California cracked down on data privacy — and it’s about to get even stricter.
Don’t risk CCPA penalties.
Not sure if your company is subject to the CCPA? Know it is but procrastinating on implementation? You could end up owing business-destroying fines.
Get CCPA compliant with Strike Graph.
With our platform, you can know for certain you’re in compliance with complex CCPA regulations — and rest easy knowing you won’t be slammed with unexpected penalties.
Strike Graph makes it easy to stay ahead of expanding privacy protections.
Be confident you’re doing it right.
The fact that there are different penalties for intentional and unintentional CCPR violations says it all — it’s tough to know exactly how to stay in CCPR compliance. Strike Graph’s platform simplifies the process so you know with certainty you’re safe from fines and building trust with your customers.
Save time with pre-loaded controls and policies.
Strike Graph’s library of CCPA-specific policies and controls means you don’t have to write a ton of documentation from scratch. Choose the parts that work for your situation and customize the rest — saving hours of work.
Easily transition from CCPA to CPRA.
Because Strike Graph’s platform functions across multiple frameworks and regulations, you won’t have to start from the ground up when California shifts to CPRA in 2023. Easily attach existing controls to the new CPRA framework, and you’ll be on your way to CPRA certification, too!
Here’s how it works.
Strike Graph simplifies the CCPA compliance process.
Set a foundation for your security and compliance posture.
Review controls and attach evidence.
Maintain CCPA compliance.
More and more companies are turning to Strike Graph for privacy support.
CCPA: Dig into the details.
Wondering exactly what the California Consumer Protection Act requires of businesses? Read on to get all the details.
What is the California Consumer Protection Act (CCPA)?
The California Consumer Privacy Act (CCPA) gives consumers more control over the personally identifiable information (PII) that businesses collect about them. CCPA secures new privacy rights for California consumers, including the right to know about the PII a business collects about them, the right to delete PII collected, the right to opt out of the sale of their PII, and the right to non-discrimination for exercising their CCPA rights.
The CCPA gives consumers a number of rights in regard to their PII:
- Know whether personal data is collected
- Know which personal data is being collected
- Know specific categories of data a business collects
- Know categories of third parties with whom personal data is shared
- Know categories of sources of personal data
- Know the business or commercial purpose of collecting personal information
- Move (port) personal data
- Say no to the sale (or exchange) of personal data
- Delete personal data
Who needs to comply with CCPA?
The CCPA and its regulations apply to entities within California, as well as those located outside of California that engage in transactions with Californians for the purpose of financial gain OR collect any information from California residents. It also applies to any business that meets one or more of the following thresholds:
- Has an annual gross revenue of over $25 million USD
- Holds data containing personally identifiable information of 50,000 or more Californian consumers, households, or devices
- Derives 50% or more of its annual revenues from selling consumers’ PII
What are the specific requirements for CCPA compliance?
In order to be compliant, your business should disclose your CCPA obligations front and center on your website (and wherever else you collect consumer data). Ask consumers to opt in or out of sharing some or all aspects of their personal data, including information collected by pixels, cookies, and other tracking technologies.
Additionally, you need to share all privacy information with consumers in a central place on your website. This information should include the following:
- An opt out button
- A way for consumers to submit a Data Subject Access Request (DSAR)
- A way to capture, validate, and retain DSARs and enact Do Not Sell requests
When responding to a DSAR, you’ll typically need to access, modify, and delete data from your backend data management systems that host personal data.
How can my company demonstrate CCPA compliance?
You’ll need to create internal reports that demonstrate your compliance and — if you disclose personal information to third parties — show that you can send deletion requests and ensure they’re being followed. You’ll also need to maintain updated suppression lists and demonstrate they are being applied both internally and by third parties.
What are CCPA regulations and how many are there?
CCPA regulations provide guidance on how to implement the CCPA. These regulations consist of six articles.
Includes title and scope and definitions
Includes methods for submitting requests to know and requests to delete, responding to requests to know and requests to delete, service providers, requests to opt out, requests to opt in after opting out of the sale of personal information, training, record-keeping, and requests to know or delete household information
Includes general rules regarding verification, verification for password-protected accounts, verification for non-account holders, and authorized agents
Includes consumers under 13 years of age, consumers 13 to 15 years of age, and notices to consumers under 16 years of age
Includes discriminatory practices and calculating the value of consumer data
What is a Data Subject Access Request (DSAR)?
A Data Subject Access Request (DSAR) allows people to make their desire to access, change, and control the data businesses collect about them known. Your company will need to provide methods for people to register these requests and respond accordingly. Such disclosures include data covered 12 months before the request.
DSARs include people seeking to know what data your organization holds about them, your intentions for collecting and using that data, to correct their data preferences, to exercise their “right to be forgotten” (to have an organization erase their records), and more.
What is the Do Not Sell Requirement?
When it comes to the consumer right to opt out of the sale of personal information, businesses are required to provide two or more methods for submitting such requests. These methods should require minimal steps to allow consumers to opt out and be easy for them to execute.
How do I get ready for the California Privacy Rights Act (CPRA)?
The California Privacy Rights Act (CPRA) will take effect on January 1, 2023 and replace the CCPA. The CPRA is widely viewed as California’s version of the GDPR. It gives consumers more control over their personal data and holds businesses more accountable for protecting the data they collect and process.
The CPRA will apply to any legal entity that
- Does business in the State of California, regardless of where the entity is located
- Collects consumers’ personal information
- Buys, sells, or shares the personal information of 100,000 or more consumers or households in a year OR derives 50% or more of its annual revenue from selling or sharing consumers’ data.
The Act also requires regulated businesses to provide CPRA training to employees dealing with consumer inquiries related to company privacy practices, as well as anyone responsible for the organization’s CPRA compliance.
Can’t find the answer you’re looking for? Contact our team!
Want to learn more about how Strike Graph can help with CCPR compliance?
Fill out the form below and one of our privacy experts will be in touch ASAP. We’re looking forward to showing you around.