Wondering about the differences between GDPR (General Data Protection Regulation) and CCPA (California Consumer Privacy Act)? You’re not alone. Grasping the similarities and differences between these two compliance standards is critical for any business handling personal data, as compliance is not a one-size-fits-all solution.
In this blog post, we provide a comprehensive comparison of how GDPR and CCPA define personal data, enforce user rights, and stipulate compliance, helping you identify the key actions for your data governance strategy and understand what each law means for your organization.
At their core, both the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA) are committed to bolstering individuals’ data privacy.
However, they also present unique characteristics:
Understanding where the CCPA and GDPR align and where they diverge is key for any organization that must comply with both.
Though their reach may vary, both GDPR and CCPA share an underlying objective: To significantly raise standards around user privacy protections. These frameworks compel organizations not just to secure personal data, but also affirmatively respect people’s rights.
Became effective: May 25, 2018
Protects: Natural persons (data subjects) in the EU and the wider European Economic Area, regardless of citizenship or residence
Targets: Data controllers and data processors. Any organization, including businesses, not-for-profits and e-commerce operators and their websites and mobile applications, that processes the personal data of people in the European Union (EU) and determines why and how it is processed is a data controller; a party that processes on a controller's behalf is a data processor.
User rights (high level):
Cookie opt-in/opt-out:
Possible fines: The penalty for non-compliance with the GDPR may be up to either:
Required oversight: A Data Protection Officer (DPO) must be appointed when the organization is a public authority, when its core activities involve large-scale regular and systematic monitoring of individuals, or when they involve large-scale processing of special categories of data. The DPO oversees compliance and is the contact point for the supervisory authority and for data subjects.
Enforced by: The national data protection (supervisory) authority of each Member State, with the European Data Protection Board coordinating cross-border cases
Became effective: Jan 1, 2020
Protects: Consumers who are California residents
Targets: Businesses operating in California that also:
Possible fines: Up to $2,500 per unintentional violation and up to $7,500 per intentional violation, with no maximum on the total; the amounts are periodically adjusted for inflation.
Required oversight: The CCPA has no equivalent requirement
Enforced by: California Attorney General and, since the CPRA, the California Privacy Protection Agency (CPPA)
Let’s look at the key differences in greater detail.
The GDPR and the CCPA both aim to protect personal privacy but adopt different scopes when it comes to what constitutes personal data and information. The GDPR broadly includes various types of data within its protective scope, while the CCPA specifically targets information pertinent to consumers, devices, and households in a narrower fashion.
Under the GDPR, personal data encompasses any information that can identify or be associated with a natural person who is either identified or identifiable.
This expansive interpretation includes not only conventional identifiers such as names and IP addresses but also data from wearable devices and location data, bringing a very wide range of information within the regulation's scope.
The notion of personal data incorporates sensitive elements concerning multiple facets of individual identity, such as:
This broad characterization is the foundation of the GDPR's approach: it recognizes the many ways identity can be inferred from data and the many ways personal data may be handled and put at risk.
Under the CCPA, personal information extends beyond mere data points. It encompasses details that characterize a particular consumer, their device, or household. The legislation defines this type of information in broad terms but with precision, encompassing any data that:
The definition is deliberately broad.
Because it covers households and devices as well as individuals, the CCPA reaches data that does not point to a single named person. It casts a wide net over many types of data, from biometric identifiers to internet search history, effectively bringing the routine online activity of California residents within its scope.
The two laws also address different kinds of entities: the CCPA applies to "businesses" as it defines them, while the GDPR regulates data controllers and processors. Each has its own set of obligations under its governing law.
Under the GDPR, data controllers are the entities that determine the purposes and means of processing personal data of people in the EU. These can be organizations of different kinds, including businesses and public authorities. Their responsibility is to ensure that all handling of personal data adheres to the GDPR from initial collection through to final processing and deletion.
Not only must these data controllers comply with regulations themselves, but they are also responsible for ensuring their appointed data processors operate within the parameters of GDPR compliance. This dual level of accountability reflects the regulation’s broad strategy in protecting individuals’ personal information, advocating a cooperative model where every party involved shares a commitment to uphold privacy standards.
The California Consumer Privacy Act (CCPA) applies to for-profit entities operating within the state that meet certain thresholds. To fall under its jurisdiction, a business must either:
Businesses meeting any one of these criteria are required to comply with CCPA mandates.
Through this strategic targeting, the CCPA ensures accountability among those enterprises that have significant influence over consumer privacy and pushes them toward adopting data handling practices that are both transparent and respectful of consumers’ private information.
While the user rights under the CCPA and GDPR overlap in certain respects, each law also has provisions of its own that reflect its objectives for safeguarding privacy.
The right to be informed and the right to data portability are common to both the GDPR and the CCPA, giving individuals insight into, and a measure of control over, how their data moves.
These common rights empower users to not only receive information about the processing of their personal data, but also to transfer it from one service provider to another, promoting a fluid data ecosystem that respects user autonomy.
Alongside these rights, both regulations mandate that organizations provide timely responses to user requests, ensuring that the dialogue between data subjects and entities is both efficient and constructive.
Although the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA) share some similarities, each regulation provides unique rights that mirror their separate goals.
The GDPR’s provision to challenge automated decision-making and profiling underscores the European Union’s dedication to creating digital environments with a human focus. In contrast, the CCPA offers individuals the right to opt out of both selling and sharing their personal information, which marks an era of increased consumer power in how personal data is commercially utilized.
These specific rights illustrate each law’s underlying philosophy toward protecting user privacy, from GDPR’s defense mechanisms against algorithmic control to CCPA’s protections designed as a defense against unwarranted trading of personal data. They capture what lies at the core of each framework—respecting individual autonomy over one’s own information in relation to data protection practices.
Both laws regulate data processing and consent, but they diverge in approach. The GDPR requires a lawful basis before any processing takes place, and where that basis is consent it must be obtained in advance. The CCPA instead adopts an opt-out approach, permitting collection by default and granting individuals the right to withdraw from specific uses of their data.
Under the GDPR, consent is one of six lawful bases for processing, and when an organization relies on it, consent cannot be treated as a mere formality. It must be freely given, specific, informed and unambiguous, signified by a clear affirmative action; pre-ticked boxes and silence do not count. Consent must adhere to several strict criteria.
Consent requests must be presented in clear and plain language, separate from other terms, and withdrawing consent must be as easy as giving it.
Consent is only one route. The GDPR sets out six lawful bases for processing: consent, performance of a contract, compliance with a legal obligation, protection of vital interests, performance of a task in the public interest, and legitimate interests. Processing is lawful only if it rests on one of these and meets the regulation's other requirements. For cookies specifically, the requirement to obtain prior consent for non-essential cookies comes from the ePrivacy Directive, which uses the GDPR's definition of consent.
Unlike the GDPR, the CCPA permits the default handling of personal information but ensures that consumers have options for opting out. This reflects an attempt to balance business activity with consumer rights by giving California residents the ability to withdraw from data collection as they see fit.
Under the CCPA, prior permission is generally not required to set cookies; instead, a straightforward mechanism for users to opt out of the sale or sharing of their information must be in place. This balances consumer interests against business needs.
Both the GDPR and the CCPA are equipped with their own arsenal of punitive measures designed to thwart non-compliance and uphold individuals’ data rights. The GDPR threatens tougher consequences, including higher fines for breaches, while the penalties associated with the CCPA also underscore the necessity of complying with its requirements.
The responsibility for implementing the GDPR’s rules lies with national data protection authorities throughout the EU. These regulators carry the authority to ensure compliance and have at their disposal formidable punitive measures that can significantly impact even well-established companies, imposing fines up to €20 million or 4% of a firm’s annual global turnover, depending on which amount is higher.
Such severe penalties send a clear warning to companies across the globe: take data protection seriously. The scale of the sanctions reflects how committed the EU is to protecting the privacy of people within its borders.
The CCPA is enforced by the California Attorney General and, since the CPRA, by the California Privacy Protection Agency, a dedicated regulator created by that amendment. Companies that fail to comply may be fined up to $7,500 for each intentional violation and up to $2,500 for each unintentional one.
The CCPA also gives consumers a private right of action, but only for certain data breaches: when nonencrypted and nonredacted personal information is exposed because the business failed to maintain reasonable security, the affected consumer can sue for statutory damages of $100 to $750 per consumer per incident, or actual damages if greater. Other violations are enforced only by the Agency and the Attorney General. This mechanism lets individuals hold corporations accountable for mishandling their information.
Navigating the complexity of data protection rules demands strategic planning and actionable measures. Adopting best practices, including Privacy by Design and utilizing compliance management tools, can act as navigational aids to steer companies through the intricacies of GDPR and CCPA compliance with assurance.
When organizations embrace these best practices and implement solutions, they are positioned to:
Thus, achieving compliance transcends mere adherence to a legal requirement. It becomes an intelligent investment in the longevity and success of a company’s future.
GDPR applies to any entity processing the personal data of people in the EU, whether or not the entity is based there, whereas the CCPA grants transparency and control over personal information specifically to California residents and targets businesses that do business in California, including out-of-state businesses that meet its thresholds.
Organizations handling personal data of people in the EU must adhere to the GDPR, and for-profit businesses doing business in California must comply with the CCPA if they exceed $25 million in annual gross revenue, buy, sell or share the personal information of 100,000 or more California consumers or households, or derive 50% or more of annual revenue from selling or sharing California residents' personal information.
No, the GDPR and CCPA do not share identical definitions for personal data and information. The GDPR articulates that it encompasses any information pertaining to an identified or identifiable natural person. On the other hand, under the CCPA, personal data is described as information that can be associated with a particular consumer, device, or household.
Organizations that fail to adhere to the GDPR may face penalties as steep as €20 million or 4% of their annual global turnover, whichever is higher. Under the CCPA, intentional violations can incur fines of up to $7,500 for each instance, and consumers can seek statutory damages of $100 to $750 per consumer per incident for qualifying data breaches.
Ensuring compliance with these regulatory standards is imperative for organizations in order to prevent significant monetary sanctions.
The California Consumer Privacy Act (CCPA) laid the groundwork for data privacy laws in the United States. With the California Privacy Rights Act (CPRA), approved by voters in November 2020 and in force for most provisions since January 1, 2023, privacy protections for California residents were strengthened, including new definitions for consent and sensitive personal information and additional business obligations.
The CPRA amended the CCPA with varied consent levels based on personal information usage, encompassing the traditional opt-out approach and opt-in consent in specific situations. In addition, Californians now have more rights under the CPRA, such as personal information relating to:
Under the CPRA’s amendment, consent is defined similarly to the General Data Protection Regulation (GDPR). For consent to be valid, it needs to be ‘freely given, specific, informed, and unambiguous,’ signified by an unambiguous indication or a clear affirmative action for a specifically defined purpose, which signifies agreement.
In this blog post, we’ll delve into CCPA cookie consent and implementing a compliant cookie policy. But first, let’s get crisp on whom CCPA applies to!
The CCPA/CPRA applies to businesses handling the personal information of Californians, regardless of their location. Its purpose is to provide privacy protection to California residents.
The CCPA imposes duties on for-profit businesses meeting any one of three criteria: annual gross revenue over $25 million, OR buying, selling, or sharing the personal information of 100,000 or more consumers or households (the original CCPA threshold was 50,000 consumers, households, or devices; the CPRA raised it), OR deriving 50% or more of annual revenue from selling or sharing California residents' personal information.
To comply, businesses must give the notices the law requires, including a clear link to a privacy policy that details the personal information collected and how it is used, and must honor the opt-out and consent rules the law sets. Note that under the CCPA/CPRA, cookies and other "unique identifiers" are treated as personal information.
Although the CCPA doesn’t generally demand user consent for cookies, there are particular scenarios where consent becomes necessary.
For example, businesses must obtain opt-in consent when it comes to minors’ personal information. Apart from that, the CCPA requires businesses to implement opt-out frameworks, providing users with clear ways to exercise their right to opt-out.
Businesses must also be aware of the CPRA's rules for sensitive personal information, such as health data or information about a person's race or ethnicity. Collecting it through cookies does not require opt-in consent, but consumers must be given a way to limit its use to what is necessary to provide the requested service. Opt-in consent is required only for the sale or sharing of personal information of consumers under 16. In all other cases, the CCPA operates on an opt-out model for cookies.
Third-party cookies, often used for tracking and advertising purposes, also fall under the purview of the CCPA. These cookies are usually placed on a user’s device by a website other than the one they are currently visiting, hence the name “third-party.” These cookies are often used to track a user’s internet activity and personalize advertising content.
Under the CCPA, businesses must clearly inform users about third-party cookies at or before the point of collection, and because data flowing to advertising partners through such cookies usually counts as a sale or as sharing, users must be given an easy and accessible way to opt out of it. Prior consent is not required except for consumers under 16.
Businesses must give users a clear way to opt out of the data flows that cookies enable. This is done with "Do Not Sell or Share My Personal Information" and "Limit the Use of My Sensitive Personal Information" links on the website, which allow users to exercise their rights under the CCPA. These links should be easily visible and accessible so that users can make informed decisions about the use of their personal information.
Keep in mind: businesses can consolidate these two links into a single, clearly labeled "Your Privacy Choices" link, provided both options are offered. By providing a user-friendly opt-out framework, businesses not only comply with the CCPA but also foster trust and transparency with their customers.
The CCPA/CPRA defines a sale as any exchange of personal information for monetary or other valuable consideration. This means that when a business transfers personal information to another entity in exchange for something of value, it is considered a sale. This includes:
Grasping the definition of a sale under the CCPA/CPRA is pivotal for businesses to comply with the law and safeguard their users’ personal information.
The CCPA places specific consent requirements on businesses when it comes to minors' personal information. When a business has actual knowledge that a consumer is under 16, it may not sell or share that consumer's personal information without opt-in consent: consumers aged 13 to 15 may opt in themselves, and for children under 13 a parent or guardian must give the consent. Businesses therefore need mechanisms to collect and record both kinds of opt-in.
Adherence to these consent requirements for minors allows businesses to obtain consent and comply with the CCPA, safeguarding the privacy and security of their younger users. This fosters a safe online environment where minors and their parents can feel confident in the handling of their personal information.
Several factors must be considered by businesses to formulate a CCPA-compliant cookie policy. These include identifying and categorizing cookies used on the website, ensuring transparency and disclosure, and providing accessible opt-out mechanisms.
The following subsections will guide you through each of these steps, helping you establish a compliant cookie policy for your business.
Businesses need to identify and classify the cookies used on their website, including their purposes and expiration dates. Classification is by purpose: strictly necessary (for example, the session cookie that keeps a user logged in), functional, analytics, and advertising or targeting cookies. Whether a cookie is set by the site itself or by a third-party domain, and whether it expires with the session or persists, also determines what the notice must say and whether the opt-out applies.
Do not confuse purpose categories with the Secure, HttpOnly and SameSite attributes. Those are security settings on the cookie itself: Secure keeps it off plaintext HTTP, HttpOnly keeps it out of reach of page scripts (which matters for authentication cookies), and SameSite limits when it is sent on cross-site requests, which protects against cross-site request forgery. Record both the purpose and the attributes of every cookie so that the policy is complete and the cookies themselves are hardened.
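The inventory step above can be automated from the Set-Cookie headers captured during a page load. The following is an added example, not code from the original post or from Thoropass: it parses each header, looks the cookie up in an assumed purpose register (`KNOWN_PURPOSES`, a constructed table standing in for the business's own records), decides whether the cookie is session or persistent and first- or third-party relative to the site host, and reports missing security attributes alongside the policy findings. The sample headers are constructed for the example.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Assumed purpose register, as a compliance team would keep it for its own
# cookies.  Names and purposes here are constructed for the example.
KNOWN_PURPOSES = {
    "sessionid": "strictly necessary",
    "_ga": "analytics",
    "ad_id": "advertising",
}


@dataclass
class CookieRecord:
    name: str
    value: str
    domain: Optional[str] = None
    path: str = "/"
    expires: Optional[str] = None
    max_age: Optional[int] = None
    secure: bool = False
    http_only: bool = False
    same_site: Optional[str] = None

    @property
    def persistent(self) -> bool:
        # No Expires and no Max-Age means the cookie dies with the session.
        return self.expires is not None or self.max_age is not None

    def purpose(self) -> str:
        return KNOWN_PURPOSES.get(self.name, "unclassified")

    def is_third_party(self, site_host: str) -> bool:
        # A Domain attribute that the site host does not domain-match marks a
        # cookie set by another site (an ad or analytics host).
        if self.domain is None:
            return False
        return not (site_host == self.domain or site_host.endswith("." + self.domain))


def parse_set_cookie(header: str) -> CookieRecord:
    """Parse one Set-Cookie header value into a CookieRecord (RFC 6265 syntax)."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    rec = CookieRecord(name=name.strip(), value=value.strip())
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        key, val = key.strip().lower(), val.strip()
        if key == "domain":
            rec.domain = val.lstrip(".").lower()
        elif key == "path":
            rec.path = val or "/"
        elif key == "expires":
            rec.expires = val
        elif key == "max-age" and val.lstrip("-").isdigit():
            rec.max_age = int(val)
        elif key == "secure":
            rec.secure = True
        elif key == "httponly":
            rec.http_only = True
        elif key == "samesite":
            rec.same_site = val.capitalize() or None
    return rec


def audit(rec: CookieRecord, site_host: str) -> List[str]:
    """Findings that the cookie policy or the cookie's own attributes must address."""
    findings = []
    if rec.purpose() == "unclassified":
        findings.append("no recorded purpose: classify it before publishing the notice")
    if rec.is_third_party(site_host):
        findings.append("third-party cookie: disclose it and apply the sale/share opt-out")
    if not rec.secure:
        findings.append("missing Secure: cookie is also sent over plaintext HTTP")
    if rec.same_site == "None" and not rec.secure:
        findings.append("SameSite=None without Secure: Chromium-based browsers reject it")
    if rec.same_site is None:
        findings.append("no SameSite: cross-site request protection relies on browser defaults")
    if rec.purpose() == "strictly necessary" and not rec.http_only:
        findings.append("session cookie readable by script: set HttpOnly")
    return findings


def build_inventory(headers: List[str], site_host: str) -> Dict[str, Tuple[CookieRecord, List[str]]]:
    return {rec.name: (rec, audit(rec, site_host)) for rec in map(parse_set_cookie, headers)}


SITE_HOST = "shop.example"
# Constructed Set-Cookie headers, as captured from every response during one page load.
SAMPLE_HEADERS = [
    "sessionid=abc123; Path=/; HttpOnly; Secure; SameSite=Lax",
    "_ga=GA1.2.123.456; Domain=.shop.example; Max-Age=63072000; Path=/",
    "ad_id=xyz789; Domain=ads.example; Expires=Wed, 01 Jan 2025 00:00:00 GMT; SameSite=None",
    "theme=dark; Path=/; Secure; SameSite=Lax",
]

if __name__ == "__main__":
    for name, (rec, findings) in build_inventory(SAMPLE_HEADERS, SITE_HOST).items():
        lifetime = "persistent" if rec.persistent else "session"
        print(f"{name}: {rec.purpose()}, {lifetime}, third-party={rec.is_third_party(SITE_HOST)}")
        for finding in findings:
            print("  -", finding)
```

The purpose register is the part a business has to maintain by hand; the attribute checks are mechanical and worth running on every release, since a cookie that is correctly disclosed but missing Secure or HttpOnly is still a security defect.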
Promoting transparency and disclosure in your cookie policy is vital for building trust and accountability. To achieve this, businesses should provide a clear and accessible privacy policy including information about cookies and their usage. This policy should detail the types of cookies used, their purposes, and how users can opt out of their usage.
By providing users with transparent information about cookies, businesses can inform consumers and:
The incorporation of accessible opt-out mechanisms is a significant element of a CCPA-compliant cookie policy.
One way to achieve this is by using a cookie consent banner that provides clear options for users to opt out of the use of cookies. These banners should be easy to use and understand, ensuring that users can exercise their right to opt out without difficulty.
However, a separate cookie banner is not required when the website's privacy policy, or a notice provided at or before the point of collection, discloses what personal information is collected through cookies and how it is used, and gives consumers a way to exercise their rights.
By providing accessible opt-out mechanisms, businesses not only comply with the CCPA, but also demonstrate their commitment to respecting their users’ privacy. This fosters a positive user experience and helps build trust between businesses and their customers.
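The opt-out mechanism, the minors rule, and the "Do Not Sell or Share" link described in this section come together in the server-side decision that gates advertising tags. The following is an added example, not code from the original post or from Thoropass. It assumes the opt-out link sets a first-party cookie named `ccpa_optout` (an assumed name) and that the consumer's age and any opt-in are known from the account; both field names are assumptions. It also honors the Global Privacy Control signal, which browsers send as the `Sec-GPC: 1` request header and which the CCPA regulations require businesses to treat as an opt-out request.

```python
from dataclasses import dataclass
from typing import Mapping, Optional, Tuple

OPT_OUT_COOKIE = "ccpa_optout"   # assumed first-party cookie set by the opt-out link
GPC_HEADER = "sec-gpc"           # Global Privacy Control request header, value "1"


@dataclass
class Consumer:
    """What the business actually knows about the visitor (assumed account fields)."""
    age: Optional[int] = None        # None when the business has no actual knowledge of age
    opted_in: bool = False           # affirmative opt-in to sale/share given by a 13 to 15 year old
    parent_opted_in: bool = False    # opt-in given by a parent or guardian for a child under 13


@dataclass
class Request:
    headers: Mapping[str, str]
    cookies: Mapping[str, str]


def gpc_signal(headers: Mapping[str, str]) -> bool:
    """True when the browser sends the Global Privacy Control opt-out signal."""
    # Header names are case-insensitive; the GPC specification defines the value "1".
    return any(k.lower() == GPC_HEADER and v.strip() == "1" for k, v in headers.items())


def opt_out_requested(req: Request) -> bool:
    """An opt-out made through the link or through the browser signal both count."""
    return gpc_signal(req.headers) or req.cookies.get(OPT_OUT_COOKIE) == "1"


def may_sell_or_share(req: Request, consumer: Consumer) -> Tuple[bool, str]:
    """Decide whether advertising or other sale/share tags may run for this request.

    Only the data flow is gated; content and pricing stay the same for everyone,
    which is what the right not to be discriminated against requires.
    """
    if opt_out_requested(req):
        return False, "opt-out in effect (link or GPC signal)"
    if consumer.age is not None and consumer.age < 13:
        return consumer.parent_opted_in, "under 13: parent or guardian opt-in required"
    if consumer.age is not None and consumer.age < 16:
        return consumer.opted_in, "13 to 15: consumer opt-in required"
    # Unknown age is treated as an adult: the opt-in rule applies only with actual knowledge.
    return True, "no opt-out on file: opt-out model applies"


def opt_out_cookie_header(max_age_days: int = 365) -> str:
    """Set-Cookie value that persists an opt-out made through the site's link."""
    return (f"{OPT_OUT_COOKIE}=1; Path=/; Max-Age={max_age_days * 86400}; "
            "Secure; SameSite=Lax")


if __name__ == "__main__":
    # Constructed requests: one carries the GPC header, one an opt-out cookie, two neither.
    samples = [
        (Request({"Sec-GPC": "1"}, {}), Consumer(age=34)),
        (Request({}, {OPT_OUT_COOKIE: "1"}), Consumer()),
        (Request({}, {}), Consumer(age=14)),
        (Request({}, {}), Consumer(age=34)),
    ]
    for req, consumer in samples:
        allowed, reason = may_sell_or_share(req, consumer)
        print(f"sell/share allowed={allowed}: {reason}")
```

Running the decision on the server, before any third-party script tag is written into the page, is what makes the opt-out reliable; a client-side consent script that loads after the ad tag has already fired does not stop the sale.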
Noncompliance with the CCPA/CPRA can have severe financial consequences. Penalties are up to $2,500 per unintentional violation and up to $7,500 per intentional violation, with no cap on the total.
The original CCPA gave businesses a 30-day cure period after notice of a violation; the CPRA removed that automatic right as of January 1, 2023, so any opportunity to cure is now at the regulator's discretion. Note also that violations involving the personal information of consumers under 16 carry the higher $7,500 penalty regardless of intent.
Businesses must be diligent in ensuring their compliance with the California Consumer Privacy Act. This involves understanding the law itself, its applicability, and the specific requirements for cookie consent.
By implementing a compliant cookie policy covering cookie categories and purposes, transparency and disclosure, and accessible opt-out mechanisms, businesses can safeguard their users’ personal information while fostering trust and accountability.
Now is the time to review your business’s cookie policy and make any necessary adjustments. By doing so, you can confidently navigate the ever-evolving landscape of data privacy laws, ensuring a safe and secure online environment for both your business and your users.
Yes. Cookies and other unique identifiers are personal information under the CCPA when they can be linked to a consumer, household, or device, so they require the same notices and are subject to the same consumer rights, including deletion and the opt-out of sale or sharing, as other personal information collected on the website.
Prior consent is generally not required. If personal information collected through cookies is sold or shared, users must be told and given an easy way to opt out; opt-in consent is required only for consumers under 16.
The CPRA is an amendment to the CCPA, introducing stricter regulations and additional consumer privacy protections. Unlike the CCPA, the CPRA establishes the California Privacy Protection Agency, a dedicated enforcement authority for privacy laws.
The CCPA regulations in California provide consumers with the right to know what personal information is being collected, the right to request deletion of personal information, and the right to opt out of the sale of their personal information.
These rights are important for protecting consumer privacy and ensuring that companies are transparent about their data collection practices.
The California Consumer Privacy Act (CCPA) applies to for-profit businesses that do business in California and meet at least one of three thresholds: annual gross revenue over $25 million; buying, selling, or sharing the personal information of 100,000 or more California consumers or households; or deriving 50% or more of annual revenue from selling or sharing California residents' personal information.
Businesses subject to the CCPA must meet the requirements outlined in the law to be compliant.
The California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), is a comprehensive data privacy law that gives Californians more control over their personal information and sets requirements for businesses that collect, use, and sell their data.
To help you navigate this complex regulation, we’ve created a step-by-step guide on how to comply with CCPA, ensuring your business is CCPA compliant.
At its core, the CCPA provides more transparency and control to consumers over how their personal data is collected, used, and sold. Businesses must be aware of their obligations under the CCPA, as failure to comply can result in hefty fines and legal action.
You may wonder what qualifies as personal data and how the CCPA impacts your business practices. Let’s explore these aspects.
Under the CCPA, personal data includes any information linking to an individual or household. The following are considered personal data:
It is crucial to understand the implications of personal information collected and how it can impact individuals’ privacy.
However, not all information falls under this category; public information from government records, aggregated data, and certain consumer-shared information are exempt from CCPA regulations.
The CCPA, as amended by the CPRA, applies to for-profit businesses that do business in California, collect the personal information of California residents, and meet at least one of three specific criteria:
If your business aligns with any of these categories, understanding and adhering to the CCPA requirements is required. Compliance with the CCPA not only safeguards your California customers’ privacy rights but also exhibits your dedication to data security and transparency, thereby enhancing trust among your clientele.
Here are the key details of CCPA at-a-glance:
The CCPA empowers California consumers with a set of key rights regarding their personal information. By understanding these rights, businesses can better address consumer concerns and ensure their practices remain compliant with the CCPA.
The right to notice requires businesses to inform consumers about what type of personal information they are collecting and how they plan to use it, either before or at the point of collection. This disclosure must include:
The right of access, also known as the right to request, allows consumers to obtain the personal information a business has collected about them. To comply with this right, businesses must provide at least two ways for consumers to submit requests, such as a:
Note: A business operating exclusively online that has a direct relationship with a consumer is only required to provide an email address.
Once a request is received, businesses must confirm receipt within ten (10) business days and respond within 45 calendar days. The deadline may be extended once by a further 45 days, provided the consumer is notified of the extension within the original 45-day window.
The right to know grants consumers the ability to learn how their personal information is being used, sold, or shared by businesses. This includes the categories of personal information collected, the sources from which it was obtained, the purpose for which it was collected or sold, and the third parties with whom it is shared, disclosed, or sold. To comply with the right to know, businesses must provide the requested information within 45 days, with the possibility of an additional 45-day extension if the consumer is notified.
The right to opt out enables consumers to tell businesses not to sell or share their personal information. Businesses must provide a clear and conspicuous link on their website, labeled "Do Not Sell or Share My Personal Information" (the CPRA added "or Share" to the original "Do Not Sell My Personal Information" label), where consumers can exercise this right.
The California Privacy Rights Act amended CCPA and provides new guidance and additional privacy protections for consumers.
Under the right to delete, consumers can request businesses delete any personal information they have collected. To comply with this right, the consumer’s identity needs to be verified for a deletion to occur. Businesses must also provide at least two methods for consumers to submit deletion requests, such as a:
Once a request is received, businesses must respond within 45 days, with the possibility of an additional 45-day extension if the consumer is notified.
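The deadlines that recur in the access, know and delete rights above are easy to miss once a queue of requests builds up. The following is an added example, not code from the original post or from Thoropass, of a request tracker that applies the windows stated in the text: confirm receipt within 10 business days, respond within 45 calendar days, and allow one 45-day extension only if the consumer is notified inside the original window. The holiday calendar is an assumed input, and the sample dates are constructed.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Iterable, Optional, Union

ACK_BUSINESS_DAYS = 10    # confirm receipt within 10 business days
RESPONSE_DAYS = 45        # respond within 45 calendar days of receipt
EXTENSION_DAYS = 45       # one extension, if the consumer is notified in time

DateLike = Union[date, str]


def _as_date(value: DateLike) -> date:
    """Accept a date or an ISO-8601 string (what an intake form or API would send)."""
    return value if isinstance(value, date) else date.fromisoformat(value)


def add_business_days(start: date, n: int, holidays: Iterable[DateLike] = ()) -> date:
    """Step forward n weekdays, skipping an assumed holiday list."""
    skip = {_as_date(h) for h in holidays}
    current = start
    while n > 0:
        current += timedelta(days=1)
        if current.weekday() < 5 and current not in skip:
            n -= 1
    return current


@dataclass
class ConsumerRequest:
    received: DateLike
    request_type: str                       # "know", "delete" or "correct"
    verified: bool = False                  # identity verified (required before deleting)
    extension_notified_on: Optional[date] = None
    completed_on: Optional[date] = None

    def __post_init__(self) -> None:
        self.received = _as_date(self.received)

    def ack_deadline(self, holidays: Iterable[DateLike] = ()) -> date:
        return add_business_days(self.received, ACK_BUSINESS_DAYS, holidays)

    def original_deadline(self) -> date:
        return self.received + timedelta(days=RESPONSE_DAYS)

    def response_deadline(self) -> date:
        if self.extension_notified_on is not None:
            return self.original_deadline() + timedelta(days=EXTENSION_DAYS)
        return self.original_deadline()

    def extend(self, notified_on: DateLike) -> bool:
        """Record the extension notice; it counts only once and only inside the original 45 days."""
        notified = _as_date(notified_on)
        if self.extension_notified_on is not None or notified > self.original_deadline():
            return False
        self.extension_notified_on = notified
        return True

    def complete(self, on: DateLike) -> None:
        self.completed_on = _as_date(on)

    def status(self, today: DateLike) -> str:
        today = _as_date(today)
        if self.completed_on is not None:
            return "completed on time" if self.completed_on <= self.response_deadline() else "completed late"
        if today > self.response_deadline():
            return "overdue"
        if self.request_type == "delete" and not self.verified:
            return "open: awaiting identity verification"
        return "open"


if __name__ == "__main__":
    # Constructed example: a request to know received on Friday 1 March 2024.
    req = ConsumerRequest(received="2024-03-01", request_type="know")
    print("acknowledge by", req.ack_deadline())            # 2024-03-15
    print("respond by", req.response_deadline())           # 2024-04-15
    print("extension accepted:", req.extend("2024-04-10"))  # True
    print("extended deadline", req.response_deadline())    # 2024-05-30
    print("status on 31 May:", req.status("2024-05-31"))   # overdue
```

The `extend` guard is the part worth copying: an extension notice sent after the original 45 days have run does not buy more time, so the tracker refuses to record it rather than silently moving the deadline.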
The right to notification of financial incentive requires businesses to inform consumers of any financial incentives offered in exchange for the collection, sale, or deletion of their personal information. Businesses must clearly explain the material terms of the incentive program, including the categories of personal information involved, the value of the consumer’s data (along with the method used to calculate this value), how the consumer can opt in or out of the program, and a statement the consumer can withdraw at any time (or exercise their right).
The right not to be discriminated against ensures consumers cannot be denied goods or services, charged different prices, or receive lower quality goods or services due to exercising their CCPA rights.
This protection encourages consumers to exercise their rights without fear of negative consequences, promoting a fair and transparent marketplace.
Ensuring your business is CCPA-compliant requires adherence to a series of steps covering all necessary requirements and obligations. These steps include:
Each of these steps holds a significant role in CCPA compliance. Let’s examine each one…
The first step in CCPA compliance is understanding your business’s obligations under the law. This involves familiarizing yourself with the key provisions of the CCPA, such as the consumer rights it grants, the types of personal information it covers, and the specific rules and requirements it imposes on businesses.
A crucial step in CCPA compliance is updating your privacy policy to reflect the requirements of the law. This involves:
Frequent reviews and updates of your privacy policy can uphold transparency and exhibit your dedication to data privacy.
To comply with the CCPA’s right to notice, businesses must implement data collection notices informing consumers about the types of personal information being collected and the purposes for which it will be used.
These notices should be provided before or at the point of collection and must be clear, conspicuous, and easy to understand.
Implementing data collection notices can help businesses maintain transparency and build trust with their customers by informing them about the data collected and managing their data inventory effectively.
Another essential aspect of CCPA compliance is effectively managing consumer requests and responses. This includes:
Data security is a critical component of CCPA compliance, and businesses must implement reasonable security measures to protect consumers’ personal information.
In the event of a data breach, businesses are required to notify affected consumers and, in some cases, the California Attorney General. Investing in data security and establishing a breach notification plan can reduce the risk of expensive penalties and reputational harm linked to data breaches.
CCPA compliance extends to your business’s relationships with third-party processors, making it crucial to audit and update your third-party contracts. This process involves:
Finally, staff training and awareness are essential for CCPA compliance. Employees who handle customer inquiries about a company’s privacy policies or process personal information must be knowledgeable about the CCPA and its requirements.
Regular training on the CCPA, consumer rights, and data security best practices can help ensure your staff is well-equipped to handle any privacy-related issues and maintain compliance with the law.
Keep in mind, CCPA compliance is a continuous process, and staying informed about any law updates or changes is vital. Regularly reviewing your practices and policies, as well as maintaining open communication with consumers, will help your business remain compliant and foster trust with your clientele.
Non-compliance with the CCPA can result in significant penalties and legal action. The California Attorney General is responsible for enforcing the law, and businesses failing to comply can face fines of up to $7,500 per violation.
Additionally, consumers affected by a data breach may take legal action against the business, with potential damages ranging from $100 to $750 per consumer per incident.
Potential financial and reputational consequences of non-compliance underline the importance of sticking to the CCPA regulations. By following the steps outlined in this guide and maintaining a strong commitment to data privacy, your business can avoid costly penalties and protect the privacy rights of California consumers.
Businesses must comply with consumer requests to delete their data, provide notices explaining their privacy practices, and update third-party contracts. Additionally, they must require vendors to provide data inventories, due diligence questionnaires, records of processing, and ensure data syncability.
Examples of CCPA compliance include a business:
The CCPA provides consumers with key protections, such as the right to know what information is collected about them and how it’s used, the right to delete their personal information, and the right to opt out of data sales or sharing.
Businesses collecting and selling personal information of California residents meeting certain criteria must comply with CCPA. This includes for-profit companies with annual gross revenues exceeding $25 million, handling personal information of 100,000 or more consumers, or earning more than 50% of their annual revenue from selling personal data.
A landmark data privacy law, the California Privacy Rights Act (CPRA), is an amendment to the California Consumer Privacy Act (CCPA), introducing new consumer rights and compliance requirements for businesses.
As the digital world continues to evolve, understanding and navigating CPRA is crucial for businesses and consumers alike. So what is CPRA? And are you ready to dive in? Let’s go!
The California Privacy Rights Act (CPRA) was designed to strengthen privacy protections for California residents, and it has rapidly become a benchmark for data privacy laws across the United States.
Built on the foundations of the California Consumer Privacy Act (CCPA), CPRA expands particular consumer rights and introduces new compliance requirements for businesses dealing with sensitive personal information.
As a result, companies must adapt their data collection practices and privacy policies to meet the stringent standards set forth by CPRA.
The evolution of CCPA into CPRA began when California voters approved CPRA in the November 2020 election.
This law took effect in California on January 1, 2023, widening the scope of businesses to which the law applies. It’s important to note that applicable businesses, service providers, third parties, and contractors must all comply with both the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA), with CPRA adding a new fourth category of entity, “contractors”.
Businesses must meet the vendor contracting obligations under CPRA by providing California residents with notice and the right to opt out of disclosing their personal information to third parties.
Contracts with contractors may include the right for businesses to monitor their compliance. This monitoring can be in the form of ongoing manual reviews, automated scans or regular assessments, audits, and other technical and operational tests at least once every twelve (12) months. Note that these requirements are still being worked on by the California Privacy Protection Agency (CPPA) and haven’t yet been finalized at the time this post was published.
While the foundations of the CCPA remain intact, some key differences set CPRA apart. The most notable differences between the two laws include new categories of businesses, sensitive personal information, and private rights of action related to the consumer’s personal information.
CPRA introduces new categories within the CCPA’s definition of business. These new categories include joint ventures (or partnerships) and persons voluntarily certifying to the CPPA (even though they may not be considered a ‘business’). In addition, the CPRA added a new subset of personal information called ‘sensitive personal information’, which includes government identifiers (such as social security numbers), account log-in, financial account, debit card, or credit card number with any required security code/credential allowing access to the account.
As for “common branding,” the shared name, servicemark, or trademark must be recognizable enough for the average consumer to realize that two or more entities are related. The potential business must have the same branding as the covered business and get personal information from the covered business for cross-context behavioral advertising.
The CCPA / CPRA has a profound impact on businesses, as it requires them to comply with regulations or face penalties enforced by the CPPA and the State Attorney General.
Businesses must ensure their data collection and storage practices follow the law’s guidelines to meet the requirements of CCPA / CPRA. This includes setting up data retention periods or criteria for each type of information and deleting information based on a schedule or criteria, including the consumer’s precise geolocation data.
To comply with CCPA / CPRA, companies must implement a comprehensive privacy program and update their vendor contracts to meet the law’s requirements, including rules about sharing consumers’ personal information.
Service providers and contractors must also comply with CCPA / CPRA’s obligations once the business has passed them down via contract, which may include handling sensitive personal information such as religious or philosophical beliefs.
Staying CCPA / CPRA compliant means ensuring your privacy notices and policies are up to date, performing a gap analysis, and only processing the minimum amount of consumer personal information. Businesses must understand the implications of CPRA and adapt their practices accordingly.
CCPA / CPRA significantly expands consumer rights, giving individuals the power to correct inaccurate personal information and limit how sensitive personal information is used and disclosed.
Under CCPA / CPRA, consumers have the right to request that businesses delete their personal information. The business must also notify its service providers, contractors, and any third parties to whom the information was sold or shared for cross-context behavioral advertising purposes, unless doing so requires disproportionate effort.
The right to limit the use and disclosure of sensitive personal information is another essential aspect of CCPA / CPRA, allowing consumers to have greater control over their data and how businesses use it.
Under CCPA / CPRA, consumers now have the right to request that a business correct any inaccurate personal information they have about them.
This new right empowers consumers to take control of their personal data and ensure its accuracy. Once a business receives a verified request, it must make every effort to correct the personal information as the consumer directs and the regulations require. Failing to comply with CCPA / CPRA’s requirements for correcting inaccurate personal information could result in hefty fines of up to $7,500 per violation.
CCPA / CPRA also encompasses the right to limit the use and disclosure of sensitive personal information, which includes data elements like:
Consumers can instruct businesses to restrict the use of sensitive personal information to what is necessary to provide the services or goods they expect, or for specific business purposes while ensuring their personal information collected is protected.
To comply with CCPA / CPRA, businesses that sell or share personal information with a third party must include a second link on their website homepage titled “Limit the Use of My Sensitive Personal Information.” This additional link lets consumers exercise their right to limit the use and disclosure of sensitive personal information easily and effectively.
CCPA / CPRA enforcement is handled by the California Privacy Protection Agency (CPPA), an administrative agency dedicated to administering, implementing, and enforcing CCPA as amended by CPRA.
The Agency has been allocated $5 million for its initial setup and $10 million for its operations in every fiscal year afterward. The Attorney General retains enforcement authority under CPRA and may initiate civil action if necessary.
The California Privacy Protection Agency is responsible for safeguarding the consumer privacy of Californians. Its key responsibilities include investigating potential violations, providing businesses with an opportunity to remedy the situation, and taking necessary enforcement actions, with fines going to the state’s Consumer Privacy Fund.
The Agency’s rulemaking authority was effective from April 21, 2022. The members of the California Privacy Protection Agency are appointed by different branches of the state government, such as the Governor, the Attorney General, the Senate Rules Committee, and the Speaker of the Assembly.
The California Attorney General maintains enforcement authority under CCPA / CPRA and may initiate civil action if needed.
Understanding the investigation and enforcement process of CCPA / CPRA is crucial for businesses to ensure compliance and avoid potential penalties. By being proactive and taking the necessary steps to comply with CPRA, businesses can protect themselves from costly fines and safeguard their customers’ data.
Companies must take steps to assess and update their privacy policies and implement data security measures to prepare for compliance.
A compliance checklist can help businesses navigate the complex requirements of CCPA / CPRA, including:
Proper preparation and a thorough understanding of CCPA / CPRA’s requirements are vital for businesses to avoid potential penalties and protect their customers’ privacy. Not sure where to start? We can help!
To ensure CCPA / CPRA compliance, businesses must review their privacy policies and make sure they are up to date with the law’s requirements. This includes providing clear and concise information about the types of data collected, how it’s used, and who it’s shared with. Moreover, businesses must conduct privacy training for all personnel who handle consumers’ or employees’ personal information, as mandated by CCPA / CPRA.
Businesses should also assess their data collection, storage, and usage practices, as well as any third-party vendors used, to identify gaps in their current privacy policies and procedures. By proactively addressing these gaps, businesses can ensure their privacy policies are CCPA / CPRA compliant and ensure the protection of their customers’ sensitive personal information.
In addition to updating privacy policies, businesses must implement data security measures to protect consumer data and prevent unauthorized access, exfiltration, theft, or disclosure. CCPA / CPRA requires businesses that process personal information with a high risk of impacting consumers’ privacy to conduct a yearly cybersecurity audit.
To ensure data security, especially for sensitive information like financial account details, businesses should consider adopting things like:
Implementing these measures not only helps businesses comply with CPRA but also safeguards their customers’ data and maintains trust in their brand.
The California Privacy Rights Act (CPRA) represents a significant step forward in data privacy protection for Californians. By understanding the intricacies of CPRA and taking the necessary steps to ensure compliance, businesses can protect their customers’ data, avoid potential penalties, and foster trust in their brand.
As the digital landscape continues to evolve, staying ahead of the curve and embracing the principles of CCPA / CPRA is not only a legal obligation but a strategic advantage for businesses prioritizing the privacy and security of their customers’ information.
CPRA is a state law that provides California residents with additional privacy rights and protection, including the right to opt out of the sale of their personal information. It also imposes stricter requirements for businesses operating in California when it comes to handling and protecting consumer data.
CPRA is an updated version of the CCPA, with changes that include expanded protections for sensitive data, additional consumer rights to limit the sale of their information and new categories of businesses under its regulations. In summary, CPRA strengthens many of the laws established in the CCPA.
Noncompliance with CPRA can result in hefty fines – up to $7,500 per violation for intentional breaches and $2,500 for unintentional violations. Be sure to stay compliant to avoid costly penalties!
CPRA affords consumers significant new rights, including the right to access and delete their personal data, the right to opt out of data sharing, and the right to data portability. Consumers can also enjoy greater transparency and control over how companies use their personal data.
To ensure CPRA compliance, businesses should update their privacy policies, invest in data security measures, and use a compliance checklist to keep track of the requirements. Doing this will help them stay up to date with all of the regulations.
California dreamin’? Well, it’s not so breezy when it comes to data privacy! Did you know that California has some of the most stringent data privacy laws in the United States?
As a business owner, it’s essential to understand how these regulations affect you. In this post, we’ll explore the ins and outs of the California Consumer Privacy Act (CCPA) and its enhancement, the California Privacy Rights Act (CPRA).
In this article, we’ll look at:
These laws aim to give Californian consumers more control over their personal information while requiring businesses to maintain reasonable security procedures to protect consumer data. The introduction of these laws has changed the privacy and data security landscape and forced companies to rethink their data collection and management practices.
Organizations need to understand their obligations under these laws, as they protect various types of personal information, including unique identifiers such as a person’s driver’s license number and internet protocol address.
The California Consumer Privacy Act (CCPA) provides California residents with specific privacy rights and applies to businesses that collect personal data, operate in California, and meet certain criteria. These businesses must comply with California or federal law regarding data privacy and ensure they have secure procedures and practices in place to protect consumer data.
CCPA defines a “sale” of personal information as when a business sells, rents, releases, discloses, disseminates, makes available, transfers, or otherwise communicates a consumer’s personal information to another business or a third party for monetary or other valuable consideration. It also introduces the concept of a “service provider.”
A service provider is a third-party entity that receives personal information from, or on behalf of, a business and processes that information under a written contract, provided the contract prohibits the entity from retaining, using, or disclosing the personal information for any purpose other than performing the specific services specified in the contract.
The main goal of the CCPA is to give California residents the right to privacy, such as the right to delete, correct, know, and opt-out.
The California Privacy Rights Act (CPRA) amends and adds provisions to the CCPA, further strengthening consumer privacy protections. One of the significant changes introduced by the CPRA is the establishment of the California Privacy Protection Agency, a dedicated enforcement authority for privacy laws.
The CPRA expands the scope of businesses liable under the CCPA, increasing the number of consumers it applies to and broadening its reach to include not just selling but also sharing personal information.
It also introduces new requirements for websites, such as providing links labeled “Do Not Sell Or Share My Personal Information” and “Limit The Use Of My Sensitive Personal Information,” enabling California residents to limit the use and disclosure of their personal and sensitive personal information.
Additionally, the CPRA has rules in place for behavioral advertising, which uses personal information to target Californians with marketing based on profiling. Under the CPRA, businesses must limit the collection, use, and retention of personal information to purposes that (1) a consumer would reasonably expect, (2) are compatible with the expectations disclosed to the consumer, or (3) the consumer has consented to (as long as consent was not obtained through dark patterns). In every case, the collection, use, and retention must be reasonably necessary and proportionate to serve those purposes.
Overwhelmed yet? Okay, let’s break this down a bit more. To navigate California privacy laws effectively, it is crucial to understand the key definitions. These terms include personal information, sensitive personal information, and consumer information.
Each term plays a vital role in understanding the scope and applicability of the CCPA and CPRA.
Personal information, as defined by CCPA, includes any information that identifies, relates to, or could be linked to a specific individual or household, such as:
However, publicly available information from government records, information lawfully available to the public, and certain information a consumer shares are excluded from personal information under CCPA.
Sensitive personal information is a subset of personally identifiable information that carries higher risks if mishandled.
Examples of sensitive personal information include:
It is crucial to correct inaccurate personal information to minimize these risks, as inaccurate personal information can lead to further complications.
CPRA further expands the definition of sensitive personal information to include information revealing ethnicity, religious or philosophical beliefs, health information, and more.
In the context of California privacy laws, a ‘consumer’ is a natural person who is a resident of California. This definition highlights the laws’ focus on protecting the privacy rights of California residents.
California privacy laws apply to various types of businesses, including those that control or are controlled by a business or those with contractual obligations stemming from a business.
Both CCPA and CPRA have specific criteria that businesses must meet to be subject to these laws.
Businesses must understand their obligations under these laws to protect consumer personal information and maintain compliance.
The CCPA applies to for-profit businesses that do business in California and meet any of the following:
If a business violates CCPA, a court may impose penalties that the court deems appropriate.
Some exceptions to personal information apply under CCPA, such as publicly available information from local government records and certain types of information.
CPRA brings changes to the applicability of privacy laws on businesses. It expands the scope of businesses liable under CCPA, raising the consumer threshold from 50,000 to 100,000, and includes sharing personal information in addition to selling it.
CPRA also introduces new requirements for websites to provide links for California residents to limit the use and disclosure of their sensitive personal information.
California privacy laws, including CCPA and CPRA, provide consumers with specific rights regarding their personal information. These rights empower consumers to have more control over their data and help ensure businesses handle personal information responsibly and transparently.
Businesses must comply with these laws or face potential fines and other penalties. Consumers can exercise their rights by submitting requests to businesses, such as the right to access, delete, or opt-out.
Under CCPA, consumers have
Consumers can ask businesses to disclose the categories of personal information collected, used, shared, or sold about them and the reasons for doing so, including any instances of selling consumers’ personal information.
Businesses must provide consumers with at least two methods to submit their requests, such as email, website form, or hard copy form. Businesses have 45 calendar days to respond to a request, with the possibility of extending the deadline to 90 days if they inform the consumer.
The CPRA introduces new rights for consumers in addition to those provided by the CCPA. For example, California residents can now request businesses to stop sharing their personal information with providers of targeted advertising services.
This right to opt-out of behavioral advertising strengthens consumer privacy by giving them more control over their personal information.
Complying with California privacy laws can be challenging for businesses, especially those that handle large amounts of personal information.
However, adopting best practices such as proper data collection and management and implementing effective consent and opt-out mechanisms can help businesses stay compliant and protect consumer privacy. Working with the experts at Thoropass will set you on a path to pain-free compliance!
Proper data collection and management practices are essential for businesses to comply with California privacy laws.
The CCPA requires businesses to inform consumers about the categories of personal information they collect and the purposes for which they use it. Additionally, businesses must provide consumers with the option to opt out of the sale of their personal information.
Implementing secure data collection and management practices can help businesses protect consumer personal information and maintain compliance with privacy laws.
Implementing effective consent and opt-out mechanisms is another crucial aspect of complying with the CCPA. The CPRA, for example, requires businesses to allow consumers to opt out of sharing their personal information for cross-context behavioral advertising.
By providing clear and easy-to-use consent and opt-out mechanisms, businesses can ensure they respect consumer privacy rights and maintain compliance with privacy laws.
What are the consequences of getting it wrong? Basically, you don’t want to end up there…
Understanding the enforcement authorities and potential penalties is essential for businesses to take privacy laws seriously and prioritize compliance.
The California Privacy Protection Agency and the California Attorney General’s office are responsible for enforcing California privacy laws. These authorities ensure businesses comply with the CCPA and CPRA, protecting consumer privacy and holding non-compliant businesses accountable.
Businesses that fail to comply with California privacy laws can face penalties of up to $7,500 USD for intentional violations or $2,500 USD for unintentional ones. Consumers can also take legal action against businesses for damages, such as statutory damages ranging from $100 to $750 per consumer per incident, actual damages, injunctive or declaratory relief, and any other relief the court deems appropriate.
To minimize the risk of penalties, businesses must take privacy laws seriously, implement secure data practices, and prioritize compliance.
The CCPA and CPRA play a critical role in protecting consumers’ personal information and holding businesses accountable for their data practices. As a business owner or consumer, understanding these laws and their implications is essential for navigating the evolving privacy landscape.
By implementing best practices in data collection and management, consent and opt-out mechanisms, and staying informed about enforcement and penalties, businesses can successfully comply with California privacy laws and protect consumer privacy. Remember, privacy is not just a legal requirement but also a fundamental right that builds trust between businesses and consumers.
Still confused? Here are some of the most frequent questions we’re asked about the California Privacy Act:
The California Privacy Rights Act (CPRA) is the new privacy law in California, which came into effect on 1st January 2023. It will be in full force from 2023 onward. CPRA amends the California Consumer Privacy Act (CCPA) and introduces additional privacy protections for consumers.
The main privacy laws in California are the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA). These laws apply to businesses that collect, use, or share personal information of California residents and meet specific criteria.
The California Consumer Privacy Act (CCPA) applies to for-profit businesses that do business in California and meet one of the following criteria: they have an annual gross revenue of over $25 million, or they buy, sell, or share the personal information of 100,000 or more California residents, households, or devices.
Staying compliant with the CCPA can be a challenge, but organizations need to protect consumers’ data. Companies must ensure that they are collecting only relevant information, giving users access to their data, and properly notifying them about third-party vendors who have access to it.
Taking these steps will help companies meet the requirements of the CCPA and keep consumers’ data safe.