CCPA and CPRA: Why do they even matter for EU companies?

The CCPA data privacy law was established in California to criminalize data theft and give its residents more control over the personal data collected about them by companies that fall under its jurisdiction. The CCPA was later updated and amended, creating the CPRA proposition, which came into effect on January 1, 2023. This new law is similar to the CCPA but includes several improvements.

Your company is located in the EU and you think the CCPA doesn't impact you?

You guessed wrong. Read on, and we'll explain why your European business probably needs to be CCPA and CPRA compliant, too.

How does the CCPA affect European companies?

Although these regulations are based in California, they have global effects and may also apply to companies in the European Union (EU). This is because CCPA and CPRA cover companies that collect and process personal data of California residents, regardless of where the company is located.

The EU has its own data privacy law, the General Data Protection Regulation (GDPR), which applies to companies that process personal data of EU citizens. CCPA and CPRA are similar to the GDPR in many ways and share many of the same principles, such as data privacy, data security and data safety.

When your European company should be CCPA compliant

However, the GDPR applies on a much broader scale and covers all organizations handling EU citizens' data, irrespective of whether the business is based in Europe or outside it. There are no other criteria for assessing whether one must comply with the law.

The CCPA, on the other hand, is enforced if a company collects data from California citizens AND falls under the following criteria:

  1. If a company has revenue of more than $25 million or gains 50% of its revenue from selling personal data.

  2. If a company processes data of more than 50,000 users. The CPRA raises this threshold to 100,000 users.

The CCPA and CPRA apply to any business, operating in California or anywhere else in the world, that profits from collecting data on California residents and meets the revenue and data processing thresholds.

Read a comparison of different worldwide regulations in our article: Data Privacy Laws explained. 

Both regulations are equivalent to the European privacy law GDPR that the European Union drafted on May 25, 2018. Although CCPA and GDPR share the same purpose, their principles and regulations differ. 

What do the guidelines look like?

To comply with the CCPA and CPRA, companies must follow certain guidelines, as we already described in our latest article. These include, for example, providing California residents with clear and concise information about their data privacy rights, and giving them access to their data and accurate statistics of the data collected and processed.

For non-compliance, CCPA and CPRA fines range from $100 to $7,500 per violation.

How to comply with CCPA in Europe

If your company is located in Europe and sells, shares, or collects personal data of California residents, it is crucial to be aware of the CCPA and CPRA regulations.

  • Assess whether your business falls under both laws' standards to prepare your organization for compliance.

  • Drawing up a thorough plan and training your team in cybersecurity will help you process sensitive information without committing severe violations and risking penalties.

  • In addition, update your business policies and database strategies to protect consumer rights. By prioritizing security, you're protecting users and preventing damage to your company.

  • Constantly keep up with the latest updates concerning data privacy laws to stay on track.

  • Finally, ditching old and complicated systems and replacing them with applications that regulate and manage data processing will ensure compliance with CCPA and any other data privacy law.

3 comments

Gaby
February 3, 2023

Hello Andreas,
thank you very much for this detailed information.

One question: do the thresholds named in the criteria refer to the year (annual value) or to the month (monthly value)?

Greetings from Germany - Gaby

Andreas Springer _Actonic_
February 16, 2023

Hello Gaby,

the thresholds refer to the year; it is always the annual revenue.

Here is some additional information: https://oag.ca.gov/privacy/ccpa#:~:text=The%20CCPA%20applies%20to%20for,%2C%20households%2C%20or%20devices%3B%20or

I hope we were able to help you!

Gaby
February 16, 2023

Hello Andreas,

Yes - thank you for your answer and the additional link. That is enough for us. MERCI
