Do Turkish Companies Have to Comply With the California Consumer Privacy Act (“CCPA”)?

2 min read

Your business complies with the General Data Protection Regulation ("GDPR") and/or Turkish Personal Data Protection Law numbered 6698 and its secondary legislation ("PDPL"); but does it comply with the California Consumer Privacy Act ("CCPA"), which took effect on January 1, 2020? If your company needs to comply with the CCPA, some crucial differences should be taken into account in privacy compliance management.

Many businesses are in the process of complying with the GDPR and/or the PDPL; however, some of these businesses might need to comply with the CCPA, as well. When exactly would that be necessary? Compliance with the CCPA might especially be triggered for Turkish businesses providing cross-border services directly to California residents, such as E-commerce, gaming, streaming or payment services. In substance, if a Turkish business is doing business in the State of California and collects the personal information of a person residing in the State of California; it might need to comply with the CCPA, irrespective of the location of its main place of business. While the CCPA is not explicit as to the meaning of "doing business in the State of California", it can be interpreted by a reference to "consumer" and thus, any business collecting and/or selling information of California residents can be considered as "doing business in the State of California". A Turkish business may be subject to the CCPA if it meets any of the following criteria: (i) has annual gross revenue over USD 25,000,000, (ii) annually buys, sells, receives or shares for commercial purposes, the personal information of 50,000 or more consumers, devices or households, or (iii) derives 50 percent or more of their annual revenue from selling consumers' personal information.

Moreover, CCPA, GDPR and PDPL differ in terms of several concepts and scope of application. Therefore, if a Turkish business wishes to comply with the CCPA, it is important to know these differences. Hence, we have prepared the table below to demonstrate some of these differences. In order to get detailed information on the application of the CCPA, please refer to our client alert.


Click here to download full 'Do Turkish Companies Have to Comply With the California Consumer Privacy Act ("CCPA")?' PDF.


Selin Kaledelen (Associate) and Damla Çay (Associate) and Lidya Ercan (Legal Intern) of GKC Partners contributed to the development of this publication.


White & Case means the international legal practice comprising White & Case LLP, a New York State registered limited liability partnership, White & Case LLP, a limited liability partnership incorporated under English law and all other affiliated partnerships, companies and entities.

This article is prepared for the general information of interested persons. It is not, and does not attempt to be, comprehensive in nature. Due to the general nature of its content, it should not be regarded as legal advice.

© 2020 White & Case LLP