The CCPA data privacy law was established in California to criminalize data theft and to give its residents more control over the personal data collected about them by companies that fall under its jurisdiction. The CCPA was later updated and amended, creating the CPRA proposition, which came into effect on January 1, 2023. The new law is similar to the CCPA but includes several adjustments.
Your company is located in the EU and you think the CCPA doesn't affect you?
Think again. Read on, and we'll explain why your European business probably needs to be CCPA and CPRA compliant, too.
Although these regulations are based in California, they have global effects and may also apply to companies in the European Union (EU). This is because CCPA and CPRA cover companies that collect and process personal data of California residents, regardless of where the company is located.
The EU has its own data privacy law, the General Data Protection Regulation (GDPR), which applies to companies that process personal data of EU citizens. CCPA and CPRA are similar to the GDPR in many ways and share many of the same principles, such as data privacy, data security and data safety.
However, the GDPR is applied on a much bigger scale and covers all organizations handling EU citizens' data, irrespective of whether the business is based in Europe or outside. There are no other criteria for assessing whether one must comply with the law.
The CCPA, on the other hand, is enforced if a company collects data from California citizens AND meets the following criteria:
The company has revenue of more than $25 million, or gains 50% of its revenue from selling personal data.
The company processes the data of more than 50,000 users (a threshold raised to 100,000 users under the CPRA).
The CCPA and CPRA therefore apply to any business, whether operating in California or anywhere else in the world, that profits from collecting data on California residents and meets the revenue and data processing thresholds above.
Read a comparison of different worldwide regulations in our article: Data Privacy Laws explained.
Both regulations are comparable to the European privacy law, the GDPR, which the European Union drafted on May 25, 2018. Although the CCPA and GDPR share the same purpose, their principles and rules differ.
In order to comply with the CCPA and CPRA, companies must follow certain guidelines, as we already described in our latest article. These include, for example, providing California residents with clear and concise information about their data privacy rights, giving them access to their data, and providing accurate statistics on the data collected and processed.
For non-compliance, CCPA and CPRA fines range from $100 to $7,500 per violation.
If your company is located in Europe and sells, shares, or collects personal data of California residents, it is crucial to be aware of the CCPA and CPRA regulations.
Assess whether your business falls under both laws' standards to prepare your organization for compliance.
Drawing up a thorough plan and training your team in cybersecurity will help you process sensitive information without committing serious violations and risking penalties.
In addition, update your business policies and database strategies to protect consumer rights. In prioritizing security, you're protecting users and preventing damage to your company.
Constantly keep up with the latest updates concerning data privacy laws to stay on track.
Finally, ditching old and complicated systems and replacing them with applications that regulate and manage data processing will ensure compliance with CCPA and any other data privacy law.
Andreas Springer _Actonic_
Head of Marketing
Actonic GmbH
Germany