California Consumer Privacy Act (CCPA)

What is the California Consumer Privacy Act (CCPA)?

The California Consumer Privacy Act (CCPA) is a California state regulation intended to protect consumers and enhance their privacy rights. The bill, officially called AB-375, was signed into law in 2018 and has been amended several times. The largest batch of amendments, in the form of the California Privacy Rights Act, became law in 2019.

What rights does the CCPA give consumers?

As outlined by the CCPA fact sheet provided by the California State Government, the CCPA grants new rights to California consumers, including:

  • The right to know what personal information is collected, used, shared or sold, both as to the categories and specific pieces of personal information
  • The right to delete personal information held by businesses and, by extension, a business’s service providers
  • The right to opt out of the sale of personal information. Consumers are able to direct a business that sells personal information to stop selling that information. Children under the age of 16 must provide opt-in consent, with a parent or guardian consenting for children under 13.
  • The right to non-discrimination in terms of price or service when a consumer exercises a privacy right under CCPA

How does the CCPA define “personal information”?

Personal information is any “information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked (directly or indirectly) with a particular consumer or household such as a real name, alias, postal address, unique personal identifier, online identifier, Internet Protocol address, email address, account name, social security number, driver’s license number, license plate number, passport number, or other similar identifiers.”

Publicly available information is not considered personal information.

Which businesses are affected by the CCPA?

Although the CCPA applies only to California residents, from a practical standpoint most large businesses need to comply with it in order to do business easily in America. The aforementioned fact sheet outlines which kinds of businesses need to adhere to the regulation:

The CCPA applies to any business where one of the following is true:

  • Has annual gross revenues in excess of $25 million
  • Buys, receives, or sells the personal information of 50,000 or more consumers or households
  • Earns more than half of its annual revenue from selling consumers’ personal information

Overseas businesses that meet those requirements are also liable if they ship items into California.

How do businesses achieve compliance with the CCPA?

The CCPA bill outlines the compliance requirements. In order to achieve compliance, businesses must do the following: 

  • Implement processes to obtain parental or guardian consent for minors under 13 years (and the affirmative consent of minors between 13 and 16 years) for data sharing purposes (Cal. Civ. Code § 1798.120(c)).
  • Include a “Do Not Sell My Personal Information” link on the home page of the business’s website that directs users to a web page enabling them, or someone they authorize, to opt out of the sale of the resident’s personal information (Cal. Civ. Code § 1798.135(a)(1)).
  • Designate methods for submitting data access requests including, at a minimum, a toll-free telephone number (Cal. Civ. Code § 1798.130(a)).
  • Update privacy policies with newly required information, including a description of California residents’ rights (Cal. Civ. Code § 1798.135(a)(2)).
  • Avoid requesting opt-in consent for 12 months after a California resident opts out (Cal. Civ. Code § 1798.135(a)(5)).

There are some other provisions of the bill that should be taken into consideration: 

  • Companies, activists, associations, and others can be authorized to exercise opt-out rights on behalf of California residents (Cal. Civ. Code § 1798.135(c)).
  • Privacy notices must be accessible and have alternative formats clearly communicated.

What happens if you’re not in compliance?

The CCPA bill outlines the following sanctions, penalties, and remedies that may be imposed for CCPA violations:

  • Companies that become victims of data theft or other data security breaches can be ordered in civil class action lawsuits to pay statutory damages of between $100 and $750 per California resident and incident — or actual damages, whichever is greater — and any other relief a court deems proper. The California Attorney General’s Office has the option to prosecute the company instead of allowing civil suits to be brought against it (Cal. Civ. Code § 1798.150).
  • A fine up to $7,500 for each intentional violation and $2,500 for each unintentional violation (Cal. Civ. Code § 1798.155)

Key differences between GDPR and CCPA

The European General Data Protection Regulation (GDPR) is similar to the CCPA but there are some key differences. This article outlines some of the main differences. Among the most notable:

  • The definition of personal information differs between the GDPR and the CCPA. In some cases the CCPA only considers consumer-provided information to be personal information, whereas the GDPR applies to all personal data regardless of its source. The GDPR definition is also much broader because the CCPA does not cover publicly available information.
  • GDPR applies to all businesses that process the personal data of EU citizens and as such the scope of those businesses is much wider than the CCPA.
  • Penalties for violating the GDPR may be up to 4% of the company’s annual global turnover or 20 million euros (whichever amount is greater).

Saviynt & the California Consumer Privacy Act (CCPA)

Saviynt’s cloud-native, automated, and centralized governance and compliance platform includes real-time risk dashboards, SaaS-based SoD analysis, and reporting mapped to CCPA, SOX, PCI, FedRAMP, HIPAA, and more.

Understanding Compliance-as-a-Service

  • Accelerate compliance program maturity
  • Standardize user access
  • Scale compliance with risk controls
  • Monitor controls continuously
  • Continuously document compliance activities
  • Integrate with behavior and monitoring solutions

Saviynt’s built-in Risk Control Library and Unified Controls Framework leverage intelligent analytics to continuously monitor for anomalous access, enabling assured compliance-as-a-service. A continuous controls monitoring solution keeps an eye on risk-based access controls to meet stringent compliance mandates.

The Control Exchange accelerates compliance program maturity with its out-of-the-box control repository and a Unified Controls Framework cross-mapped across business-critical regulations, industry standards, platforms, and control types.

Additionally, the following compliance programs apply to Saviynt cloud services and maintain the confidence of our customers in the status of information security that we provide.

  • SOC 1 Type II Audit Report
  • SOC 2 Type II Audit Report
  • ISO 27001:2013
  • ISO 27017:2015
  • FedRAMP Moderate
