The California Consumer Privacy Act (CCPA): What risk and compliance managers need to know.
The California Consumer Privacy Act (CCPA) will go into effect on January 1, 2020 – and it’s expected to be the toughest data privacy law in the United States. Are you prepared?
Concerns over cost and not being ready are widespread. There are always monetary tradeoffs to compliance initiatives. What is the upfront cost of making required changes vs. the fines of non-compliance? In the case of CCPA, there is no debate that the cost of non-compliance is real, with fines reaching up to $7,500 per violation.
Whether your company does business in California today or not, it’s worth understanding the scope of the CCPA, its business impact, and the role you play in its enforcement as a risk and compliance manager. Similar laws will likely affect your business soon if they aren’t already – legislation resembling the CCPA is pending in eight other states, including Illinois, Maryland, Massachusetts, Nevada and New York.
What is the CCPA?
The CCPA is a new data privacy law that gives California consumers more control over their personal data and punishes companies for exposing that data. The law covers businesses that have $25M or more in annual sales, that buy, sell or share information on 50,000 or more consumers, or derive more than half of revenue from selling personal information. The CCPA requires these companies to disclose to their customers (at their request) the personal data they’ve collected, why it was collected and which third parties have received it.
Enforcement for CCPA starts with civil penalties of up to $7,500 per violation. The fines vary depending on whether there was an intent to violate the compliance standards, such as purposely misstating to consumers the time it takes for requests for information to be addressed. There is a cure period of 30 days during which the company can address the violation without penalty.
Another type of penalty is a fine related to breaches. Statutory damages related to breaches range from $100 to $750 per consumer per incident, or actual damages, whichever is greater. Organizations not otherwise within scope of the CCPA can still find themselves in scope for any breaches that affect consumers – meaning they can be hit by breach fines even if they don’t sell consumer information.
What’s the difference between CCPA and GDPR?
The CCPA is very similar to Europe’s General Data Protection Regulation (GDPR). The biggest difference comes down to who is affected. GDPR covers controllers, processors and data subjects, while CCPA covers businesses, service providers, third parties and consumers. The other main distinction is the type of data that is in scope for each regulation. GDPR covers any type of personal data, while CCPA kicks in when data is sold for monetary or other valuable consideration (which includes releasing, disclosing, transferring or even renting the data).
What does the CCPA mean for me as a risk and compliance manager?
Organizations within scope of the CCPA must have processes in place to support the regulation’s requirements for privacy. These range from a website banner stating that you process information for California consumers to clear procedures for responding to requests for personal data, data portability, data erasure and opting out of data processing. The law also requires quick responses and the ability to properly issue privacy notices explaining how personal information is collected and used.
Technology is a risk and compliance manager’s best defense against unintentional CCPA violations. Automation makes the entire compliance process seamless, from gathering information to responding to requests. Using an integrated risk management platform directly supports the requirements because it enables you to:
- Perform a readiness assessment on the maturity of your privacy procedures as it relates to CCPA and other privacy regulations. Easily identify your current state of compliance and compare it to where you need to be. A maturity approach enables you to better understand if you’re optimized for performing the procedures necessary for long-term CCPA compliance.
- Create a centralized inventory of processing activities, categories and subjects as it relates to CCPA so there’s a single source of truth for easily determining what is in scope for any request. Provision 1798.110(a)(4) outlines the specific pieces of data that need to be inventoried along with supporting evidence that validates the procedures, controls and documentation used.
- Develop questionnaires for Data Privacy Impact Analysis (DPIA) so you can easily understand how important certain processes are for CCPA compliance. Organizations need to understand the impact that different processes, systems, and other assets have on meeting CCPA regulations. Performing a DPIA enables you to understand this impact level and the classifications of different assets. Risk managers should plan to evaluate the impact of different assets at a frequency set by the organization and whenever a material event occurs (acquisition of a company, new offering, change in process).
- Use automated workflows to speed request response time. Once a request comes through, whether for access to data, erasure, or even notification of a breach, organizations have just 45 days to respond. Automated workflows are key for fast and easy orchestration among all parties involved to provide answers to requests in a timely fashion.
The already complex risk landscape is getting even more complicated as regulations become more stringent to address consumers’ concerns over data privacy. Leveraging technology makes compliance processes easier to manage and gives risk and compliance managers a way to prove all procedures align to the new standards.
To learn more about CCPA and what you need to do to prepare – join our webinar, CCPA 101: What is It, and How Will It Impact Your Organization, on Thursday, October 3rd at 1:00pm ET.