Products
By Use Cases By Roles
Data Command Center
View
Learn more

AI Security & Governance

Discover, assess, and safeguard AI usage

Learn more

Data Access Intelligence & Governance

Identify which users have access to sensitive data and prevent unauthorized access

Learn more

Asset and Data Discovery

Discover dark and native data assets

Learn more

LLM Firewall

Secure your GenAI applications with distributed and context-aware LLM firewalls

Learn more

Data Privacy Automation

PrivacyCenter.Cloud | Data Mapping | DSR Automation | Assessment Automation | Vendor Assessment | Breach Management | Privacy Notice

Learn more

Sensitive Data Intelligence

Discover & Classify Structured and Unstructured Data | People Data Graph

Learn more

Data Flow Intelligence & Governance

Prevent sensitive data sprawl through real-time streaming platforms

Learn more

Data Consent Automation

First Party Consent | Third Party & Cookie Consent

Learn more

Data Catalog

Automatically catalog datasets and enable users to find, understand, trust and access data

Learn more

Data Lineage

Track changes and transformations of data throughout its lifecycle

Learn more

Data Security Posture Management

Secure sensitive data in hybrid multicloud and SaaS environments

Learn more

Data Breach Impact Analysis & Response

Analyze impact of a data breach and coordinate response per global regulatory obligations

Learn more

Compliance Management

Automate Compliance with Global AI and Data Frameworks using Common Controls and Tests
Data Controls Orchestrator
View
Data Command Center
View
Sensitive Data Intelligence
View

Asset Discovery
Data Discovery & Classification
Sensitive Data Catalog
People Data Graph
Learn more

Privacy

Automate compliance with global privacy regulations

Data Mapping Automation

View

AI Security & Governance

View

Data Subject Request Automation

View

People Data Graph

View

Assessment Automation

View

Cookie Consent

View

Universal Consent

View

Vendor Risk Assessment

View

Breach Management

View

Privacy Policy Management

View

Privacy Center

View

Learn more

Security

Identify data risk and enable protection & control

Data Security Posture Management

View

AI Security & Governance

View

LLM Firewall

View

Data Access Intelligence & Governance

View

Data Risk Management

View

Data Breach Analysis

View

Learn more

Governance

Optimize Data Governance with granular insights into your data

Data Catalog

View

Data Lineage

View

Data Quality

View

AI Security & Governance

View

Compliance Management

View

LLM Firewall

View
Data Controls Orchestrator
View
Solutions
Technologies

Covering you everywhere with 1000+ integrations across data systems.

Snowflake

View

AWS

View

Microsoft 365

View

Salesforce

View

Workday

View

GCP

View

Azure

View

Oracle

View

Databricks

View

Learn more

Regulations

Automate compliance with global privacy regulations.

US California CCPA

View

CPRA
California Privacy Rights Act

View

European Union GDPR

View

Thailand’s PDPA

View

China PIPL

View

Canada PIPEDA Compliance Solution

View

Brazil's LGPD

View

+ More

View

Learn more

Roles

Identify data risk and enable protection & control.

Privacy

View

Security

View

Governance

View

Marketing

View
Resources

Blog

Read through our articles written by industry experts

Collateral

Product brochures, white papers, infographics, analyst reports and more.

Knowledge Center

Learn about the data privacy, security and governance landscape.

Securiti Education

Courses and Certifications for data privacy, security and governance professionals.

Webinars

Learn from industry thought leaders why you need a Data Command Center to enable safe use of data.
Company

About Us

Learn all about Securiti, our mission and history

Partner Program

Join our Partner Program

Contact Us

Contact us to learn more or schedule a demo

News Coverage

Read about Securiti in the news

Press Releases

Find our latest press releases

Careers

Join the talented Securiti team

Knowledge Center » Data Privacy Automation

What is California Consumer Privacy Act (CCPA)

By Anas Baig | Reviewed By Omer Imran Malik

Published August 14, 2023 / Updated March 3, 2024

After the promulgation of the General Data Protection Regulations (GDPR) in the European Union (EU), the California Consumer Privacy Act (CCPA) was the next data privacy regulation that had a significant impact for organizations all across the world.

The CCPA is a data privacy law that mandates companies to become better custodians of their consumers' personal information and is often seen as the U.S. counterpart of the GDPR. The law came into effect on January 1, 2020, and has been enforced from the 1st of July 2020.

The CCPA has garnered a lot of attention due to California's historical influence in prompting other states to adopt new and progressive legislation.
It is expected that many states will adopt CCPA-like legislation in the face of the global debate relating to data privacy regulation and protection.
Several drafts being considered by Congress for a Federal data privacy law are reportedly very similar to the CCPA.
The CCPA was recently amended in November 2020 by the California Privacy Rights Act (CPRA), which provides additional obligations for covered entities and additional rights and protections to California consumers - the amendments will not come to force till January 1, 2023 though.

Here is an overview of this critical privacy regulation.

Right to Opt-in for Minors

Personal information containing minors' personal information cannot be sold by a business unless the minor (age of 13 to 16 years) or the Parent/Guardian (if the minor is aged below 13 years) opt-ins to allow this sale. Businesses can be held liable for the sale of minors' personal information if they either knew or wilfully disregarded the consumer's status as a minor and the minor or Parent/Guardian had not willingly opted in.

Right to Continued Protection

Even when consumers choose to allow a business to collect and sell their personal information, businesses' must sign written contracts with service providers and/or any other entities who process the data on behalf of the company or are sold the business's data for a specific business purpose. Businesses must also transmit consumer’s opt-out requests to their service providers and associated third parties.

Right to Access

The right to access allows consumers to request organizations to disclose the following personal information:

Information collected about them within the last 12 months
Sources from where the data was collected
Business or commercial use of information
Categories of third parties with which the information is shared
Types of personal information that was sold or disclosed by the company

This all needs to be provided within 45 days of the request.

Right to Opt-out

The right to opt-out mandates businesses to set up a "Do Not Sell My Information" button on the company's website and implement procedures to comply with its corresponding requirements. A business cannot re-ask a consumer for consent if they have chosen to opt-out for a period of 12 months. Consumers also retain the right to opt-out of the sale of their personal information, even after permitting its sale to a business, if a third party that bought the personal information wishes to sell it to another party.

Automating privacy operations across your organization

The multi-disciplinary practice to grow trust-equity of your brand and comply with privacy regulations.

Get the Book

“By leveraging the PrivacyOps constructs from this book across our organization we were able to not only save time and money but also mitigate the risks associated with manual methods of privacy management.”

- Marty Collins, Chief Privacy and Legal Officer, QuinStreet, Inc

Automating Compliance

Given the expanded definition of the term 'personal information and the tight time frame provided to businesses to respond to privacy disclosure, access, and deletion requests along with other requirements, complying with the CCPA can be very labor-intensive and costly.

Securiti's award-winning solution revolves around the concept of PrivacyOps, which utilizes robotic automation, artificial intelligence, and machine learning to automate compliance tasks, freeing up crucial resources for other areas of business.

Securiti helps businesses discover data over a wide range of internal and external systems, build a People Data Graph to link personal data to each individual, automate data access requests, assessments, consent management, and more.

The CCPA stands for California Consumer Privacy Act.

Nearly 500,00 organizations worldwide have been affected by the CCPA.

According to IAPP research, 95% of businesses are not prepared for the CCPA.

The CCPA fines are a maximum of $7,500 per violation with no upper cap.

CCPA exempts organization complying with the following:

HIPAA
Gramm-Leach-Bliley
Fair Credit Reporting Act

Securiti uses award-winning automation, machine learning, and AI to help reduce costs, liabilities, and human effort while helping your business comply effortlessly.

Key Takeaways:

Introduction of CCPA and CPRA: The CCPA, effective from January 1, 2020, with enforcement starting July 1, 2020, represents significant data privacy legislation in the U.S., akin to the EU's GDPR. The CPRA, an amendment to the CCPA passed in November 2020, adds further obligations and consumer rights, effective from January 1, 2023.
Consumer Rights under CCPA: The CCPA grants California residents rights regarding their personal information, including the rights to notice, erasure, opt-in for minors, protection post-consent, awareness, data sale, multiple request mechanisms, non-discrimination, access, and opt-out of data sales.
Definition of Personal Information: Under the CCPA, 'Personal Information' encompasses a broad range of data that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.
Compliance Criteria: For-profit entities doing business in California must comply with the CCPA if they meet any of the following: annual gross revenues exceed $25 million; buy, receive, sell, or share the personal information of 50,000 or more California residents, households, or devices annually; or derive 50% or more of their annual revenues from selling California residents' personal information.
Exemptions: Certain organizations, such as health providers under HIPAA, financial institutions under Gramm-Leach-Bliley Act, and credit reporting agencies under the Fair Credit Reporting Act, are exempt from the CCPA.
Cookie Law Compliance: The CCPA requires an opt-out regime for cookies, necessitating notices about cookie use, the right to opt-out of personal information sales, a privacy policy link, and opt-in consent for minors' information sales.
Penalties for Non-Compliance: The CCPA imposes penalties for non-compliance, including civil penalties up to $7,500 for intentional violations and $2,500 for unintentional violations. Consumers can also file private lawsuits for data breaches, with damages ranging from $100 to $750 per incident.
Automating Compliance with Securiti: Given the broad definition of personal information and the operational challenges in managing privacy requests and compliance, Securiti offers solutions based on PrivacyOps. This approach uses robotic automation, AI, and machine learning to automate compliance tasks, streamline privacy operations, and reduce the manual labor and costs associated with CCPA compliance.

CCPA stands for the "California Consumer Privacy Act." It's a comprehensive data privacy law enacted in California, USA, designed to give California residents greater control over their personal information held by businesses.

GDPR and CCPA are two distinct privacy regulations. GDPR is the General Data Protection Regulation, a European Union regulation governing data protection and privacy for individuals within the EU. CCPA, on the other hand, is a state level law that provides privacy rights to residents of California, USA.