CCPA/CPRA

Enforcement of CCPA/CPRA is not bound by geography

Framework Snapshot

The California Consumer Privacy Act (CCPA) was amended, effective January 1, 2023, by the California Privacy Rights Act (CPRA). This change gives California consumers additional enhanced controls over their personal data if a company meets a single CPRA criterion.

The criteria are:

  • The company has annual revenues of more than $25 million.
  • The company buys, sells, or shares the personal information of at least 100K California residents, households, or devices each year.
  • The company makes 50% or more of its annual revenue from selling or sharing California resident data.

Enforcement of CCPA/CPRA is not bound by geography; instead, the law protects the personal data of California residents regardless of physical location.

CPRA (CCPA amended 1/2023) Automation: Compliance for Less

The SureShield platform simplifies CPRA (formerly CCPA) compliance by automating technical controls and guiding you through operational controls. SureShield’s automation will reduce your overall compliance cost by up to 70% when compared to traditional, labor-intensive compliance methods. For organizations requiring compliance with multiple frameworks, crosswalk automation drives cost savings up toward 90%.


    Benefits of CCPA/CPRA Compliance

    Increased Consumer Trust

    Making data practices public and giving consumers the opportunity to make privacy requests earn trust and goodwill.

    Building Brand Legitimacy

    Smaller businesses can use CCPA/CPRA compliance to signal they’re competitive with anyone.

    Planning For Future Compliance

    Successful CCPA/CPRA compliance today will greatly reduce future effort required when other states pass their compliance laws.

    CCPA/CPRA is strongly influenced by the EU’s primary data privacy regulation, GDPR. The rights of individuals to control their data are highly protected under both frameworks. One significant difference: under CCPA/CPRA, data may be collected until the consumer opts out, whereas under GDPR, no data may be collected until the consumer opts in.

    Consumers have the right to delete the information businesses acquire and refuse the sale of their data without repercussions. Organizations that collect PII are required to implement and maintain reasonable data security practices and procedures. Sanctions and other remedies can be imposed for violations, regardless of whether there was intent.

    Organizations required to comply with CCPA/CPRA must have websites that include:

    1. A ‘do not sell my personal information’ option.
    2. Explanations at every data collection point about what categories of personal data are collected and for what purpose.
    3. A privacy policy, updated within the past year.
    4. A process to respond when customers request information about the data you collected on them.


    The CPPA is actively working on several sets of proposed regulations:

    1. Cybersecurity Audits: Guidelines for auditing cybersecurity practices.
    2. Privacy Risk Assessments: Assessing and managing privacy risks.
    3. Automated Decision-Making Technologies (ADMTs): Addressing AI-driven decision-making.
    4. Revisions to Existing Regulations: Updates to definitions and consumer request processes.
    5. New Rules for Insurance Companies: Specific requirements for insurers.


    Enforcement Advisory on Data Minimization:

    1. In April 2024, the CPPA issued its inaugural enforcement advisory emphasizing data minimization principles.
    2. Businesses should restrict the processing of personal information to what is reasonably necessary and proportionate.
    3. The CPPA will consider good-faith efforts to comply when deciding whether to pursue investigations.

    1. Activate CCPA/CPRA framework
    2. Install scanner for compliance evidence gathering
    3. Review baseline evidence to score compliance control status
    4. Close compliance gaps
    5. Ongoing compliance and gap surveillance
    6. Enforced maintenance of compliance readiness

    Free COMPLiANCE Assessment

    Do you need help assessing your compliance readiness? Learn how our automated crosswalk technology will dramatically reduce your labor requirements. Schedule your free consulting session, up to 1 hour.