Schedule a demo
See how you can maintain an inventory of Law 25-regulated data and provide regulators proof of 24/7 data monitoring, fulfillment of right-to-be-forgotten requests at endpoints, and policy enforcement.
Provide evidence to auditors of steps taken to secure the confidentiality of customer information collected and protect it against threats and unauthorized access.
The California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA) are considered the most comprehensive consumer data privacy laws in the U.S., and a benchmark for other states.
CCPA was enacted to enhance privacy rights of California residents by setting guidelines on how businesses should handle private consumer information. CPRA, also known as CCPA 2.0, builds on CCPA’s foundation and enhances consumer privacy protections, as well as the obligations for companies and organizations that process personal information.
CCPA has been fully enforceable since July 2020. Businesses have until January 1, 2023 to become CPRA compliant.
CPRA’s amendments to CCPA apply to any for-profit business that collects personal information on California-based consumers and meets any of the below criteria:
Note: Businesses need not have operations or employees in CA in order to be subject to CPRA.
CCPA does not apply to nonprofit orgs or government agencies. Other exemptions include:
For purposes of CCPA, a California resident is defined as an individual who uses California residency for income tax purposes. CCPA does not protect consumers who are temporarily in the state of California.
The CCPA defines “personal information” as information that identifies, relates to, describes, is reasonably capable of being associated with a particular consumer or household. This includes: name, address, birthday, biometric data, social security number, telephone number, email address, and any other information linkable to a specific individual.
Sensitive Personal Information is a subset of personal information newly defined in the CPRA. SPI is personal information that reveals:
The CCPA offers two exemptions:
Neither the CCPA and CPRA extend to data already protected by other laws, such as:
The CCPA creates six specific rights for consumers:
The CPRA creates three additional rights:
The CPRA creates and transfers all rulemaking and enforcement authority from the California attorney general to the new state agency, the California Privacy Protection Agency.
The CPRA tightens enforcement, removing the mandatory 30-day cure period that businesses currently enjoy under the CCPA and tripling penalties for violations that involve minors under the age of 16. The law also expands the types of data breaches that are considered within the scope of the data breach private right of action to include breaches of a username or email address, in combination with a password or security question and answer that would permit access to an online account.