California CCPA and CPRA Compliance and Cybersecurity

Read Time: 6 min. Updated: September 1, 2023

The California Consumer Privacy Act (CCPA) is a state law which provides privacy rights and consumer
protections for the residents of California. The CCPA came into force in 2020 and has
since been amended by the California Privacy Rights Act (CPRA).

What is the CCPA/CPRA and what does it mean for your business?

California became the first US state with a comprehensive privacy and data protection law that covered all industries and niches, when it implemented the California Consumer Privacy Act (CCPA) in 2020. The statute provides residents of California with a variety of privacy rights to protect their personal information and allows them to decide how it may be used and for which purposes.

The most significant privacy rights granted under CCPA include:

  • the right to know if and how personal information is being used, shared or sold by commercial companies
  • the right to access or request deletion of personal information
  • the right to object to sale of personal information

The new rights were created by modifying Sections 1798.100, 1798.105, 1798.110, 1798.115 and 1798.120 of the California Civil Code.

Similarly to the European GDPR, the definition of “personal information” under the CCPA is pretty broad: “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household” and includes, among other things, names and any identifiers, IP and email addresses, biometric information and geolocation data. Importantly, a business is not allowed to discriminate against its customers for exercising their privacy rights under the statute (Section 1798.125).

From a technical viewpoint, the covered businesses must publish and maintain a privacy policy which includes a clear and specific description of how they collect and process personal data. Additionally, they must place a prominent hyperlink on their main page entitled “Do Not Sell My Personal Information” which enables their customers to easily opt out from having their personal data sold (as directed by Section 1798.135).

The California Privacy Rights Act (CPRA) (also known as Proposition 24) amended the CCPA and further enhanced the privacy regime in California. Most of the CPRA provisions came into effect on January 1, 2023.

The CPRA amendments granted supplementary privacy rights to individuals, for example:

  • the right to correct their personal data; and
  • the right to opt out from automated decision-making.

Furthermore, the CPRA introduced new and legally binding concepts of personal data minimization, purpose limitation and storage limitation. This means that covered businesses are only permitted to collect personal data as reasonably necessary and proportionate to achieve the purposes for which the personal information was collected or processed.

Interestingly, the CPRA pioneers privacy legislation by restricting usage of the so-called “Dark Patterns” that deliberately hinder, slow down or prevent users from making informed decisions or exercising their rights.

The act also introduces the concept of sensitive personal information, such as race, ethnicity, biometric or genetic data, that requires a higher degree of protection under the law - similar to that found under the GDPR.

Finally, the CPRA enhanced some of the previously existing rights such as data portability and mandatory opt-in for processing personal data of minors.

Who is covered by the CCPA/CPRA?

All commercial entities that conduct business in California are covered by the CCPA, as amended by the CPRA, regardless of their geographical location or main place of business, as long as they meet at least one of the following criteria:

  • have an annual revenue of at least 25 million USD
  • process personal data of 100,000 or more California residents
  • obtain 50% or more of their annual revenue from selling or sharing personal information.

Compared to the GDPR or PDPA in Singapore, this minimum threshold is rather generous for SMEs which might otherwise find compliance excessively burdensome. Public sector, non-profit organizations and some specific types of personal data already regulated by federal legislation, such as HIPAA, are likewise exempt from the CCPA. Importantly, healthcare organizations that process personal information that is not regulated by HIPAA are still subject to CCPA/CPRA provisions in relation to this information.

Who enforces CCPA/CPRA compliance?

The California Privacy Protection Agency (CPPA) is the state regulatory agency for privacy rights and related topics in California. The agency is empowered to investigate possible violations of CCPA/CPRA on its own initiative or upon a complaint received from any person.

However, it should be noted that the enforcement by the agency of certain CCPA amendments has been postponed until March 29, 2024.

What are the penalties for CCPA/CPRA violations?

Every violation of the CCPA may be punished by a monetary fine of 2,500 USD, while each intentional violation imposes a monetary fine of 7,500 USD as prescribed by Section 1798.155. The sanctions shall be assessed and claimed in a civil action brought by the California Privacy Protection Agency.

Additionally, pursuant to Section 1798.150, aggrieved consumers whose personal data is subject to unauthorized access, exfiltration, theft or disclosure stemming from CCPA infringement, may lodge a civil action in court and demand injunctive or declaratory relief, compensation of actual damages inflicted by the breach or, alternatively, statutory damages going up to 750 USD per individual in every incident.

What are the recent CPPA enforcement cases?

The first enforcement action under the CCPA was taken against beauty retailer Sephora in relation to an alleged breach of Section 1798.135 - specifically that the business had failed to explain to its website users that advertorial tracking technology (e.g. cookies) used on the website constituted a “sale” for purposes of the CCPA, and also failed to offer a way to opt out. The enforcement action - which was brought by the California Attorney General (before the California Privacy Protection Agency was established) - resulted in a settlement of 1.2 million USD in 2022.

In July 2023, the California Privacy Protection Agency announced a review of data privacy practices by manufacturers of vehicles which utilise connected vehicle (CV) technology, such as location sharing, in an effort to “understand how these companies are complying with California law when they collect and use consumers’ data”.

What are the cybersecurity requirements under CCPA/CPRA?

Protection of personal data under the CCPA is addressed by Section 1798.150, under which aggrieved individuals are eligible to recover damages or other relief for theft, loss or disclosure of their personal data caused by a business’s failure to implement and maintain reasonable security procedures and practices.

The CPRA expands Section 1798.185 by introducing express data protection and cybersecurity requirements for business entities whose processing of personal data may pose a significant risk by the nature of processed data, its size or volume. Any such businesses are required to:

  • perform a cybersecurity audit on an annual basis, including defining the scope of the audit and establishing a process to ensure that audits are thorough and independent; and
  • submit to the California Privacy Protection Agency on a regular basis a risk assessment with respect to their processing of personal information.

In a nutshell, covered businesses should implement a risk-based cybersecurity strategy, and regularly evaluate the efficiency and adequacy of their security controls to adequately mitigate the risks. They should also conduct continuous security monitoring, enhanced with regular penetration testing of systems that process or store personal information.

What are the data breach notification requirements in California?

Both the CCPA and CPRA leave regulation of data breach notification to the existing state law. Section 1798.29(a) of the California Civil Code requires a business, or state agency, to notify any California resident whose unencrypted personal information was acquired, or reasonably believed to have been acquired, by an unauthorized person.

Data breaches involving more than 500 California residents, as a result of a single breach of the security system, impose a duty to notify the Attorney General pursuant to Section 1798.29(e). This notification can be made online by using the data breach report form provided on the website of the Office of Attorney General.

What are the supply chain security requirements under CCPA/CPRA?

The CPRA imposes accountability for third-party vendors and suppliers. Businesses are required to implement a set of contractual clauses to control and audit how third parties process, handle and protect the entrusted personal data.

For instance, contracts with vendors and suppliers shall permit “the business to monitor the contractor’s compliance with the contract through measures, including, but not limited to, ongoing manual reviews and automated scans and regular assessments, audits, or other technical and operational testing at least once every 12 months” as a data security prerequisite for the provision of any service where personal data is accessible by the external provider.

Therefore, businesses covered by the CCPA should ensure they have a vendor risk management policy in place, to mitigate supply chain attacks and avoid harsh penalties for data breaches caused by negligent or careless suppliers.
