Organisations established in the EU or the EEA are in most cases subject to the GDPR when they process personal data, but organisations established outside the EU or EEA may be subject to the GDPR too. Companies doing business in California, meanwhile, may be subject to the CCPA. But can an organisation be subject to both data protection laws at the same time? When does only one of them apply? And how should international companies deal with this?
While the US still lacks an overarching national privacy law, California's Consumer Privacy Act (CCPA) took effect in 2020. The CCPA was subsequently amended by the California Privacy Rights Act (CPRA). "CCPA" in this blog refers to the newest version of the CCPA, i.e. the one as amended by the CPRA. In short, the CPRA broadened the data protection rights of California consumers and adjusted the CCPA's scope of application. Companies that are subject to the CCPA have several responsibilities, such as responding to consumer requests to exercise their rights and explaining their privacy practices to consumers.
In general, the CCPA applies to for-profit companies doing business in California and collecting personal information of California residents. It generally does not apply to companies that conduct all of their business outside of California or that are not-for-profit.
More specifically, the CCPA applies to any business that:
But keep in mind that the CCPA's concept of a "business" is quite broad. It also includes:
In general, the GDPR applies to organisations established in the EU, and to organisations not established in the EU that offer goods or services to, or monitor the behaviour of, data subjects who are in the EU.
More specifically, the GDPR applies to:
For a detailed explanation of the concepts “establishment in the EU”, “offering goods or services in the EU” or “behavioural monitoring of data subjects in the EU”, please see our earlier blog about the extraterritorial scope of the GDPR. In general, these concepts are interpreted quite broadly.
There are some clear differences in the scope of application between the CCPA and the GDPR. Here are three key differences:
The third difference mentioned above is particularly important in answering the question of whether a company can be subject to GDPR and CCPA at the same time. Below, we will take a closer look at this with some examples.
The specific examples below illustrate the difference in territorial scope between the GDPR and the CCPA, and show when both data protection laws can apply at the same time.
Only the CCPA applies if this California-based company determines the purposes and means of the processing of California residents' personal information and meets one of the economic thresholds, and if it has no EU establishment and does not target EU data subjects (or users).
Only the GDPR applies if this company is not doing business in California. Even if the company has a US branch and the processing actually takes place within that branch, the company is still subject to the GDPR if the processing takes place in the context of the activities of the EU company. We are assuming here that every aspect of the company's commercial conduct takes place outside of California; otherwise, the CCPA might be applicable too.
The GDPR applies if the California-based company (or headquarters) has an EU establishment and processes personal data in the context of that establishment's activities. It is important to stress that an EU establishment does not require a legal entity or branch in the EU. In certain cases, a single employee with a laptop can already be considered an "EU establishment".
Assuming the California-based company meets the criteria to be subject to the CCPA, both the GDPR and the CCPA may apply to that company:
Both the CCPA and the GDPR may apply. The CCPA applies if the EU-based company does business in California, controls the processing of California residents' personal information and meets the economic thresholds above. The GDPR applies because the company processes personal data in the context of its EU establishment, regardless of whether any processing actually takes place there or whether any personal data of people located in the EU is being processed.
The GDPR applies if the California-based company "targets" EU data subjects, meaning that its processing activities relate to offering goods or services in the EU or to monitoring behaviour in the EU. For example, the California-based company runs a website selling goods with delivery available in at least one EU Member State, prices listed in euro and the option to view the website in the language of an EU Member State.
Only the GDPR applies if the company doesn’t meet the CCPA criteria. If the company meets the CCPA criteria, both the GDPR and CCPA may be applicable (see example 3).
In this case, the California company must appoint a GDPR representative! Appointing a representative (Article 27 GDPR) is mandatory whenever the GDPR applies to a controller or processor without an EU establishment, subject only to narrow exceptions for occasional, low-risk processing. Timelex acts as GDPR representative for several international clients. If you are looking for a GDPR representative, please contact us or book a call.
Yes, the GDPR and CCPA may apply simultaneously
The CCPA's territorial scope is based mostly on the location of the company's activities and on the residence of the users (consumers or data subjects) whose personal information is collected. The GDPR, on the other hand, has a broader extraterritorial reach. As the examples above show, this means that some companies can be subject to both of these laws at the same time.
So, what do I need to do if the GDPR and CCPA apply simultaneously?
The GDPR and the CCPA certainly share a common basis, but there are differences. For example, the GDPR requires a lawful basis before processing starts, whereas the CCPA largely relies on consumers opting out of the sale or sharing of their personal information, and the deadlines and formalities for handling access and deletion requests differ between the two laws.
So, how should your organisation deal with these regulatory differences?
Your organisation may decide to bring all of its data processing practices into compliance with both the CCPA and the GDPR, or it may choose to apply only the GDPR to all or part of its processing activities, or it may choose to apply the GDPR in its EU establishment and the CCPA in its California establishment…
An organisation’s data protection compliance strategy should be tailored to its commercial and data processing activities. It is therefore advisable to seek the advice of a specialist legal adviser who understands the needs of your organisation and who is familiar with both sets of legislation (the GDPR and the CCPA).
Do you still have questions or would you like an introductory meeting? Book a free 15-minute call with Bernd at bernd.lawyer.brussels (reserved for organizations).