Mitigate privacy risks to your customers and organization!
Privacy risk can exist throughout the data life cycle, so it is important to manage and govern data properly. A number of privacy risk management activities can be undertaken during the data life cycle. Designing a privacy risk management framework is the first step to ensuring data validation and data protection, monitoring and controlling data, and complying with all applicable laws and regulations.
The Continuum GRC ITAM SaaS platform has privacy modules available, such as:

California Consumer Privacy Act (CCPA) attestation
The CCPA, as amended by the CPRA, applies to any for-profit entity “doing business” in the state of California, whether or not it has a physical presence in the state, that collects California residents' personal information and meets at least one of the following criteria:
- Gross annual revenue above $25 million
- Annually buys, sells, or shares personal information belonging to 100,000 or more California consumers or households (the original CCPA threshold was 50,000 consumers, households, or devices; the CPRA raised it and dropped devices)
- Derives at least half of annual revenue from selling or sharing personal information belonging to California consumers
Modules include:
- California Consumer Privacy Act (CCPA) attestation
What are you waiting for?
You are just a conversation away from putting the power of Continuum GRC to work for you.
Contact us using the form below or by calling us at 1-888-896-6207 for immediate assistance.
About the Standard
The California Consumer Privacy Act (CCPA), effective January 1, 2020, and amended by the California Privacy Rights Act (CPRA) effective January 1, 2023, imposes specific compliance requirements on businesses that collect, use, or share personal information of California residents. Below is a concise overview of the key compliance requirements:
1. Applicability
The CCPA applies to for-profit businesses that:
- Have annual gross revenues exceeding $25 million; or
- Buy, sell, or share personal information of 100,000 or more California consumers or households annually; or
- Derive 50% or more of their annual revenue from selling or sharing California consumers’ personal information.
- The business must also collect personal information of California residents and do business in California; an entity that controls or is controlled by such a business and shares common branding with it is also covered.
2. Consumer Rights
Businesses must honor the following rights for California consumers:
- Right to Know: Consumers can request details about what personal information is collected, used, shared, or sold, and the purposes for these actions.
- Right to Delete: Consumers can request deletion of their personal information, subject to certain exceptions (e.g., data needed for legal compliance).
- Right to Opt-Out: Consumers can opt out of the sale or sharing of their personal information. Businesses must provide a clear “Do Not Sell or Share My Personal Information” link on their website.
- Right to Non-Discrimination: Businesses cannot discriminate against consumers (e.g., by denying services or charging different prices) for exercising their CCPA rights.
- Right to Correct: Consumers can request correction of inaccurate personal information.
- Right to Limit Use of Sensitive Personal Information: Consumers can limit the use of sensitive data (e.g., health, biometric, or precise geolocation data) to specific purposes.
3. Key Compliance Obligations
- Privacy Notice: Provide a clear, accessible privacy policy at or before the point of data collection, detailing:
- Categories of personal information collected.
- Purposes for collection, use, or sharing.
- Categories of third parties with whom data is shared.
- Consumer rights and how to exercise them.
- Opt-Out Mechanism: Include a “Do Not Sell or Share My Personal Information” link on the homepage and ensure mechanisms to process opt-out requests, including support for browser-based opt-out signals (e.g., Global Privacy Control).
- Request Handling: Confirm receipt of requests to know, delete, or correct within 10 business days and respond within 45 days (extendable by 45 additional days if needed, with notice to the consumer). Opt-out requests must be honored within 15 business days and do not require identity verification. Verify the requester’s identity for other requests without collecting excessive additional data.
- Service Provider Contracts: Ensure contracts with service providers, contractors, or third parties handling personal information include CCPA-compliant terms, limiting data use to specified purposes.
- Data Minimization: Collect, use, and retain only the personal information necessary for the disclosed purpose.
- Sensitive Personal Information: Obtain explicit consumer consent for certain uses of sensitive data or provide a “Limit the Use of My Sensitive Personal Information” link.
- Record-Keeping: Maintain records of consumer requests and responses for at least 24 months. Businesses that buy, sell, or share personal information of 10 million or more consumers per year must additionally compile and publish annual metrics on requests received and their outcomes.
- Training: Train employees handling consumer inquiries about CCPA requirements and processes.
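The “Opt-Out Mechanism” obligation above is the one item in this list with a concrete technical component: a browser-based signal such as Global Privacy Control arrives as an HTTP request header, and the site has to treat it as a valid opt-out request. The following is an added example, not Continuum GRC’s code or part of the original page, showing the server-side logic for honoring that signal. It assumes, per the GPC specification draft, that browsers with the signal enabled send `Sec-GPC: 1`, and that a site may advertise support at `/.well-known/gpc.json` with a body of the form `{"gpc": true, "lastUpdate": "YYYY-MM-DD"}`. The `Preferences` store and the sample requests are constructed for the example.

```python
# Added example (not Continuum GRC's or the page's code): honouring the Global
# Privacy Control (GPC) opt-out signal on the server side.
#
# Assumptions: per the GPC specification draft, browsers with the signal enabled
# send the request header "Sec-GPC: 1", and a site can advertise support at
# /.well-known/gpc.json with a body like {"gpc": true, "lastUpdate": "YYYY-MM-DD"}.
# The Preferences store and the sample requests below are constructed.
import json
from dataclasses import dataclass
from typing import Mapping


@dataclass
class Preferences:
    """A consumer's recorded opt-out state (hypothetical store, e.g. cookie-backed)."""
    do_not_sell_or_share: bool = False
    source: str = "default"  # "default", "gpc", or "link" (the website link/form)


def gpc_signal_present(headers: Mapping[str, str]) -> bool:
    """True only when a Sec-GPC header is present with the value "1".

    Header names are matched case-insensitively. Any other value (including
    "0" or an empty string) is not treated as an opt-out signal.
    """
    for name, value in headers.items():
        if name.lower() == "sec-gpc":
            return value.strip() == "1"
    return False


def apply_opt_out_signal(headers: Mapping[str, str], prefs: Preferences) -> Preferences:
    """Merge a request's GPC signal into the consumer's stored preference.

    A valid signal is recorded as a "Do Not Sell or Share" request. The absence
    of a signal is NOT consent and never reverses an opt-out the consumer already
    made, whether via GPC or via the website link.
    """
    if gpc_signal_present(headers):
        return Preferences(do_not_sell_or_share=True, source="gpc")
    return prefs


def may_sell_or_share(prefs: Preferences) -> bool:
    """Gate every downstream 'sale' or 'share' (e.g. loading an ad-tech tag) on this."""
    return not prefs.do_not_sell_or_share


def gpc_support_resource(last_update: str = "2024-01-01") -> str:
    """JSON body served at /.well-known/gpc.json to advertise that GPC is honoured."""
    return json.dumps({"gpc": True, "lastUpdate": last_update})


if __name__ == "__main__":
    # Constructed sample requests from one visitor (not captured traffic).
    visitor_requests = [
        ("browser with GPC enabled", {"Host": "example.test", "Sec-GPC": "1"}),
        ("later request without the header", {"Host": "example.test"}),
        ("later request with a non-signal value", {"Host": "example.test", "sec-gpc": "0"}),
    ]
    prefs = Preferences()
    for label, headers in visitor_requests:
        prefs = apply_opt_out_signal(headers, prefs)
        print(f"{label}: sell/share allowed = {may_sell_or_share(prefs)} (source={prefs.source})")

    # A new visitor whose browser sends "0" has not opted out.
    fresh = apply_opt_out_signal({"Sec-GPC": "0"}, Preferences())
    print(f"new visitor sending Sec-GPC: 0 -> sell/share allowed = {may_sell_or_share(fresh)}")
    print(gpc_support_resource())
```

The important design point is that the gate in `may_sell_or_share` must sit in front of whatever actually performs the sale or share (tag loading, pixel firing, list exports), not only in the privacy-policy UI; the signal is meaningless if the ad-tech integration never consults the stored preference. The “Do Not Sell or Share My Personal Information” link is still required alongside signal support.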
4. Data Security
- Implement reasonable security measures to protect personal information from unauthorized access, use, or disclosure. A breach of nonencrypted and nonredacted personal information that results from a failure to implement reasonable security gives affected consumers a private right of action for statutory damages ($100-$750 per consumer per incident) or actual damages, whichever is greater.
5. Special Considerations
- Children’s Data: Obtain opt-in consent for selling or sharing personal information of consumers under 16. For children under 13, parental consent is required.
- Updates to Privacy Policies: Review and update privacy policies annually or when practices change significantly.
- CPRA Additions: The CPRA expanded requirements, including data minimization, retention schedules, and compliance with the California Privacy Protection Agency’s regulations.
6. Penalties for Non-Compliance
- The California Attorney General or the California Privacy Protection Agency can impose administrative fines of up to $2,500 per violation or $7,500 per intentional violation or violation involving minors. The CPRA removed the 30-day cure period that the original CCPA offered before an enforcement action.
- Consumers can sue for data breaches, seeking statutory or actual damages.
7. Implementation Steps
- Conduct a data inventory to map personal information collection, use, and sharing.
- Update privacy policies and website disclosures.
- Establish processes for handling consumer requests (e.g., web forms, toll-free numbers).
- Implement opt-out mechanisms and respect browser-based signals.
- Train staff and update vendor contracts.
- Regularly audit compliance, especially for sensitive data and third-party relationships.
For detailed guidance, businesses can refer to the California Privacy Protection Agency’s regulations or consult legal experts; since the CPRA took effect, enforcement has been active and no cure period softens it.