Drive CCPA and CPRA sensitive data compliance

As of January 1, 2023, CPRA extends further protections to “Sensitive Personal Information.” Qohash finds SPI on any data source, in any location, and monitors it 24/7, for evidence of sensitive data policy enforcement.

CCPA and CPRA Overview

The California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA) are considered the most comprehensive consumer data privacy laws in the U.S., and a benchmark for other states.

CCPA was enacted to enhance privacy rights of California residents by setting guidelines on how businesses should handle private consumer information. CPRA, also known as CCPA 2.0, builds on CCPA’s foundation and enhances consumer privacy protections, as well as the obligations for companies and organizations that process personal information.

CCPA has been fully enforceable since July 2020. Businesses have until January 1, 2023 to become CPRA compliant.

CPRA’s amendments to CCPA apply to any for-profit business that collects personal information on California-based consumers and meets any of the below criteria:

  1. Had gross annual revenue of $25M as of January 1, 2022 or the preceding calendar year
  2. Buys, receives or sells personal info of 50,000 or more CA residents, households or devices
  3. Derives 50% or more of income selling CA residents’ personal info

Note: Businesses need not have operations or employees in CA in order to be subject to CPRA.

CCPA does not apply to nonprofit orgs or government agencies. Other exemptions include:

  • Consumer reporting agencies that are covered by the Fair Credit Reporting Act
  • Financial Institutions covered by the Gramm-Leach-Bliley Act
  • Entities covered by the Insurance Information and Privacy Protection Act

For purposes of CCPA, a California resident is defined as an individual who uses California residency for income tax purposes. CCPA does not protect consumers who are temporarily in the state of California.

The CCPA defines “personal information” as information that identifies, relates to, describes, is reasonably capable of being associated with a particular consumer or household. This includes: name, address, birthday, biometric data, social security number, telephone number, email address, and any other information linkable to a specific individual.

Sensitive Personal Information is a subset of personal information newly defined in the CPRA.

SPI is personal information that reveals: 

  • social security, driver’s license, state identification card, or passport numbers
  • account log-in, financial account, debit card, or credit card number in combination with any required security or access code, password, or credentials allowing access to an account
  • precise geolocation
  • racial or ethnic origin, religious or philosophical beliefs, or union membership
  • the contents of a consumer’s mail,  email and text messages, unless the business is the intended recipient of the communication
  • genetic data

The CCPA offers two exemptions:

  • Personal information collected by a business about a person who was either a job applicant or past/current employee. The exemption is limited to when the business used the information
    provided “solely” for employment-related actions.
  • The B2B exemption applies to personal information of employees or business contacts that a business collected to aid in providing or receiving a product or service to and from another business.

Neither the CCPA and CPRA extend to data already protected by other laws, such as:

  • Financial services providers already in compliance with the GLBA
  • Medical information protected under the California Confidentiality of Medical Information Act
  • Personal information collected as part of a clinical trial or biomedical research study and subject to the Federal Policy for the Protection of Human Subjects
  • Information covered under the Fair Credit Reporting Act

The CCPA creates six specific rights for consumers:

  1. The right to know or request disclosure of personal information collected by the business about the consumer. This includes from whom it was collected, why it was collected, and, if sold, to whom.
  2. The right to delete personal information collected from the consumer.
  3. The right to opt out of the sale of personal information.
  4. The right to opt-in to the sale of personal information of consumers under the age of 16.
  5. The right to non-discriminatory treatment for exercising any rights.
  6. The right to initiate a private cause of action for data breaches.

The CPRA creates three additional rights:

  1. The right to opt out of automated decision-making technology.
  2. The right to correct inaccurate personal information.
  3. The right to limit use and disclosure of sensitive personal information.

The CPRA creates and transfers all rulemaking and enforcement authority from the California attorney general to the new state agency, the California Privacy Protection Agency.

The CPRA tightens enforcement, removing the mandatory 30-day cure period that businesses currently enjoy under the CCPA and tripling penalties for violations that involve minors under the age of 16. The law also expands the types of data breaches that are considered within the scope of the data breach private right of action to include breaches of a username or email address, in combination with a password or security question and answer that would permit access to an online account.
Penalties include:

  • Civil Penalties – In actions by the California Attorney General, businesses can face penalties of up to $7,500 per intentional violation or $2,500 per unintentional violation (but there is an opportunity to cure any alleged violation within 30 days after receiving notice of the alleged violation).
  • Damages – In actions brought by consumers for security breach  violations, consumers may recover statutory damages not less than $100 and not greater than $750 per consumer per incident or actual damages, whichever is greater. In actions for statutory damages, consumers must first provide businesses with written notice and an opportunity to cure.
  • Non-Monetary Relief – In actions brought by consumers for security breach violations, consumers may seek injunctive or declaratory relief, as well as any other relief the court deems
  • Businesses may also be subject to an injunction in actions brought by the Attorney General.

How Qohash drives CCPA compliance

Provide evidence to auditors of clear steps taken to secure the confidentiality of customer information and protect it against threats and unauthorized access.

Find sensitive data, everywhere

Qohash solution

Per the CPRA, consumers have the right to know what information was collected after January 1, 2022. Use custom date ranges to discover CPRA-regulated data collected on business systems – and do it 50x faster than alternatives, across any data source, in any location. Data is discovered, classified, tagged, assigned a risk level, and sorted, to provide a complete inventory of sensitive, unstructured data. Once legacy SPI is cleaned, Qohash monitors the remaining data 24/7. Track sensitive data elements, see employee interactions with specific pieces of information, and see locations where the data moved. Take immediate action when risky accumulation, deletion, and exfiltration occur.

The CPRA introduces new requirements for “sensitive personal information.” Businesses must limit the use of SPI and make sure it’s adequately protected.

Conduct privacy risk assessments

Qohash solution

A foundational step in conducting a risk assessment, Qohash provides an inventory of CPRA-regulated SPI across every data source. It provides access control lists for evaluation as to whether those with access have a legitimate business need for it. Gain insight into all sensitive data critical exposure points. See how much SPI is on business systems and who has access to it. Put policies in place, configure risk levels appropriate to the business, and receive notifications the instant policy violations occur.

The CPRA requires any business that processes personal data to perform periodic privacy risk assessments and independent cybersecurity audits.

Fulfill deletion requests

Qohash solution

Run keyword searches by name, date, credit card number, and more to find all copies of SPI across business systems. See which categories of sensitive data are stored on business systems. See how specific data elements moved across employees and locations.

Delete data directly within the platform to show compliance with data deletion requests in any location – including endpoints.


CCPA/CPRA gives consumers the right to know what SPI is in their possession, correct inaccurate information, and delete sensitive personal data upon request.

Automate data retention

Qohash solution

Enforcing a data retention policy requires a comprehensive data inventory. Map petabytes of data, to decide what to delete and what to keep — and for how long. Once data is cataloged, create custom retention policies by tagging information to keep, setting up workflows that govern how long data is stored, and setting up notifications for when data should be deleted.

CCPA/CPRA requires that businesses have data retention policies in place so that data is automatically deleted once it’s no longer relevant to the business.

Schedule a demo

See how you can maintain an inventory of CCPA-regulated data and provide regulators proof of 24/7 data monitoring, fulfillment of right-to-be-forgotten requests at endpoints, and policy enforcement.

Contact us​

Logo Qohash
By initiative
Regulatory compliance:
Find, classify and inventory all sensitive data, across every data source
Data breach prevention:
Monitor sensitive data 24/7, track data lineage, and enforce policies at endpoints
Microsoft 365
One easy-to-use platform to secure sensitive data on Windows workstations and M365
By regulation
Law 25
Why Qohash
Defy legacy limitations
What our customers say about us