California CCPA Compliance, CPRA and Cybersecurity

Read Time: 7 min.

The California Consumer Privacy Act (CCPA) is a California state law that, since January 1, 2020, grants the state's
residents a set of privacy rights and protections; these were significantly expanded by the
California Privacy Rights Act (CPRA), which comes into force in 2023.

What is CCPA/CPRA and what do they mean for your business?

California became the first US state with a comprehensive privacy and data protection law covering all industries and niches. The California Consumer Privacy Act (CCPA), enacted in 2018 as AB 375 and amended the same year by SB 1121, took effect on January 1, 2020. It provides residents of California with a variety of privacy rights to protect their personal information and to decide how, and for which purposes, it may be used.

ImmuniWeb can help you comply with CCPA / CPRA cybersecurity and data protection requirements.

The most significant privacy rights under the CCPA include the right to know whether and how personal information is collected, used, shared or sold by commercial companies, the right to access or request deletion of personal information, and the right to opt out of the sale of personal information, as specified in Sections 1798.100, 1798.105, 1798.110, 1798.115 and 1798.120 of the California Civil Code, which were added by the CCPA.

Similarly to the European GDPR, the CCPA's definition of “personal information” is broad: “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household”. It includes, among other things, names and any other identifiers, IP and email addresses, biometric information and geolocation data. Importantly, a business cannot discriminate against its customers for exercising their privacy rights under the statute (Section 1798.125).

From a technical viewpoint, covered businesses must publish and keep up to date a privacy policy that clearly and specifically describes how they collect and process personal data. Additionally, Section 1798.135 requires them to place a clear and conspicuous link entitled “Do Not Sell My Personal Information” on their homepage, giving customers a frictionless way to opt out of the sale of their personal data. Under the CPRA amendments the link becomes “Do Not Sell or Share My Personal Information”, covering sharing for cross-context behavioral advertising as well as sales.

The California Privacy Rights Act (CPRA), also known as Proposition 24, amends the CCPA and strengthens the existing privacy regime in California. Most of the CPRA provisions are scheduled to come into effect on January 1, 2023.

The CPRA amendments grant individuals supplementary privacy rights, for example the right to correct their personal data and the right to opt out of automated decision-making. For covered businesses, the CPRA introduces the legally binding concepts of data minimization, purpose limitation and storage limitation: a business may collect, use and retain personal data only as reasonably necessary and proportionate to the purposes for which it was collected and processed. Notably, the CPRA also restricts the use of so-called “dark patterns”, user interfaces designed to subvert or impair user choice by deliberately hindering, slowing down or preventing users from making informed decisions or exercising their rights; consent obtained through a dark pattern does not count as consent.

The CPRA likewise introduces the category of sensitive personal information, such as racial or ethnic origin, biometric or genetic data, precise geolocation, account credentials and government identifiers, which receives a higher degree of protection under the law, including a consumer's right to limit its use and disclosure.

Finally, the CPRA amendments enhance some previously existing rights, including data portability and the mandatory opt-in before selling or sharing the personal data of minors under 16.

Who is covered by CCPA/CPRA?

The CCPA has extraterritorial reach: it applies to for-profit entities that do business in California, regardless of their geographical location or principal place of business. However, the size of the business matters. Under Section 1798.140, the CCPA applies only to businesses that meet at least one of three thresholds: annual gross revenue above 25 million USD; buying, receiving, selling or sharing the personal information of 50,000 or more California consumers, households or devices per year; or deriving 50% or more of annual revenue from selling personal information. Compared to the GDPR or Singapore's PDPA, this threshold offers generous leeway to small and medium businesses for whom compliance could be excessively burdensome. The public sector and non-profit organizations are outside the scope of the CCPA, and certain types of personal data already regulated by federal legislation, such as protected health information under HIPAA, are exempt. Importantly, healthcare organizations that process personal information not regulated by HIPAA remain subject to the CCPA/CPRA provisions for that information.

Starting from 2023, the CPRA amends the CCPA's applicability thresholds. Under the CPRA, organizations that derive 50% or more of their annual revenue from selling or sharing personal information are covered, whereas the initial requirement referred only to selling personal data. On the other hand, the CPRA relaxes the regime for small and medium businesses by raising the 50,000 threshold to 100,000 consumers or households.

Who enforces CCPA/CPRA compliance?

For the time being, the California Attorney General (AG) enforces the CCPA and seeks the penalties provided by the statute. The CPRA creates a dedicated state agency, the California Privacy Protection Agency (CPPA), which takes over rulemaking and, starting from July 1, 2023, gains administrative enforcement powers, while the AG retains civil enforcement authority. The CPPA is the state regulatory agency for privacy rights and related topics in California and is empowered to investigate possible CCPA/CPRA violations on its own initiative or upon a complaint received from any person.

What are the penalties for CCPA/CPRA violations?

Under Section 1798.155, every violation of the CCPA not cured by the business within a 30-day grace period may be punished by a civil penalty of up to 2,500 USD, and each intentional violation by up to 7,500 USD. The penalties are assessed in a civil action brought by the Attorney General. The CPRA amendments remove the mandatory 30-day cure period (curing becomes a factor in the regulator's discretion) and apply the 7,500 USD penalty to violations involving the personal information of minors under 16, which is likely to increase the number of future enforcement actions and penalties.

Additionally, pursuant to Section 1798.150, consumers whose nonencrypted and nonredacted personal information is subject to unauthorized access and exfiltration, theft or disclosure as a result of the business's failure to implement reasonable security may bring a civil action and seek injunctive or declaratory relief and either compensation for actual damages or statutory damages of 100 to 750 USD per consumer per incident, whichever is greater. Because damages accrue per consumer, large-scale leaks or data breaches may cost businesses many millions.

What are the cybersecurity requirements under CCPA/CPRA?

Protection of personal data under the CCPA is addressed briefly but pointedly by Section 1798.150. Under that section, aggrieved individuals may recover actual damages or statutory damages for the theft, loss or disclosure of their personal information caused by the business's violation of its duty to implement and maintain reasonable security procedures and practices appropriate to the nature of the information. The statute itself does not define “reasonable security”; the California Attorney General's 2016 Data Breach Report pointed to the CIS Critical Security Controls as the minimum baseline, so a business that cannot show at least that level of control has little defense once a breach occurs.

Additionally, Section 1798.105 indirectly presupposes an incident detection and response program: covered companies are not required to comply with a deletion request where retaining the data is necessary to detect security incidents or to protect against malicious, deceptive, fraudulent or illegal activity.

The CPRA expands the original language of Section 1798.185, which empowers the Attorney General (and, under the CPRA, the CPPA) to solicit broad public participation and adopt regulations, by introducing express data protection and cybersecurity requirements for businesses whose processing of personal information presents a significant risk to consumers' privacy or security, taking into account the size and complexity of the business and the nature and scope of its processing:

  • Perform a cybersecurity audit on an annual basis, including defining the scope of the audit and establishing a process to ensure that audits are thorough and independent.
  • Submit to the California Privacy Protection Agency on a regular basis a risk assessment with respect to their processing of personal information.

In a nutshell, covered businesses should implement a risk-based cybersecurity strategy, regularly evaluate whether their security controls are effective and adequate to mitigate the identified risks, and combine continuous security monitoring with regular penetration testing of the systems that process or store personal information.

What are the data breach notification requirements in California?

Both the CCPA and the CPRA leave data breach notification to the existing state law. Section 1798.82(a) of the California Civil Code (Section 1798.29(a) for state agencies) requires a business to notify, in the most expedient time possible and without unreasonable delay, any California resident whose unencrypted personal information was acquired, or is reasonably believed to have been acquired, by an unauthorized person. The same duty applies to encrypted personal information where the encryption key or security credential was also acquired and is reasonably believed capable of rendering the data readable.

A breach affecting more than 500 California residents as a result of a single breach of the security system additionally triggers a duty to submit a sample copy of the notification to the Attorney General pursuant to Section 1798.82(f) (Section 1798.29(e) for state agencies). The submission is made online using the data breach report form on the website of the Office of the Attorney General.

What are the supply chain security requirements under CCPA/CPRA?

The CPRA amendments impose accountability for third-party vendors and suppliers. Under the enhanced privacy regime, a business that discloses personal information to a service provider, contractor or third party must bind it by a written contract whose clauses specify the purpose of the disclosure, require the same level of privacy protection the business itself owes, and let the business control and audit how the recipient processes, handles and protects the entrusted personal data.

For instance, contracts with vendors and suppliers shall “permit the business to monitor the contractor's compliance with the contract through measures, including, but not limited to, ongoing manual reviews and automated scans and regular assessments, audits, or other technical and operational testing at least once every 12 months”, a data security prerequisite to any service in which personal data is accessible to the external provider.

Therefore, businesses falling under the CCPA's jurisdiction are better off planning their vendor risk management policy in advance, both to mitigate supply chain attacks and to avoid harsh penalties for data breaches caused by negligent or careless suppliers.

