
CCPA and CPRA: Why do they even matter for EU companies?


The CCPA data privacy law was established in California to criminalize data theft and to give its residents more control over the personal data that companies under its jurisdiction collect about them. The CCPA was later updated and amended, creating the CPRA proposition, which came into effect on January 1, 2023. This new law is similar to the CCPA but includes several improvements and adjustments.


Your company is located in the EU and you think the CCPA doesn't impact you?

Guess again. Read on, and we'll explain why your European business probably needs to be CCPA and CPRA compliant, too.

How does the CCPA affect European companies?

Although these regulations are based in California, they have global effects and may also apply to companies in the European Union (EU). This is because CCPA and CPRA cover companies that collect and process personal data of California residents, regardless of where the company is located.

The EU has its own data privacy law, the General Data Protection Regulation (GDPR), which applies to companies that process personal data of EU citizens. CCPA and CPRA are similar to the GDPR in many ways and share many of the same principles, such as data privacy, data security and data safety.

When your European company should be CCPA compliant

However, the GDPR is applied on a much bigger scale and covers all organizations handling EU citizens' data, irrespective of whether the business is based in Europe or outside. There are no other criteria for assessing whether one must comply with the law.

The CCPA, on the other hand, is enforced if a company collects data from California citizens AND falls under the following criteria:

  1. If a company has revenue of more than $25 million or gains 50% from selling personal data.

  2. If a company processes data of more than 50,000 users; this threshold is raised to 100,000 users under the CPRA.

The CCPA and CPRA apply to any business, whether it operates in California or anywhere else in the world, that profits from collecting data on California residents and meets the revenue and data processing thresholds.

Read a comparison of different worldwide regulations in our article: Data Privacy Laws explained.

Both regulations are equivalent to the European privacy law GDPR that the European Union drafted on May 25, 2018. Although CCPA and GDPR share the same purpose, their principles and regulations differ.

What do the guidelines look like?

In order to comply with the CCPA and CPRA, companies must follow certain guidelines, as we already described in our latest article. These include, for example, providing California residents with clear and concise information about their data privacy rights, giving them access to their data and accurate statistics of the data collected and processed.

For non-compliance, CCPA and CPRA fines range from $100 to $7,500 per violation.

How to comply with CCPA in Europe

Suppose your company is located in Europe and sells, shares, or collects personal data of California residents; in that case, it is crucial to be aware of the CCPA and CPRA regulations.

  • Assess whether your business falls under both laws’ standards to prepare your organization for compliance.

  • Creating a thorough plan and training your team in cybersecurity will help you process sensitive information without committing severe violations and risking penalties.

  • In addition, update your business policies and database strategies to protect consumer rights. By prioritizing security, you're protecting users and preventing damage to your company.

  • Constantly keep up with the latest updates concerning data privacy laws to stay on track.

  • Finally, ditching old and complicated systems and replacing them with applications like Data Protection and Security Toolkit for Jira and Data Protection and Security Toolkit for Confluence that regulate and manage data processing will ensure compliance with CCPA and any other data privacy law.
