    Your company can’t afford to ignore the California Privacy Rights Act.

    The deadline to transition from CCPA to CPRA has passed. Need to make the switch? Not sure if you have to? Strike Graph can help.


    California cracked down on data privacy — and now it's even stricter.


    Don’t risk CPRA penalties.

    Not sure if your company is subject to the CPRA? Know it is but procrastinating on implementation? You could end up owing business-destroying fines.


    Get CPRA compliant with Strike Graph.

    With our platform, you can know for certain you’re in compliance with complex CPRA regulations — and rest easy knowing you won’t be slammed with unexpected penalties.

    WHAT IS CCPA / CPRA?

    Why CPRA matters.

    The California Privacy Rights Act (CPRA) is an extension and modification of the California Consumer Privacy Act (CCPA) that enhances data privacy rights and consumer protection for California residents. CPRA introduces new provisions, expands individual rights, and creates more stringent data protection standards. It requires businesses to adhere to strict guidelines regarding the collection, use, and disclosure of personal information. Compliance with CPRA is vital for businesses operating in California, as it not only ensures adherence to state law but also signifies a commitment to robust data privacy practices, enhancing consumer trust in the evolving digital economy.


    Strike Graph makes it easy to stay ahead of expanding privacy protections.

    Be confident you’re doing it right.

    The fact that there are different penalties for intentional and unintentional CPRA violations says it all — it’s tough to know exactly how to stay in compliance. Strike Graph’s platform simplifies the process so you know with certainty you’re safe from fines and building trust with your customers.



    Save time with pre-loaded controls and policies.

    Strike Graph’s library of CCPA- and CPRA-specific policies and controls means you don’t have to write a ton of documentation from scratch. Choose the parts that work for your situation and customize the rest — saving hours of work.



    Easily transition from CCPA to CPRA.

    Because Strike Graph’s platform functions across multiple frameworks and regulations, you won’t have to start from the ground up to shift from CCPA to CPRA. Easily attach existing controls to the new CPRA framework, and you’ll be on your way to CPRA certification, too!



    Packed with useful features

    • In-house penetration testing
    • Cross-framework support
    • 55+ policy templates
    • Easy integrations

    Here’s how it works.

    Strike Graph simplifies the CPRA compliance process.

    Step 1

    Set a foundation for your security and compliance posture.

    You’ll complete an initial risk assessment to identify security and privacy gaps. Then, our platform walks you through every aspect of CPRA compliance.
    Step 2

    Review controls and attach evidence.

    Strike Graph comes preloaded with the controls you need based on your risk assessment. Use them as is or customize them for your company’s unique context.
    Step 3

    Maintain CPRA compliance.

    Strike Graph’s dashboard gives you peace of mind that you’re maintaining your company's CPRA compliance with automatic notifications and status updates.

    See what our customers have to say


    Say goodbye to compliance stress

    The team at Strike Graph is very hands-on, making my job a lot easier. From SOC 2 to ISO 27001, compliancy can be confusing, but Strike Graph provides the confidence that I have set my team up for success. Read more on G2.com

    - Ben W., Partnerships and growth specialist

    Strike Graph has quickly become core to our compliance efforts

    The platform makes managing your controls and evidence so easy, especially if you have multiple compliance frameworks you're working within (i.e. SOC2, HITRUST, ISO, etc.) Read more on G2.com

    — Executive sponsor, Information technology and services

    Strike Graph is your partner in compliance …

    Strike Graph is your one-stop shop to get your security audits going and completed in half the time. There are file repositories for security audits, automated security questionnaires, evidence repository, and great support from the customer success team. Whether you need evidence of HIPAA, SOC2, or ISO, you're in the right place. Read more on G2.com

    — Administrator, Information technology and services
    More and more companies are turning to Strike Graph for privacy support.

    CCPA: Dig into the details.

    Wondering exactly what the California Consumer Privacy Act requires of businesses? Read on to get all the details.

    What is the California Consumer Privacy Act (CCPA)?

    The California Consumer Privacy Act (CCPA) gives consumers more control over the personally identifiable information (PII) that businesses collect about them. CCPA secures new privacy rights for California consumers, including the right to know about the PII a business collects about them, the right to delete PII collected, the right to opt out of the sale of their PII, and the right to non-discrimination for exercising their CCPA rights.

    The CCPA gives consumers a number of rights in regard to their PII:

    • Know whether personal data is collected
    • Know which personal data is being collected
    • Know specific categories of data a business collects
    • Know categories of third parties with whom personal data is shared
    • Know categories of sources of personal data
    • Know the business or commercial purpose of collecting personal information
    • Move (port) personal data
    • Say no to the sale (or exchange) of personal data
    • Delete personal data

    Who needs to comply with CCPA?

    The CCPA and its regulations apply to entities within California, as well as those located outside of California that engage in transactions with Californians for the purpose of financial gain OR collect any information from California residents. It also applies to any business that meets one or more of the following thresholds:

    • Has an annual gross revenue of over $25 million USD
    • Holds data containing personally identifiable information of 50,000 or more Californian consumers, households, or devices
    • Derives 50% or more of its annual revenues from selling consumers’ PII

    What are the specific requirements for CCPA compliance?

    In order to be compliant, your business should disclose your CCPA obligations front and center on your website (and wherever else you collect consumer data). Ask consumers to opt in or out of sharing some or all aspects of their personal data, including information collected by pixels, cookies, and other tracking technologies.

    Additionally, you need to share all privacy information with consumers in a central place on your website. This information should include the following:

    • Your latest privacy policy describing consumer rights, including any state privacy policies that apply (like CCPA)
    • An opt out button
    • A way for consumers to submit a Data Subject Access Request (DSAR)
    • A way to capture, validate, and retain DSARs and enact Do Not Sell requests

    When responding to a DSAR, you’ll typically need to access, modify, and delete data from your backend data management systems that host personal data.

    How can my company demonstrate CCPA compliance?

    You’ll need to create internal reports that demonstrate your compliance and — if you disclose personal information to third parties — show that you can send deletion requests and ensure they’re being followed. You’ll also need to maintain updated suppression lists and demonstrate they are being applied both internally and by third parties.

    What are CCPA regulations and how many are there?

    CCPA regulations provide guidance on how to implement the CCPA. These regulations consist of six articles.

    Article 1: General provisions

    Includes title and scope and definitions

    Article 2: Notices to consumers

    Includes overview of required notices, notice at collection of personal information, notice of right to opt out of sale of personal information, notice of financial incentive, and privacy policy

    Article 3: Business practices for handling consumer requests

    Includes methods for submitting requests to know and requests to delete, responding to requests to know and requests to delete, service providers, requests to opt out, requests to opt in after opting out of the sale of personal information, training, record-keeping, and requests to know or delete household information

    Article 4: Verification of requests

    Includes general rules regarding verification, verification for password-protected accounts, verification for non-account holders, and authorized agents

    Article 5: Special rules regarding consumers under 16 years of age

    Includes consumers under 13 years of age, consumers 13 to 15 years of age, and notices to consumers under 16 years of age

    Article 6: Non-discrimination

    Includes discriminatory practices and calculating the value of consumer data

    What is a Data Subject Access Request (DSAR)?

    A Data Subject Access Request (DSAR) lets people state that they want to access, change, or control the data businesses collect about them. Your company will need to provide methods for people to register these requests and respond accordingly. Such disclosures cover data from the 12 months preceding the request.

    DSARs include requests to know what data your organization holds about a person and why you collect and use it, to correct data preferences, to exercise the “right to be forgotten” (to have an organization erase their records), and more.

    What is the Do Not Sell Requirement?

    When it comes to the consumer right to opt out of the sale of personal information, businesses are required to provide two or more methods for submitting such requests. These methods should require minimal steps to allow consumers to opt out and be easy for them to execute.

    How do I get ready for the California Privacy Rights Act (CPRA)?

    The California Privacy Rights Act (CPRA) took effect on January 1, 2023, replacing the CCPA. The CPRA is widely viewed as California’s version of the GDPR. It gives consumers more control over their personal data and holds businesses more accountable for protecting the data they collect and process.

    The CPRA applies to any legal entity that

    • Does business in the State of California, regardless of where the entity is located
    • Collects consumers’ personal information
    • Buys, sells, or shares the personal information of 100,000 or more consumers or households in a year OR derives 50% or more of its annual revenue from selling or sharing consumers’ data.

    The Act also requires regulated businesses to provide CPRA training to employees dealing with consumer inquiries related to company privacy practices, as well as anyone responsible for the organization’s CPRA compliance.

    Can’t find the answer you’re looking for? Contact our team!

    Additional Resources

    Check out more helpful guides from the Strike Graph team!

    CCPA

    CCPA: What you need to know

    May 4, 2022
    • CCPA

    Getting your business ready for CPRA

    July 21, 2022
    • CCPA
    The CPRA – California Privacy Rights Act – is here!

    January 13, 2023
    • CCPA/CPRA,
    • Security compliance

    Get your business ready for the California Privacy Rights Act (CPRA)

    July 21, 2022
    • CCPA/CPRA

    Want to learn more about how Strike Graph can help with CPRA compliance?

    Fill out the form below and one of our privacy experts will be in touch ASAP. We’re looking forward to showing you around.

      © 2025 Strike Graph, Inc. All Rights Reserved • Privacy Policy • Terms of Service • EU AI Act
