.199.55.

Practical implication: security due diligence and contractual audit rights in cross-border engagements. Businesses subject to the CCPA/CPRA and transferring California-resident personal information to offshore processors should implement layered security and audit controls:

• Pre-engagement security assessment. Before disclosing California-resident personal information to an overseas service provider or contractor, conduct a security due-diligence review: request SOC 2 Type II reports, ISO/IEC 27001 certificates, penetration-test summaries, and evidence of security-incident history. Evaluate the processor's jurisdiction for legal and operational risks—government surveillance laws (CLOUD Act, national-security letters, Chinese Cybersecurity Law data-retention mandates), political stability, rule-of-law maturity, and enforceability of California contractual judgments.

• Contractual security and audit clauses. The § 1798.100(d) service-provider or contractor agreement (required to avoid triggering sale/sharing obligations) and the § 1798.81.5(c) contractual-security requirement should include enforceable audit rights: annual or on-demand security audits by the business or its designee, right to inspect the processor's facilities and systems, obligation to remediate identified vulnerabilities within specified timeframes, breach-notification timelines (typically 24–72 hours), and indemnification for breaches caused by the processor's security failures. If the business is subject to the CPPA cybersecurity audit requirement, the contract must grant the business's auditor access to all relevant information and systems under CPPA Reg. § 7050(h).

• Encryption and data minimization. Encrypt California-resident personal information at rest and in transit (AES-256 or stronger for data at rest, TLS 1.3 for data in transit). Encryption mitigates both the § 1798.150 private-right-of-action exposure (the statute applies only to "nonencrypted and nonredacted" personal information) and the California breach-notification obligation under § 1798.82 (notification not required if encryption key was not compromised). Minimize data transfers: disclose only the personal information necessary for the service provider or contractor to perform the specified business purpose, and configure systems to delete or anonymize California-resident data after the retention period expires.

• Ongoing monitoring and incident response. Implement logging, intrusion detection, and security-information-and-event-management (SIEM) systems that monitor access to California-resident personal information across domestic and offshore processors. Establish incident-response playbooks that cover cross-border breach scenarios: Which jurisdiction's breach-notification law applies? (California § 1798.82 applies to any business conducting business in California, regardless of incorporation or headquarters location.) What is the notification timeline? (§ 1798.82 requires "most expedient time possible and without unreasonable delay.") Who notifies the CPPA and California Attorney General if 500+ California residents are affected? (The California business, not the offshore processor, bears that obligation if it is the entity that owns or licenses the data.)

Contrast with GDPR Chapter V and other transfer-security regimes. The CCPA/CPRA does not regulate data transfers as such; it regulates security obligations that apply uniformly to domestic and offshore data. The EU GDPR imposes both transfer restrictions (Chapter V—adequacy, SCCs, BCRs, derogations) and security obligations (Art. 32—security of processing, appropriate technical and organizational measures). A California business subject to both regimes and transferring personal information to an offshore processor must satisfy both sets of requirements: GDPR Chapter V for the transfer mechanism (typically EU standard contractual clauses plus transfer-impact assessment and supplementary measures under Schrems II), and GDPR Art. 32 for security measures appropriate to the risk. The CCPA/CPRA adds the § 1798.81.5 reasonable-security obligation and the § 1798.150 private right of action but imposes no transfer-approval or transfer-mechanism requirement. The two regimes overlap on security but diverge on transfer governance.

Similarly, China's Personal Information Protection Law (PIPL) requires both a cross-border transfer mechanism (Art. 38–40: security assessment, standard contract, or certification) and security protections appropriate to the personal information being processed (Art. 51). Brazil's Lei Geral de Proteção de Dados (LGPD) enumerates transfer bases (Art. 33) and separately requires security measures (Art. 46–49). California law is substantively equivalent on security (the "reasonable security" standard under § 1798.81.5 and GDPR Art. 32's "appropriate technical and organizational measures" converge in practice on encryption, access control, logging, and incident response) but substantively different on transfer regulation: California has no transfer-adequacy framework, no standard contractual clauses, and no supervisory-authority approval process.

Enforcement landscape and § 1798.150 class-action litigation. As of June 2026, § 1798.150 has generated substantial class-action litigation. Plaintiffs have filed dozens of breach-related CCPA actions in California state and federal courts alleging unreasonable security under § 1798.81.5 and § 1798.100(e). Early dispositive-motion rulings have turned on pleading standards (whether plaintiffs adequately alleged that the breach resulted from unreasonable security, not merely that a breach occurred), standing (whether plaintiffs suffered concrete injury sufficient for Article III standing in federal court), and the "per incident" damages multiplier (whether "per incident" means per breach event or per affected consumer per breach). No appellate court has yet definitively interpreted "reasonable security" or the causation element, though trial courts have referenced industry frameworks (CIS, NIST, ISO 27001) as benchmarks. The California Attorney General has not issued formal guidance on what security measures are "reasonable" for cross-border data flows, and the CPPA's cybersecurity audit regulations (effective January 1, 2026) create audit obligations but do not define a safe-harbor set of security controls that would immunize a business from § 1798.150 liability.

Unable to confirm as of 2026-06-02 any published CPPA enforcement action alleging a violation predicated solely on failure to implement reasonable security for California-resident personal information stored or processed offshore, any CPPA advisory opinion on the extraterritorial reach of § 1798.81.5(c)'s contractual-security requirement, or any California appellate decision interpreting "reasonable security" in the context of cross-border service-provider relationships under § 1798.150.

Source: Cal. Civ. Code § 1798.81.5 (Reasonable Security Procedures and Practices) Source: Cal. Civ. Code § 1798.100 (General Duties of Businesses That Collect Personal Information) Source: Cal. Civ. Code § 1798.150 (Private Right of Action — Personal Information Security Breaches) Source: CPPA CCPA Regulations Article 9 (Cybersecurity Audits), §§ 7120–7124, effective January 1, 2026 Source: CPPA Announcement: California Finalizes Regulations on Cybersecurity Audits, Risk Assessments, ADMT, Insurance (Sept. 23, 2025)