Who needs to comply with the CCPA?

The California Consumer Privacy Act (CCPA) took effect on January 1, 2020, and the California Privacy Rights Act (CPRA), a ballot measure that amended and expanded it, took effect on January 1, 2023. Each violation can incur a civil penalty of up to $7,500.

To work out whether your business must comply with the CCPA, let's first take a look at the basics: what the CCPA is, who needs to comply, what happens if a business is not compliant, and more.

What is the CCPA?

Simply put, the CCPA gives California consumers more control over the personal information that businesses collect about them. The statute's own term is "personal information"; this page uses the common shorthand PII (personally identifiable information) for the same thing.

What is considered PII?

The CCPA defines personal information as information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household. Examples include biometric data, internet activity (such as your IP address or browsing history), education- and employment-related information, geolocation data, and other personal identifiers.

Personal information does not include publicly available information, meaning information lawfully made available from federal, state, or local government records.

Consumer rights

The CCPA secures new privacy rights for California consumers when it comes to PII, including the right to know:

    • Whether personal data is collected
    • Which personal data is being collected
    • Specific categories of data a business collects
    • Categories of third parties with whom personal data is shared
    • Categories of sources of personal data
    • The business or commercial purpose of collecting personal information

Consumers also have the right to port their PII, to have PII that has been collected deleted, to opt out of the sale (and, under the CPRA, the sharing) of their PII, and not to be discriminated against for exercising their CCPA rights.

The six articles of the CCPA

The CCPA regulations consist of six articles, each providing guidance on how to implement the law.

Article 1: General provisions — includes the title, scope, and definitions of the CCPA

Article 2: Notices to consumers — includes an overview of required notices, notice at collection of personal information, notice of right to opt out of the sale of personal information, notice of financial incentive, and privacy policy

Article 3: Business practices for handling consumer requests — includes methods for submitting requests to know and requests to delete, responding to requests to know and requests to delete, service providers, requests to opt out, requests to opt in after opting out of the sale of personal information, training, record-keeping, and requests to know or delete household information.

Article 4: Verification of requests — includes general rules regarding verification, verification for password-protected accounts, verification for non-account holders, and authorized agents.

Article 5: Special rules regarding consumers under 16 years of age — includes consumers under 13 years of age, consumers 13 to 15 years of age, and notices to consumers under 16 years of age.

Article 6: Non-discrimination — includes discriminatory practices and calculating the value of consumer data.

Which companies are affected by the CCPA?

The CCPA applies to for-profit entities that do business in California, collect California residents' personal information (or have it collected on their behalf), determine the purposes and means of processing it, and meet at least one of the following thresholds. It does not matter whether the entity is located in California:

  • Derives 50% or more of its annual revenues from selling (and, under the CPRA, sharing) consumers' personal information
  • Annually buys, receives, sells, or shares the personal information of 50,000 or more California consumers, households, or devices (the CPRA raised this to 100,000 consumers or households as of January 1, 2023)
  • Has annual gross revenue of over $25 million USD (a figure the CPRA requires to be adjusted periodically for inflation)

Entities that control, or are controlled by, a covered business and share common branding with it are also covered. If your business does not meet any of the thresholds, or does not collect personal information from California residents, then your organization is not required to adhere to the CCPA. The CCPA also does not apply to government agencies or nonprofit organizations.

However, even if CCPA is not explicitly required for your organization, it may be a good business decision to adhere to CCPA, as this will demonstrate your company’s commitment to privacy.

Who in my company is responsible for ensuring CCPA compliance and the safety of personal information?

The CCPA impacts the entire organization. Therefore, any group within your company that collects or uses PII will need to ensure they’re safely and responsibly handling it.

Instead of having one person try to ensure compliance across multiple departments, it makes sense to choose a platform — like Strike Graph — that allows responsibility to be distributed across all the teams in your company:

  • HR can ensure your employee data — as well as any third-party vendors that process it — is CCPA compliant.
  • Sales and Marketing can take responsibility for PII, including knowing which cookies and other tracking technologies are associated with a particular person.
  • Customer Service can register Data Subject Access Requests (DSAR) and respond accordingly.
  • IT can document internal assets and systems, carry out data mapping exercises, and manage any incidents.
  • Leadership and/or legal can monitor it all at a bird's-eye level, ensuring your organization's privacy policies follow CCPA requirements, making any necessary adjustments, managing updates, and more.

What happens if my company is not in compliance with the CCPA?

Starting on July 1, 2020, the California Attorney General began enforcing the California Consumer Privacy Act. Since the CPRA amendments took effect, the California Privacy Protection Agency (CPPA) shares enforcement authority with the Attorney General.

The original CCPA gave businesses 30 days to cure a violation after regulators notified them of it; the CPRA removed that guaranteed cure period, so whether a business is given time to cure is now at the regulator's discretion. Businesses that violate the law may be penalized up to $2,500 per unintentional violation or $7,500 per intentional violation (the CPRA also applies the $7,500 figure to violations involving consumers under 16). These fines apply to a violation of any section of the CCPA.

And, not only businesses can be liable for a penalty. The CCPA’s section 1798.155 states that “any business, service provider, or other person that violates this title shall be subject to an injunction and liable for a civil penalty.”

When consumers can sue

If a data breach results from a business's failure to maintain reasonable security, affected consumers can bring a civil action to recover damages of up to $750 per consumer per incident.

The private right of action is deliberately narrow. The CCPA does require, for example, a clear and conspicuous "Do Not Sell My Personal Information" link on a business's homepage (expanded by the CPRA to "Do Not Sell or Share My Personal Information"), and businesses must respond to requests to know and provide copies of the information they have collected. Failures there, however, are enforced by the Attorney General and the CPPA, not by consumer lawsuits: section 1798.150(c) states that the private right of action applies only to the breach scenario described below and may not be based on violations of any other section of the law.

Section 1798.150 applies when a consumer's nonencrypted and nonredacted personal information is subject to unauthorized access and exfiltration, theft, or disclosure "as a result of the business's violation of the duty to implement and maintain reasonable security procedures and practices." Consumers may recover statutory damages of $100 to $750 per consumer per incident or actual damages, whichever is greater, plus injunctive relief. Two practical points follow. First, before seeking statutory damages the consumer must give the business 30 days' written notice and an opportunity to cure, although the CPRA clarifies that implementing reasonable security after a breach does not by itself constitute a cure for that breach. Second, because the provision covers only nonencrypted and nonredacted data, encrypting personal information at rest and minimizing what is retained directly reduces statutory-damages exposure.

How to become CPRA / CCPA compliant

With a compliance platform like Strike Graph's, you can track your CPRA / CCPA compliance in one place. We help you simplify the process so you can reduce the risk of fines while building trust with your customers. Here's how we do it:

1. Set a foundation for your security and compliance posture.

An initial risk assessment will identify security and privacy gaps. Our platform will then walk you through every aspect of CPRA / CCPA compliance.

2. Review controls and attach evidence.

Strike Graph comes preloaded with the controls you need based on your risk assessment. Use them as is or customize them for your company’s unique context.

3. Maintain CPRA / CCPA compliance.

Our dashboard gives you peace of mind that you’re maintaining your company's CPRA / CCPA compliance with automatic notifications and status updates.
