Despite being passed by the EU and California, these laws affect businesses that reside or operate in other jurisdictions.
For the GDPR, any firm that’s located outside the European Union but “offers free or paid goods and services or monitors the behavior of European Union residents” is subject to the regulations. Therefore, a business that doesn’t even operate in the European Union but gets web traffic from European countries falls under GDPR jurisdiction.
It’s less clear whether the CCPA applies to entities outside of California, as the language specifies “any organization that conducts business in the state of California.” There is some ambiguity regarding whether businesses that merely collect data on California residents are subject to the CCPA as they would be under the GDPR.
Some criteria for judging whether a business is subject to the CCPA include having gross revenue over $25 million, transacting with the personal information of more than 50,000 individuals, or earning more than 50% of revenue by selling consumer personal information and data.
In any case, all organizations based in North Carolina or other states should carefully examine whether they are in compliance with both the GDPR and CCPA. Companies that fail to comply with or enforce these regulations may face fines and other consequences.