Saviynt
Saviynt

California Consumer Privacy Act (CCPA)

What is the California Consumer Privacy Act (CCPA)?

The California Consumer Privacy Act (CCPA) is a California state regulation intended to protect consumers and enhance their privacy rights. The bill, officially called AB-375, was signed into law in 2018 and has been amended several times. The largest batch of amendments, in the form of the California Privacy Rights Act, became law in 2019.

What rights does the CCPA give consumers?

As outlined by the CCPA fact sheet provided by the California State Government, the CCPA grants new rights to California consumers, including:

  • The right to know what personal information is collected, used, shared or sold, both as to the categories and specific pieces of personal information
  • The right to delete personal information held by businesses and by extension, a business’s service provider
  • The right to opt-out of sale of personal information. Consumers are able to direct a business that sells personal information to stop selling that information. Children under the age of 16 must provide opt-in consent, with a parent or guardian consenting for children under 13.
  • The right to non-discrimination in terms of price or service when a consumer exercises a privacy right under CCPA

How does the CCPA define “personal information”?

Personal information is any “information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked (directly or indirectly) with a particular consumer or household such as a real name, alias, postal address, unique personal identifier, online identifier, Internet Protocol address, email address, account name, social security number, driver’s license number, license plate number, passport number, or other similar identifiers.”

Publicly available information is not considered personal information.

Which businesses are affected by the CCPA?

Despite only applying to California residents, from a practical standpoint, most large businesses need to be in compliance with the CCPA in order to easily do business in America. The aforementioned fact sheet outlines which kind of businesses need to adhere to the regulation:

The CCPA applies to any business where one of the following is true:

  • Has annual gross revenues in excess of $25 million
  • Buys, receives, or sells the personal information of 50,000 or more consumers or households
  • Earns more than half of its annual revenue from selling consumers’ personal information

Overseas businesses that meet those requirements are also liable if they ship items into California.

How do businesses achieve compliance with the CCPA?

The CCPA bill outlines the compliance requirements. In order to achieve compliance, businesses must do the following: 

  • Implement processes to obtain parental or guardian consent for minors under 13 years (and the affirmative consent of minors between 13 and 16 years) for data sharing purposes (Cal. Civ. Code § 1798.120(c)).
  • Include a “Do Not Sell My Personal Information” link on the home page of the website of the business that will direct users to a web page enabling them, or someone they authorize, to opt-out of the sale of the resident’s personal information (Cal. Civ. Code § 1798.135(a)(1)).
  • Designate methods for submitting data access requests including, at a minimum, a toll-free telephone number (Cal. Civ. Code § 1798.130(a)).
  • Update privacy policies with newly required information, including a description of California residents’ rights (Cal. Civ. Code § 1798.135(a)(2)).
  • Avoid requesting opt-in consent for 12 months after a California resident opts-out (Cal. Civ. Code § 1798.135(a)(5)).

There are some other provisions of the bill that should be taken into consideration: 

  • Companies, activists, associations, and others can be authorized to exercise opt-out rights on behalf of California residents (Cal. Civ. Code § 1798.135(c).
  • Privacy notices must be accessible and have alternative formats clearly communicated.
Table of Contents
  1. What is the California Consumer Privacy Act (CCPA)?
  2. Which business are affected by CCPA?
  3. How do businesses achieve compliance with the CCPA?
  4. What happens if you’re not in compliance with the CCPA?
  5. Key Differences between the CCPA and the GDPR
  6. Saviynt & the California Consumer Privacy Act (CCPA)
  7. Additional Resources

What Happens if You’re Not in Compliance

The CCPA bill outlines the following sanctions, penalties, and remedies that may be imposed for CCPA violations:

  • Companies that become victims of data theft or other data security breaches can be ordered in civil class action lawsuits to pay statutory damages between $100 to $750 per California resident and incident — or actual damages, whichever is greater — and any other relief a court deems proper. The California Attorney General’s Office has the option to prosecute the company instead of allowing civil suits to be brought against it (Cal. Civ. Code § 1798.150).
  • A fine up to $7,500 for each intentional violation and $2,500 for each unintentional violation (Cal. Civ. Code § 1798.155)

Key differences between GDPR and CCPA

The European General Data Protection Regulation (GDPR) is similar to the CCPA but there are some key differences. This article outlines some of the main differences. Among the most notable:

  • The definitions of personal information is different between the GDPR and CCPA. In some cases the CCPA only considers personal information to be consumer-provided. The GDPR applies to all personal data regardless of the source. The definition in GDPR is much broader since the CCPA does not cover publicly available information.
  • GDPR applies to all businesses that process the personal data of EU citizens and as such the scope of those businesses is much wider than the CCPA.
  • Penalties for violating the GDPR may be up to 4% of the company’s annual global turnover or 20 million euros (whichever amount is greater).

Saviynt & the California Consumer Privacy Act (CCPA)

Saviynt’s cloud-native, automated, and centralized governance and compliance platform includes real-time risk dashboards, SaaS-based SoD analysis, and reporting mapped to CCPA, SOX, PCI, FedRAMP, HIPAA, and more.

Understanding Compliance-as-a-Service

Accelerate Compliance Program Maturity

Standardize User Access

Scale Compliance with Risk Controls

Monitor Controls Continuously

Continuously Document Compliance Activities

Integrate with Behavior and Monitoring solutions

Saviynt’s built-in Risk Control Library and Unified Controls Framework leverage intelligent analytics to continuously monitor for anomalous access, enabling assured compliance-as-a-service. A continuous controls monitoring solution keeps an eye on risk-based access controls to meet stringent compliance mandates.

The Control Exchange accelerates compliance program maturity with its out-of-the-box control repository and a Unified Controls Framework cross-mapped across business-critical regulations, industry standards, platforms, and control types.

Additionally, the following compliance programs apply to Saviynt cloud services and maintain the confidence of our customers in the status of information security that we provide.

SOC 1 Type II Audit Report

ISO 27001:2013

SOC 2 Type II Audit Report

ISO 27017:2015

FedRAMP Moderate

Additional California Consumer Privacy Act (CCPA) Resources

Saviynt’s cloud-native, automated, and centralized governance and compliance platform includes real-time risk dashboards, SaaS-based SoD analysis, and reporting mapped to CCPA, SOX, PCI, FedRAMP, HIPAA, and more.

Understanding Compliance-as-a-Service

Saviynt’s built-in Risk Control Library and Unified Controls Framework leverage intelligent analytics to continuously monitor for anomalous access, enabling assured compliance-as-a-service. A continuous controls monitoring solution keeps an eye on risk-based access controls to meet stringent compliance mandates.

The Control Exchange accelerates compliance program maturity with its out-of-the-box control repository and a Unified Controls Framework cross-mapped across business-critical regulations, industry standards, platforms, and control types.

Additionally, the following compliance programs apply to Saviynt cloud services and maintain the confidence of our customers in the status of information security that we provide.

saviynt-featured-image-dark-1200x600-1.png

The True Cost of Non-Compliance

Learn more ›

Featured Image

Continuous Compliance Without Complexity or Compromise

Learn more ›

saviynt-featured-image-dark-1200x600-1.png

Identity Governance & Administration

Learn more ›

Get Started Today

See the Saviynt Enterprise Identity Cloud in action

Request a Demo

Products

Enterprise Identity Cloud Identity Governance & Administration Cloud Privileged Access Management Third-Party Access Governance Application Access Governance Data Access Governance Key Integrations

Customers

Saviynt + Gordon Food Services Saviynt + Origin Energy Saviynt + Wienerberger Saviynt + First Solar Explore Customer Successes

Resources

Content Hub Events & Live Webinars Identity Security Glossary Analyst Reports Community Customer Support Forrester TEI Estimator Saviynt Blog

Company

About Saviynt Leadership Partners Newsroom Careers Contact Us
Responsible Disclosure Policy
Privacy Policy
Copyright © 2022. Saviynt Inc. All Rights Reserved.