It applies, but California has effectively zero enforcement capability if you're operating out of, say, Rhode Island.
The only outside scenario is if you get really large, and become a juicy target for the state to go after (and/or, e.g., you're large and doing something particularly aggressive in violation). The state simply could never afford the massive enforcement costs to go after every web site owner on earth external to California, so they'll obviously only target the big prizes.
Yes, the law applies to any "operator of a commercial Web site or online service that collects personally identifiable information through the Internet about individual consumers residing in California who use or visit its commercial Web site or online service."
The underlying logic is the following: "An operator of a commercial Web site or online service that collects personally identifiable information through the Internet about individual consumers residing in California who use or visit its commercial Web site or online service shall conspicuously post its privacy policy on its Web site." Basically what states/legislations are doing is protecting their citizens, therefore reversing that logic. So in theory I'd say yes.
I'm not too familiar with the extent of California's "long arm" with respect to websites, but CA tends to take the position that most any contact with the state gives CA jurisdiction (I'm probably a bit broad here). So, a website that collects info from CA residents could be seen as conducting business in the state and would be subject to this law. Physical presence is usually not a requirement.