Strike Graph security compliance blog

CCPA / CPRA compliance: What you need to know

Written by Michelle Strickler | May 4, 2022 7:00:00 AM

The California Consumer Privacy Act (CCPA) began as a ballot initiative sponsored by Californians for Consumer Privacy. The CCPA was signed into law on June 28, 2018 by Governor Jerry Brown as Assembly Bill 375 (AB 375), and became effective on January 1, 2020.

Since being passed, the CCPA has been amended twice (in September 2018 and October 2019), and Proposition 24, passed in November 2020, both amended and expanded it. So what exactly does the CCPA protect and who needs to comply? Let’s take a look.

The CCPA gives consumers more control over their personally identifiable information—or PII (often used interchangeably with ‘personal data’)—that businesses collect about them. This gives California residents the right to:

  • Know what personal information is being collected about them.
  • Know whether that data is sold or disclosed, and to whom.
  • Access their personal data.
  • Opt out of the sale of their personal data.
  • Request that a business delete any personal information about them as a consumer.
  • Not be discriminated against for exercising their CCPA rights.

Unlike publicly available information, which is information that is lawfully made available from federal, state, or local government records, personally identifiable information, or PII, is information that:

  • Identifies,
  • Describes,
  • Relates to,
  • Could be reasonably linked to (either directly or indirectly), or
  • Is capable of being associated with…

…a particular consumer or household. Some examples might include geolocation data, education- and employment-related information, internet activity (think your IP address), biometric data, and other personal identifiers.

When it comes to compliance, the CCPA and its regulations apply to businesses located both within and outside of California that collect any information from California residents or engage in transactions with Californians for the purpose of financial gain and that meet one or more of the following thresholds (or whose parent company or subsidiary does):

  • Has an annual gross revenue in excess of US $25 million (as adjusted for any increase in the Consumer Price Index in January of every odd-numbered year)
  • Holds (including buying, selling, receiving, or sharing) data containing personally identifiable information of 50,000 or more Californian consumers, households, or devices
  • Derives 50% or more of its annual revenues from selling consumers’ PII

So how can businesses prove compliance? The CCPA requires entities to provide a privacy notice disclosing how consumers’ PII is collected, used, and shared. It also requires them to:

  • Share how consumers can exercise their CCPA rights
  • Have at least two mechanisms for consumers to submit requests for information about, access to, or deletion of their PII
  • Provide consumers with the ability to opt out of the sale of their PII

While the CCPA doesn’t explicitly reference the requirement to train employees, it does require that “All individuals responsible for handling consumer inquiries about the business’s privacy practices or the business’s compliance with this title are informed.” This means that it’s a good idea to train your employees—especially those directly responsible for handling consumer inquiries about your company’s privacy practices.

What Now?

If the CCPA or CPRA applies to your business and you’re still not compliant, there’s no time to waste. At Strike Graph, we can bring you up to speed fast. We’ll provide step-by-step training and guidance so you can build out a compliance framework and breeze through every step of the compliance process.