Can organisations be subject to both the GDPR and CCPA simultaneously?


EU-based or EEA-based organisations or companies are in most cases subject to the GDPR when processing personal data, but non-EU-based or non-EEA-based organisations may be subject to the GDPR too. On the other hand, companies doing business in California may be subject to the CCPA. But can organisations be subject to both data protection laws at the same time? And when does only one of these data protection laws apply? How should international companies deal with this?

What is the scope of the CCPA?

While the US still lacks an overarching national privacy law, California's Consumer Privacy Act (CCPA) took effect on 1 January 2020. The CCPA has since been amended by the California Privacy Rights Act (CPRA), most provisions of which took effect on 1 January 2023. “CCPA” in this blog refers to the newest version of the CCPA, i.e. the one as amended by the CPRA. In short, the CPRA broadened the data protection rights of California consumers and adjusted the CCPA’s scope of application. Companies that are subject to the CCPA have several responsibilities, such as responding to consumer requests to exercise their rights and explaining their privacy practices to consumers.

In general, the CCPA applies to for-profit companies doing business in California and collecting personal information of California residents. It generally does not apply to companies that conduct all of their business outside of California or that are not-for-profit.

More specifically, the CCPA applies to any business that:

  • determines the purpose and means of the processing of California residents’ personal information,
  • does business in the State of California, and
  • satisfies at least one economic threshold:
    • annual gross revenues above $25 million (as periodically adjusted for inflation) in the preceding calendar year,
    • alone or in combination, annually buys, sells or shares the personal information of 100,000 or more consumers or households, or
    • derives 50% or more of its annual revenues from selling or sharing consumers’ personal information.

But keep in mind that the CCPA’s concept of a business is quite large. It also includes:

  • entities that control or are controlled by, share common branding with, and share consumers’ personal information with a business, and
  • joint ventures or partnerships in which each business has at least a 40 percent interest.

What is the scope of the GDPR?

In general, the GDPR applies to EU organisations, and to organisations not established in the EU but offering goods or services or monitoring behaviour of data subjects in the EU.

More specifically, the GDPR applies to:

  • the processing of personal data by a controller or processor established in the EU, regardless of whether the processing itself takes place in the EU or not.
  • the processing of personal data of data subjects who are in the EU, by a controller or processor not established in the EU, where the processing activities are related to:
    • the offering of goods or services to data subjects in the EU, or
    • the monitoring of their behaviour as far as their behaviour takes place within the EU.

For a detailed explanation of the concepts “establishment in the EU”, “offering goods or services in the EU” or “behavioural monitoring of data subjects in the EU”, please see our earlier blog about the extraterritorial scope of the GDPR. In general, these concepts are interpreted quite broadly.

How do the GDPR and the CCPA compare in terms of scope?

There are some clear differences in the scope of application between the CCPA and the GDPR. Here are three key differences: 

  1. CCPA applies to for-profit businesses: first, the CCPA in principle only applies to for-profit businesses (meeting the economic thresholds above) that determine the purposes and means of the processing of personal information, while the GDPR also applies to processors and to non-profit entities.
  2. CCPA applies to the processing of personal information of “consumers”: second, the CCPA only applies when personal information of California residents (“consumers”) is involved, while the GDPR applies to organisations established in the EU regardless of whose data they are processing. Even for organisations not established in the EU, the criterion is broader: the GDPR applies to them if they target data subjects who are located in the EU (even temporarily); those data subjects do not have to be EU citizens or residents.
  3. CCPA applies to companies “doing business in California”: the third difference lies in the territorial scope: while the GDPR can apply to organisations that are not established in the EU, the CCPA only applies to companies doing business in California. But keep in mind that the CCPA’s territorial scope is broader than one might think. The CCPA only exempts commercial conduct that takes place wholly outside of California, so it still applies as soon as some aspect of a business’ commercial conduct takes place in California.

The third difference mentioned above is particularly important in answering the question of whether a company can be subject to GDPR and CCPA at the same time. Below, we will take a closer look at this with some examples.

A closer look at the difference in territorial scope between the GDPR and CCPA

We’ll look at some specific examples below to illustrate the difference in territorial scope between the GDPR and the CCPA, in order to determine whether both data protection laws can apply at the same time.

Example 1: a California based company processing personal information – Which law applies? 

Only the CCPA applies if this California based company determines the purpose and means of the processing of California residents’ personal information and meets one of the economic thresholds – and if it doesn’t have an EU establishment and it doesn’t target EU data subjects (or users). 

  • If the California based company has an EU establishment: see example 3.
  • If the California based company targets EU data subjects: see example 5.

Example 2: an EU-based company processing personal data – Which law applies?

Only the GDPR applies if this company isn’t doing business in California. Even if the company has a US branch and the processing actually takes place within that branch, the company is still subject to the GDPR if the processing is taking place in the context of the activities of the EU company. We’re assuming here that every aspect of the company’s commercial conduct takes place outside of California – otherwise, the CCPA might be applicable too.

Example 3: a California based company with an EU establishment – Which law applies?

The GDPR applies if the California based company (or headquarters) has an EU establishment and is processing personal data in the context of that establishment’s activities. It is important to stress that an EU establishment does not require a separate legal entity (e.g., a subsidiary) or a registered branch in the EU: what matters is the effective and real exercise of activity through stable arrangements. In certain cases, a single employee working from the EU with a laptop can already be considered an “EU establishment”.

Assuming the California based company meets the criteria to be subject to the CCPA, both the GDPR and CCPA may apply to that company:

  • If the data processed in the EU establishment is personal data of California residents, both the CCPA and GDPR apply to the processing.
  • If the EU establishment only processes data of data subjects other than California residents, the GDPR applies to the processing by the EU establishment and the CCPA applies to the activities of the Californian headquarters.

Example 4: an EU-based company doing business in California – Which law applies?

Both the CCPA and GDPR may apply. The CCPA applies if the EU-based company does business in California, controlling the processing of California residents’ personal information and meeting the economic thresholds above. The GDPR applies because the company is processing personal data in the context of its EU establishment – regardless of whether any processing is actually taking place there or whether any personal data of people located in the EU is being processed.

Example 5: a California based company targeting EU data subjects – Which law applies?

The GDPR applies if the California based company “targets” EU data subjects, meaning that the processing activities of the California based company are related to offering goods or services in the EU, or monitoring behaviour in the EU. For example, the California based company has a website selling goods with possible delivery in at least one of the EU Member States, prices listed in euro and options to view the website in the language of an EU Member State. 

Only the GDPR applies if the company doesn’t meet the CCPA criteria. If the company meets the CCPA criteria, both the GDPR and CCPA may be applicable (see example 3).

In this case, the California company must appoint a GDPR representative in the EU. Under Article 27 GDPR, appointing a representative is mandatory whenever the GDPR applies to a controller or processor that has no EU establishment, subject only to the narrow exceptions in Article 27(2) (occasional, low-risk processing that does not involve large-scale processing of special categories of data or criminal-conviction data). Timelex acts as GDPR representative for several international clients. If you are looking for a GDPR representative, please contact us or book a call.

Conclusion

Yes, the GDPR and CCPA may apply simultaneously

The CCPA’s territorial scope is mostly based on the location of the company’s activities and on the residence of the individuals (consumers) whose personal information is collected. The GDPR, on the other hand, has a broader extraterritorial application. As the examples above show, this means that some companies can be simultaneously subject to both of these laws.

So, what do I need to do if the GDPR and CCPA apply simultaneously?

The GDPR and the CCPA certainly share a common basis, but there are differences. For example, the way in which data subjects’ opt-out or access requests are handled may be different under the GDPR and the CCPA. 

So, how should your organisation deal with these regulatory differences? 

Your organisation may decide to bring all of its data processing practices into compliance with both the CCPA and the GDPR, or it may choose to apply only the GDPR to all or part of its processing activities, or it may choose to apply the GDPR in its EU establishment and the CCPA in its California establishment… 

An organisation’s data protection compliance strategy should be tailored to its commercial and data processing activities. It is therefore advisable to seek the advice of a specialist legal adviser who understands the needs of your organisation and who is familiar with both sets of legislation (the GDPR and the CCPA).

Do you still have questions or would you like an introductory meeting? Book a free 15-minute call with Bernd at bernd.lawyer.brussels (reserved for organizations).