Enforcement of CCPA/CPRA is not bound by geography

Framework Snapshot

The California Consumer Privacy Act (CCPA) was amended, effective January 1, 2023, by the California Privacy Rights Act (CPRA). This change gives California consumers additional enhanced controls over their personal data. If a company meets a single CPRA criterion, it must comply with this framework.

The criteria are:

  • Annual revenues of more than $25 million.
  • Buys, sells, or shares personal information of at least 100K California residents, households, or devices each year.
  • The company makes 50% or more of its annual revenue from selling or sharing California resident data.

Enforcement of CCPA/CPRA is not bound by geography; instead, the law protects the personal data of California residents regardless of physical location.

CPRA (CCPA amended 1/2023) Automation: Compliance for Less

The SureShield platform simplifies CPRA, formerly, CCPA compliance by automating technical
controls and guiding you through operational controls. SureShield’s automation will reduce your
overall compliance cost by up to 70% when compared to traditional, labor-intensive compliance
methods. For organizations requiring compliance to multiple frameworks, crosswalk automation
drives cost savings up toward 90%.

Does CCPA/CPRA Apply to You?


    *Required fields

    Benefits of CCPA/CPRA Compliance

    Increased Consumer Trust

    Making data practices public and giving consumers the opportunity to make privacy requests earn trust and goodwill.

    Building Brand Legitimacy

    Smaller businesses can use CCPA/CPRA compliance to signal they’re competitive with anyone.

    Planning For Future Compliance

    Successful CCPA/CPRA compliance today will greatly reduce future effort required when other states pass their compliance laws.

    CCPA/CPRA is strongly influenced by the EU’s primary data privacy regulation, GDPR. The rights of individuals to control their data are highly protected under both frameworks. Once significant difference: Under CCPA/CPRA, data may be collected until the consumer opts out whereas, under GDPR, no data may be collected until the consumer opts in.

    Without repercussion, consumers have the right to delete the information acquired by businesses and refuse the sale of their data. Organizations that collect PII are required to implement and maintain reasonable data security practices and procedures. Sanctions and other remedies can be imposed for violations, regardless of whether there was intent.

    Organizations required to comply with CCPA/CPRA must have websites that include:

    1. A ‘do not sell my personal information’ option
    2. Explanations at every data collection point about what categories of personal data are collected and for what purpose
    3. A privacy policy, updated within the past year
    4. A process to respond when customers request information about the data you collected on them

    Activate CCPA/CPRA framework


    Install scanner for compliance evidence gathering


    Review baseline evidence to score compliance control status


    Close compliance gaps


    Ongoing compliance and gap surveillance


    Enforced maintenance of compliance readiness

    Free COMPLiANCE Assessment

    Do you need help assessing your compliance readiness? Learn how our automated crosswalk technology will dramatically reduce your labor requirements. Schedule your free consulting session, up to 1 hour.