Cybersecurity is evolving — Strike Graph is leading the way.
Check out our newest resources.
Find answers to all your questions about security, compliance, and certification.
Find out why Strike Graph is the right choice for your organization. What can you expect?
Find out why Strike Graph is the right choice for your organization. What can you expect?
The California Consumer Privacy Act (CCPA) went into effect on January 1, 2020 — and ever since it has only become stricter. In fact, each CCPA violation can incur a penalty of up to $7,500.
In order to ensure your business is CCPA compliant, let’s first take a look at some of the basics: what CCPA is, who needs to comply, what happens if businesses aren’t compliant, and more.
Simply put, the CCPA gives consumers more control over the personally identifiable information (PII) that businesses collect about them.
According to the CCPA, PII is defined as information that identifies, describes, relates to, could be reasonably linked to (both directly or indirectly), or is capable of being associated with a particular consumer or household. Some examples of PII include biometric data, internet activity (like your IP address), education- and employment-related information, geolocation data, and other personal identifiers.
PII is not publicly available information, which is information that is lawfully made available from federal, state, or local government records.
The CCPA secures new privacy rights for California consumers when it comes to PII, including the right to know:
Consumers also have the right to move or port PII, delete PII that’s been collected, opt out of the sale or exchange of their PII, and not be discriminated against for exercising their CCPA rights.
The CCPA regulations consist of six articles, each providing guidance on how to implement it.
Article 1: General provisions — includes the title, scope, and definitions of the CCPA
Article 2: Notices to consumers — includes an overview of required notices, notice at collection of personal information, notice of right to opt out of the sale of personal information, notice of financial incentive, and privacy policy
Article 3: Business practices for handling consumer requests — includes methods for submitting requests to know and requests to delete, responding to requests to know and requests to delete, service providers, requests to opt out, requests to opt in after opting out of the sale of personal information, training, record-keeping, and requests to know or delete household information.
Article 4: Verification of requests — includes general rules regarding verification, verification for password-protected accounts, verification for non-account holders, and authorized agents.
Article 5: Special rules regarding consumers under 16 years of age — includes consumers under 13 years of age, consumers 13 to 15 years of age, and notices to consumers under 16 years of age.
Article 6: Non-discrimination — includes discriminatory practices and calculating the value of consumer data.
The CCPA and its regulations apply to any entity that engages in transactions with Californians for the purpose of financial gain or collects any information from California residents — whether the entity is located in California or not. It also applies to any business that meets one or more of the following thresholds:
If your business doesn’t meet the above thresholds, doesn’t engage in transactions with Californians for the purpose of financial gain, and doesn’t collect any information from California residents, then your organization is not required to adhere to CCPA. The CCPA also doesn’t apply to government agencies or nonprofit organizations.
However, even if CCPA is not explicitly required for your organization, it may be a good business decision to adhere to CCPA, as this will demonstrate your company’s commitment to privacy.
The CCPA impacts the entire organization. Therefore, any group within your company that collects or uses PII will need to ensure they’re safely and responsibly handling it.
Instead of having one person try to ensure compliance across multiple departments, it makes sense to choose a platform — like Strike Graph — that allows responsibility to be distributed across all the teams in your company:
Starting on July 1, 2020, the California Attorney-General began enforcing the California Consumer Privacy Act.
The CCPA states that companies have 30 days to comply with the law once regulators notify them of a violation. Should they fail to respond to consumer requests and/or have not responded to notifications within those 30 days, they may be penalized for up to $2,500 per unintentional violation, or $7,500 per intentional violation. These fines apply to a violation of any section of the CCPA.
And, not only businesses can be liable for a penalty. The CCPA’s section 1798.155 states that “any business, service provider, or other person that violates this title shall be subject to an injunction and liable for a civil penalty.”
If there is a data breach, consumers can also take action against companies to recover damages of up to $750 per violation.
For example, CCPA specifies that companies must have a clearly visible footer on their website(s) that offer consumers the option to opt out of data sharing. If they don’t, consumers can sue. They can also sue if they can't find out how their information has been collected or get copies of that information.
CCPA also assigns specific penalties should unauthorized access occur, whether through exfiltration, theft, a breach, or “disclosure as a result of the business’ violation of the duty to implement and maintain reasonable security procedures and practices.” Such violations allow for penalties of $100 to $750 per consumer per incident — or actual damages — whichever is greater.
With a compliance platform like Strike Graph’s, you can know for certain you’re in compliance with complex CPRA / CCPA regulations. We can help you simplify the process so you have confidence you’re safe from fines while building trust with your customers. Here’s how we do it:
An initial risk assessment will identify security and privacy gaps. Our platform will then walk you through every aspect of CPRA / CCPA compliance.
Strike Graph comes preloaded with the controls you need based on your risk assessment. Use them as is or customize them for your company’s unique context.
Our dashboard gives you peace of mind that you’re maintaining your company's CPRA / CCPA compliance with automatic notifications and status updates.
The security landscape is ever changing. Sign up for our newsletter to make sure you stay abreast of the latest regulations and requirements.
Strike Graph offers an easy, flexible security compliance solution that scales efficiently with your business needs — from SOC 2 to ISO 27001 to GDPR and beyond.
© 2024 Strike Graph, Inc. All Rights Reserved • Privacy Policy • Terms of Service
Find out why Strike Graph is the right choice for your organization. What can you expect?
Find out why Strike Graph is the right choice for your organization. What can you expect?