Obtain and Maintain Compliance with CCPA, California’s Consumer Privacy Law

  • July 20, 2022

Donna Lee

Senior Product Marketing Manager at Secureframe

If your company collects personal data on California residents or has over $25M in revenue and does business in California, then you are most likely required to follow the California Consumer Privacy Act (CCPA). CCPA is California's version of GDPR and is meant to enhance privacy rights for California residents. It went into effect in 2020 with numerous businesses that collect, process, or share the personal data of California residents, regardless of where they're based, already being audited for compliance. 

CCPA enforcement is expected to increase in 2023 with the California Privacy Protection Agency (CPPA) recently established as a dedicated privacy regulator to enforce and update to CCPA, the California Privacy Rights Act (CPRA). The CPRA will go into effect in 2023 with a look back period to January 2022, which means companies could be liable for activities taken (or not taken) this year. Once notified of a violation, companies only have a 30 day “cure period” to get compliant or face serious fines.

Secureframe’s goal is to make security compliance easy for any company regardless of expertise. That's why our security compliance automation platform now supports CCPA to help companies get and maintain CCPA compliance quickly and securely. We make the compliance process clear by providing procedures and policies vetted by CCPA experts, proprietary CCPA training for automated employee compliance, access to in-house experts, and everything else you need to get compliant in weeks. We also stay up-to-date on the latest CCPA regulations for you, so you can focus on what matters most…serving your customers and growing your business.

CCPA: California’s landmark consumer privacy law

The California Consumer Privacy Act (CCPA) was passed by the state legislature and signed by the governor on June 28, 2018. It went into effect on January 1, 2020, for-profit organizations that target or collect the personal data of California residents must follow this law. 

Organizations that fail to comply with CCPA can be fined up to $2,500 per unintentional violation and $7,500 per intentional violation. The California Privacy Protection Agency (CPPA) was recently established as a dedicated privacy regulator to enforce the California Privacy Rights Act (CPRA) and CCPA. The CPRA will go into effect in 2023 with a look back period to January 2022, which means companies could be liable to fines for activities taken (or not taken) this year.

Companies that target or collect the personal data of California residents must comply with various privacy requirements and maintain certain security controls. Not only that, CCPA is continuously being updated and changed.

Some of the current CCPA compliance requirements include:

  • Providing California residents a way to know if their personal data has been collected 
  • Allowing California residents to opt-out of personal information sales, request disclosure of their collected personal information in a portable format, and request deletion of their personal data
  • Documenting and tracking personal information collection, processing, and sharing activities
  • Implementing security controls and policies to safeguard personal information
  • Assessing CCPA compliance for vendors that receive personal information
  • Training personnel with access to personal information on CCPA requirements

Which businesses need to be CCPA compliant?

CCPA applies to companies collecting the data of California residents AND that fulfill at least one of these requirements:

  • Have $25 million or more in annual revenue
  • Possess the personal data of more than 50,000 consumers, households, or devices
  • Earn more than half of their annual revenue selling consumers’ personal data.

Secureframe makes it easy to get and maintain CCPA compliance

CCPA contains numerous privacy requirements, obscure security requirements, and several amendments — often prone to misinterpretation due to complicated legal language. We break down the CCPA compliance processes into simple, clear-cut steps, saving you hours of time and effort.

With Secureframe, you will:

  • Get CCPA compliant quickly: Getting CCPA compliant quickly, especially if you’re within the 30 day cure period, is crucial to reducing the risk of fines. We provide a straightforward list of requirements you need to meet and the policies and procedures needed to meet those requirements.
  • Stay focused on serving customers and growing your business: We help you design CCPA security policies that are right for your business. Select from our library of policies, developed and vetted by in-house security experts and former auditors. Policies can be easily adapted within the Secureframe platform based on specific business needs, and then published out to the organization to drive ongoing compliance.
  • Access Secureframe CCPA training with automatic completion tracking: CCPA requires companies to implement and track employee training to be compliant. Secureframe provides its own CCPA training course that can be assigned to specific users and tracked within the platform.
  • Easily stay current with the latest CCPA requirements: As CCPA regulations change, Secureframe provides updates on frameworks, communicates those changes to you, and shows gaps in compliance so your organization has the tools, information, and reporting you need to stay compliant.

Expand your security compliance beyond CCPA

CCPA is just one law that you may be required to follow to avoid violations and penalties. But many companies have additional contractual and legal security requirements. Secureframe’s platform helps you get SOC 2, ISO 27001, PCI DSS, HIPAA, and GDPR compliant quickly and easily.

Ready to get started?

Take the guesswork out of CCPA, get expert guidance at every step, and streamline the compliance process with Secureframe.

If you’re interested in becoming CCPA compliant, reach out to our Product Experts to find out more or schedule a demo