Privacy Compliance

US Privacy Compliance for Australian Businesses.

Selling to US customers? The CCPA — the California Consumer Privacy Act — and other US state privacy laws may apply to your business, even if you're based in Australia. We help you understand your obligations and get compliant.

Does the CCPA apply to Australian businesses?

Yes — if you meet the thresholds. The California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), applies to any for-profit business that collects personal information from California residents, regardless of where the business is physically located. There is no exemption for foreign companies.

The CCPA applies to your Australian business if you meet any one of these three thresholds:

  1. Revenue: Your annual gross revenue exceeds US$25 million
  2. Data volume: You buy, sell, or share the personal information of 100,000 or more California residents, households, or devices annually
  3. Revenue from data: You derive 50% or more of your annual revenue from selling or sharing California residents' personal information

The second threshold is the one that catches many Australian businesses by surprise. If your website or app has 100,000 unique visitors from California per year — which is roughly 275 visitors per day — and you collect any personal information from them (including through cookies and analytics tools), you likely meet this threshold.

"Personal information" under the CCPA is broadly defined. It includes names, email addresses, IP addresses, browsing history, purchase history, geolocation data, and any information that can be linked to a particular consumer or household. If you use Google Analytics, Meta Pixel, or similar tracking tools, you are collecting personal information from California residents.

Key CCPA requirements you need to know.

If the CCPA applies to your business, here are the core obligations you must meet:

Right to know

California consumers have the right to request that you disclose what personal information you have collected about them, the sources of that information, the purposes for collection, and the third parties with whom you have shared it. You must respond to these requests within 45 days.

Right to delete

Consumers can request that you delete their personal information. You must comply and direct any service providers or third parties who received the data to delete it as well, subject to certain exceptions (e.g., completing a transaction, legal obligations, security purposes).

Right to opt out of sale or sharing

This is one of the CCPA's most distinctive requirements. If you "sell" or "share" personal information — which under the CCPA includes sharing data with third-party advertisers and analytics providers — you must provide a "Do Not Sell or Share My Personal Information" link on your website. "Sharing" includes cross-context behavioural advertising, which means that if you use retargeting ads or share data with ad networks, this requirement likely applies.

Right to correct

Added by the CPRA, consumers can request that you correct inaccurate personal information. You must use commercially reasonable efforts to correct the information within 45 days.

Right to limit use of sensitive personal information

Also added by the CPRA, consumers can direct you to limit the use of sensitive personal information (such as precise geolocation, racial or ethnic origin, religious beliefs, health information, and financial account details) to only what is necessary for the services they requested.

Privacy policy disclosures

Your privacy policy must include specific CCPA-required disclosures: categories of personal information collected, purposes for collection, categories of third parties receiving data, consumer rights under the CCPA, and how to submit requests. This goes well beyond what the Australian Privacy Act requires.

Penalties for non-compliance.

CCPA enforcement is real, and the penalties are significant:

  • Civil penalties: The California Attorney General and CalPrivacy can impose fines of up to US$2,500 per unintentional violation and US$7,500 per intentional violation. These are assessed per violation, per consumer — meaning a single non-compliant practice affecting thousands of California users can result in millions of dollars in fines.
  • Private lawsuits (data breaches): The CCPA provides a private right of action for data breaches resulting from a business's failure to maintain reasonable security measures. Consumers can sue for statutory damages of US$100–750 per consumer per incident. A breach affecting 10,000 California users could mean exposure of US$1M–7.5M in statutory damages alone.
  • Enforcement actions: CalPrivacy has been actively investigating and enforcing since 2023. Recent enforcement actions have targeted companies of all sizes, including those outside the US. The agency has signalled that foreign companies are not exempt from enforcement.

Beyond financial penalties, non-compliance creates reputational risk. California consumers are increasingly privacy-aware, and a publicised enforcement action can damage trust with your US customer base.

Our CCPA compliance service.

  1. Compliance assessment.

    We assess which CCPA requirements apply to your business.

  2. Gap analysis & roadmap.

    We compare your current practices against CCPA requirements, identify gaps, and deliver a prioritised compliance roadmap with clear action items.

  3. Implementation support.

    We draft your CCPA-compliant privacy policy, create internal processes for handling consumer requests, and advise on technical implementation.

HIPAA compliance for business associates.

Generally speaking, a non-healthcare business is only required to comply with HIPAA when it handles 'protected health information' on behalf of a 'covered entity'.

A 'covered entity' is one of the following:

  • health care providers that transmit information in electronic form (doctors, clinics, psychologists, dentists, etc.);
  • health plan providers (health insurance companies, company health plans, Medicaid/Medicare); and
  • health care clearinghouses.

If you are handling protected health information on behalf of any of the above, then you are a 'business associate' and must do the following:

  • sign and comply with a Business Associate Agreement with the covered entity (one that complies with HIPAA rules);
  • comply with the 'Security Rule', which means that you need to:
    • appoint a security officer to oversee compliance;
    • perform and document a risk assessment;
    • implement administrative, physical and technical safeguards for protected health information;
    • have Business Associate Agreements in place with any subcontractors who will have access to protected health information;
    • maintain written policies and procedures in relation to security compliance; and
    • provide ongoing training to your personnel on HIPAA compliance;
  • deal only with the minimum amount of protected health information necessary to perform your obligations; and
  • report breaches of protected health information.

We can assist in preparing a Business Associate Agreement for covered entities to accept when working with you, and for your contractors/subprocessors to accept when working for you, along with a security and breach policy. There are also online HIPAA compliance providers that you might find helpful, particularly in respect of workforce training or data safeguards compliance (which are operational matters we cannot assist with).

US privacy compliance packages. Fixed fee — no hourly surprises.

All prices in AUD. 3–5 business day standard turnaround.

US Privacy Policy: AU$499 (one-off)

  • US privacy policy tailored to your business (addressing state privacy rights)

CCPA Compliance (most popular): AU$1,999 (one-off)

  • US privacy policy tailored to your business (addressing state privacy rights)
  • CCPA-compliant data processing agreement
  • CCPA-compliance assessment support
  • Guidance memo

HIPAA Compliance: AU$1,999 (for business associates)

  • Business associate agreements
  • Compliance and security policy
  • Guidance memo
  • 3–5 business day turnaround

Custom: contact us

  • Multi-regulation compliance
  • Ongoing advisory support
  • Vendor agreement review


Why work with us on CCPA compliance.

Stephen Drysdale is a California-admitted US attorney (Bar #354071) based in Sydney, also admitted in NSW and New Zealand. He understands both US privacy law and Australian privacy law — which means he can identify the gaps between what your Australian compliance covers and what the CCPA additionally requires, without starting from scratch.

Most Australian privacy consultants lack deep US legal expertise. Most US privacy attorneys do not understand the Australian Privacy Act. Stephen bridges both.

  • California Bar #354071
  • NSW Admitted
  • NZ Admitted

Common questions about CCPA compliance.

Not sure if the CCPA applies to your business?

Start with a free compliance assessment. We'll review your situation and tell you exactly where you stand.
