AI Services Go Global, GDPR-CCPA Preparedness in a Nutshell

If you're preparing an AI service, you absolutely cannot overlook international privacy laws, especially GDPR (Europe) and CCPA (California, USA). You might think, "It was made in Korea, so why should I care about foreign laws?" But GDPR and CCPA apply based on the location of the user. In this article, we'll cover the applicability criteria, fines, and preparation strategies for GDPR and CCPA all at once.

💥 Helpful Tip

AI services are governed by the user's location, not the service's country of origin. Even a single user in Europe or the US can make your service subject to GDPR and CCPA.

  • Problem: Skipping initial preparation leads to skyrocketing development, legal, and marketing costs when fixing issues later.
  • Solution: Prepare from the start using a GDPR/CCPA readiness checklist. This article covers the essentials, so read it through to the end!

🇺🇸 CCPA (California Consumer Privacy Act)

CCPA is California's personal information protection law, effective since January 2020. It is considered the strongest personal information protection law in the U.S. and is a regulation that companies operating global services must strictly adhere to.

CCPA Application Criteria

  • Annual revenue of $25 million (approx. 34 billion KRW) or more: Based on global revenue; includes any entity with annual revenue exceeding $25 million, regardless of location (Korea, US, Japan, etc.).
  • However, final applicability requires meeting one of the following additional conditions:
    • Possession of data on 50,000 or more California residents
    • Data sales revenue constitutes 50% or more of total revenue

The applicability criteria are: global annual revenue of $25 million (approximately KRW 34 billion) or more, holding data on 50,000 or more California residents, or data sales revenue constituting 50% or more of total revenue. If any one of these applies, the entity is subject to the CCPA.

CCPA Application Example

  • Korean SaaS company, global revenue $30 million, 50,000 California users → ✅ CCPA applies
  • Same revenue, 10 California users → ❌ CCPA does not apply

Simply having high revenue isn't enough; the key is the connection to California residents' data. A defining feature of the CCPA is its 'opt-out' approach, granting consumers the right to refuse data sales, access their collection and sharing history, and request deletion.

🌍 GDPR (General Data Protection Regulation)

GDPR is the European Union (EU) and European Economic Area (EEA) personal data protection law implemented since May 2018. It is one of the world's strongest personal data protection regulations, centered on "user consent" and "personal data sovereignty."

GDPR Applicability Criteria

  • No revenue threshold! What matters is:
    • Services targeting EU/EEA residents
    • Providing 'goods or services' within the EU or 'targeting users'

Notably, regardless of revenue scale, GDPR applies unconditionally if EU users utilize your service or if you track user behavior within the EU. For example, an AI app developed in Korea becomes subject to GDPR if European users download and use it.

  • Korean startup, 1 European sign-up → ✅ GDPR applies
  • Korean influencer sends DM to 1 EU fan → ✅ GDPR likely applies

It applies if even one European user signs up or their behavior is analyzed. Small startups, even with zero revenue, are subject without exception.

GDPR·CCPA Violation Fines

🌍 GDPR Fines

The reason GDPR is so daunting is the scale of its fines. Violations can incur a maximum fine of 20 million euros (approx. 29 billion KRW) or 4% of global annual revenue, whichever is greater.

  • Up to €20 million (approx. ₩29 billion)
  • or 4% of global revenue → whichever is greater
  • GDPR Fine Example:
    • Annual revenue 10 billion KRW → 10 billion × 4% = 400 million → Maximum 400 million KRW fine
    • Annual revenue 1 trillion won → 1 trillion × 4% = 40 billion → capped at 20 million euros (29 billion)

Applies equally to small startups and large corporations, with fines increasing exponentially as revenue grows. It particularly guarantees strong user rights like the right to access, delete, and transfer data, as well as the right to be forgotten. Processing data without consent can lead to serious legal risks.

The higher the revenue, the higher the fines.

🇺🇸 CCPA Fines

  • $2,500 per violation (approx. 3.4 million KRW) → General violations
  • $7,500 (approx. 10.2 million KRW) for intentional violations
  • Individual/class action lawsuits possible → Bankruptcy risk if cases accumulate

Approximately 3.4 million won per violation, with intentional violations incurring fines of about 10.2 million won. As individual and class action lawsuits accumulate, the total litigation costs increase exponentially.

  • CCPA Fine Example:
    • 1,000 instances of personal data breach, intentional violation → 1,000 × $7,500 = $7.5M (approx. 10.2 billion KRW)

Fines range from a maximum of $2,500 (approx. 3.4 million won) per violation to $7,500 (approx. 10.2 million won) for intentional violations. As violations accumulate, they can lead to class action lawsuits, posing significant risk. For example, if 1,000 pieces of personal information are leaked, the total fine could soar to approximately 10.2 billion won if it's an intentional violation.

👉 CCPA is scary because of the 'number of cases', while GDPR is scary because of 'revenue'.

GDPR vs CCPA Key Comparison

| Item | GDPR | CCPA |
| --- | --- | --- |
| Applicability criteria | No revenue threshold; applies to EU/EEA users | Global revenue ≥ $25M + relevance to CA residents required |
| User rights | Right to access, delete, and transfer data; right to be forgotten | Right to access, delete, or refuse sale of data |
| Fines | Up to €20 million or 4% of global revenue (whichever is greater) | $2,500 per violation (general), $7,500 (intentional) |
| The scary part | The higher the revenue, the bigger the fine bomb | Accumulating violations leads to lawsuits + massive fines |

GDPR is scary because it's "user-based, regardless of revenue," while CCPA's scary point is "large corporations + California resident data."

In conclusion

  • GDPR: Prepare if you have even one European user!
  • CCPA: Global corporations + California user data, take note!

If violations occur involving tens of thousands of users, fines will be imposed at an unimaginable scale. Preparing early can reduce future risks and costs by 99%.
