Foundations

Who Must Comply

GDPR and CPRA both apply broadly to organizations handling personal data, but the exact thresholds differ. Knowing whether your business falls under these laws is the first step in building a compliance strategy.

GDPR Scope

  • Applies to any organization worldwide that processes the personal data of individuals in the EU.

  • Applies regardless of company size, revenue, or location.

  • Covers both data controllers (deciding how/why data is used) and processors (handling data on behalf of controllers).

CPRA Scope

  • Applies to for-profit businesses that handle California residents’ personal information and meet one or more of these thresholds:

    • Gross annual revenue of $25 million or more.

    • Buy, sell, or share personal data of 100,000 or more consumers/households.

    • Derive 50% or more of annual revenue from selling or sharing personal data.

  • Applies to businesses outside California if they handle California consumer data.

Exemptions

  • GDPR: Some exemptions for personal/household use and law enforcement activities.

  • CPRA: Some exemptions for nonprofit organizations and certain regulated data (e.g., already covered by HIPAA or GLBA).

Example: SaaS Platform with Global Users

  • A startup in the U.S. offering a SaaS tool to EU customers must comply with GDPR, even if it has no European office.

  • If the same company has 120,000 California users and $15M revenue, CPRA applies because of the user threshold.

Quick Compliance Scope Checklist

  • Determine whether you process EU resident data (GDPR)

  • Check if you meet CPRA thresholds for revenue, user count, or revenue from data sales

  • Clarify your role: controller/business vs processor/service provider

  • Review exemptions to confirm if any apply

  • Document scope assessment for auditors or regulators

Conclusion

Compliance obligations are not limited by geography—GDPR and CPRA both reach beyond their borders. Any business handling EU or California resident data may be subject to these laws, making early scope assessment essential to avoid fines and ensure readiness.