
California Consumer Privacy Act (CCPA)

California Privacy Rights Act (CPRA)

It's about consumer data privacy.

The California Consumer Privacy Act, or CCPA, is a state-level statute intended to enhance privacy rights and consumer protection for residents of California, United States. Officially called AB-375, the bill was passed by the California State Legislature and signed into law on June 28, 2018. It amended Part 4 of Division 3 of the California Civil Code. It went into effect on January 1, 2020, and enforcement began on July 1, 2020.

The CCPA was the first comprehensive privacy law in the United States. It provides a variety of privacy rights to California consumers. Businesses regulated by the CCPA have a number of obligations to those consumers, including disclosures, General Data Protection Regulation (GDPR)-like consumer data subject rights (DSRs), an "opt-out" for certain data transfers, and an "opt-in" requirement for minors.*

In November of 2020, California voters passed Proposition 24, the California Privacy Rights Act, or CPRA. The bill amended and extended the CCPA and created an administrative body, the California Privacy Protection Agency, or CPPA. The CPPA was given full authority and jurisdiction to implement and enforce the CCPA, update existing regulations, and adopt new ones. On April 21, 2022, rulemaking authority transferred from the California Attorney General to the CPPA. This transfer was approved by the California Office of Administrative Law (OAL) on May 5, 2022.

*Has anyone actually selected their age when choosing "Accept" in the toast or message for cookies?

What Does That Mean?

Do I Have To Do This?

The CCPA applies to companies doing business in California which satisfy one or more of the following:

  1. have a gross annual revenue of more than $25 million, or

  2. derive more than 50% of their annual income from the sale of California consumer personal information, or

  3. buy, sell, or share the personal information of more than 50,000 California consumers annually.

NOTE: Valuation of sharing personal information is somewhat subjective, and the CCPA equates sharing with selling/buying. An exchange does not need to have a dollar amount assigned to it to be considered of value, and this can change the criteria upon which you based your decision on compliance.

What If I Don't?

The CPPA will enforce the CCPA and has the power to issue non-compliance fines.

The CCPA also provides a private right of action which is limited to data breaches. Under the private right of action, damages can range between $100 and $750 per incident, per consumer.

The CPPA can also enforce the CCPA in its entirety with the ability to levy a civil penalty of not more than $2,500 per violation or $7,500 per intentional violation.

What Can You Do For Me?

We use AI/ML to scan the data being processed and categorize any potential PI/PII/PHI/ePHI/privacy violations.

We identify all components in your software supply chain, verifying that each is up-to-date, itemizing and ranking vulnerabilities if found, and determining the licensing requirements and your obligations for disclosure.

We analyze your software source code for hard-coded data and for production data that is embedded or in use for testing or any other reason.

 

We produce artifacts that can be used for integration and compliance as needed (SBOM, CPE, CVE, etc.).

...and so much more!
