What to know about the CCPA

Proactive management of data privacy compliance to handle challenging CCPA requirements

What is the CCPA?


As the modern internet has changed the way we do business, the California Consumer Privacy Act (CCPA) was created to address growing data privacy concerns and protect consumers' rights. The California legislature passed the CCPA in 2018, and it took effect on January 1, 2020. The CCPA shares a similar framework and terminology with the General Data Protection Regulation (GDPR), establishing rights and protections for California residents and their personally identifiable information (PII). Any for-profit organization that collects consumers' personal information and meets one of the following thresholds must comply:

  • Gross Revenue >$25M
  • Buys, receives, sells, or shares the personal information of more than 50,000 consumers, households, or devices for commercial purposes
  • Derives 50% or more of its annual revenue from selling consumers’ personal information

Consumer Rights under the CCPA

The Right to Know

The Right to Delete

The Right to Opt-Out

The Right to Non-Discrimination

Best Practices: How to Comply

Compliance starts with a strategic plan and checklist. Below are a few tips to get going:

Update Privacy Policy to acknowledge that you are aware of GDPR

Review legal basis for processing personal data

Document all data that is collected and processed

Map personal information fields to each internal database (data mapping)

Appoint a person, team, or Data Protection Officer who can own data privacy

Maintain reporting metrics for auditing. Show auditors your data landscape, proof of purpose, and all data subject access requests completed to date

Meet the required deadlines (30 days to respond to requests)

CCPA: Fines and Penalties

Unintentional:

Maximum $2,500 per offense

Intentional:

Maximum $7,500 per offense

Consumer Private Lawsuit:

Between $100 and $750 per person

Frequently Asked Questions

California Attorney General
California Privacy Protection Agency
Any individual who has their permanent address in California
Customers of household goods and services, employees, business-to-business transactions
Yes, if you have consumers who reside in California
Consumers may only make most information requests twice a year and only for a 12-month look-back
An individual whose data is collected and processed.
An organization that collects data from one or more sources, provides some value-added processing, and repackages the result in a usable form.
The process of matching fields from one database to another.
A person who determines the purposes and means of the processing of personal data.
A third-party who processes personal data on behalf of the controller.
A business that knowingly collects and sells to third parties the personal information of a consumer with whom the business does not have a direct relationship.
The California Consumer Privacy Act (CCPA) is a law that gives California consumers who engage with businesses specific rights, including the ability to request how their private data is used. The CCPA helps ensure that companies protect personal information from misuse. The CCPA was signed into law in June 2018, setting the stage for additional regulation introduced by a subsequent California law, the California Privacy Rights Act (CPRA). The CCPA went into effect in January 2020, with enforcement starting on July 1st, 2020. The CPRA will go into effect on January 1st, 2023. The CCPA and CPRA have meaningful enforcement mechanisms in place, including significant fines and penalties for non-compliance.

CCPA compliance is substantial because it requires companies (irrespective of where they are domiciled) to be transparent about how they collect, use, process and share personal information (PI) and to implement specific data privacy controls to secure and protect consumer privacy. Personal information subject to CCPA compliance is information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household. Examples include name, telephone number, mailing address, social security number, driver's license number, email address, financial accounts, and more. The CCPA gives consumers control over their personal information. Consumer requests to exercise that control are called Data Subject Access Requests (DSAR) or Data Subject Requests (DSR). Consumer rights under the CCPA (and CPRA) include:
  • Right to Access (obtain a copy of personal information)
  • Right to Delete (delete personal information collected by the business)
  • Right to Do Not Sell My Information
  • Right to Correct (under CPRA)

The CCPA mandates that companies make it easy for consumers to submit a data request and comes with specific response SLAs. For example, a Right to Access request must be completed within 45 days of request submission, with a 45-day extension available for a legitimate business reason. When responding to a data request, the CCPA requires the receiving company to search through all of its data to identify personal information that belongs to the requestor and to respond in a timely manner. It is important for companies subject to the CCPA to consider a CCPA compliance software solution, like CYTRIO.

CCPA compliance impacts any business (irrespective of where it is domiciled) that collects, uses, processes, sells, or shares the personal information of California citizens. Every company that meets one of the three following criteria must comply with the CCPA:
  • Has annual revenue of at least $25 million; or
  • Collects, uses, processes, sells, or shares the personal data of at least 50,000 California citizens; or
  • Generates more than 50% of its revenue from the sale of personal data.

Impacts of CCPA compliance include:
  • Consumer personal information cannot be collected, used, processed, shared, or sold without consent. Businesses must tell consumers beforehand how they will use what they collect. They must also provide consumers with an option to opt out of future sharing of personal information.
  • Businesses must provide a mechanism for consumers to get a copy of, or to delete, their personal information, free of charge. They must disclose the categories of personal information they collect, the business purpose, and who they shared it with. The mechanism must be clearly stated in a Privacy Policy.
  • One of the more notable aspects of the CCPA is its expansive data discovery requirements. Under the CCPA, businesses must provide a customer, upon request, with a record of all the personal data they have collected, with a 12-month look-back. Companies will also need to disclose how personal information is currently being used and who has seen it.

The law allows for two separate enforcement mechanisms:
  1. Civil action by the California Attorney General, where fines range from $2,500 to $7,500 per violation
  2. Private right of action under section 1798.150 of the statute, which gives California consumers the right to sue businesses in certain circumstances. These claims can range from $100 to $750 per individual per violation

CYTRIO CCPA solutions help businesses comply with the California Consumer Privacy Act (CCPA) swiftly and cost-effectively. Using CYTRIO, organizations can eliminate 80%+ of manual tasks, resulting in significant time and cost savings, meet CCPA compliance response SLAs, and minimize the risk of regulatory fines, all while building consumer trust. Using the CYTRIO CCPA compliance SaaS platform, organizations can operationalize and automate Privacy Rights Management, meeting a complex set of CCPA compliance requirements through a secure data request intake portal, identity verification, AI-driven PI data discovery, classification, identity correlation, CCPA DSAR response orchestration, and detailed audit records. Learn more about CYTRIO's NextGen Privacy Rights Management Solution.

Why CYTRIO?

NextGen Privacy Rights Management

State of CCPA and GDPR Privacy Rights Compliance

Q3 2022 Research Report – 9,827 companies researched
