CCPA Compliance Consulting Services
2B Advice CCPA consultancy services can give your business a clearer picture of what the key requirements of this privacy regulation are, what steps you can take to meet them and how much time and effort you can expect to put into each step.
Our certified privacy law & CCPA compliance experts can help you assess your organization’s exposure to risk and design an appropriate level of mitigation.
2B Advice has helped thousands of organizations navigate data protection and privacy laws with experience and know-how developed over 17 years as one of the first data privacy services and technology firms in the U.S. and Europe.

We are an international company with offices in San Diego, California.
We are one of the providers with the longest experience in the market.
Our data protection expertise is transnational and we work internationally.
Get A CCPA Compliance Consulting Quote!
Learn more about how we can help your company with a CCPA compliance program.
Technology-Driven Approach To CCPA Consulting
One of our most vital tools in privacy compliance management is 2B Advice PrIME.
This is our proprietary SaaS software specifically designed to handle the stringency and the complexity of regulations such as GDPR, CCPA, and more. We can also help with Data Subject Access Requests under CCPA.

CCPA Compliance Consulting Frequently Asked Questions (FAQ)
The California Privacy Rights Act is also referred to as CPRA or CCPA 2.0. CCPA 2.0 is a ballot initiative that aims to regulate big corporations that collect large amounts of data. If passed, it will take effect in 2023.
CCPA applies to your business if you are a for-profit entity doing business in California that meets one of three thresholds:
- Has $25 million or more in annual revenue; or
- Possesses the personal data of more than 50,000 “consumers, households, or devices”; or
- Earns more than half of its annual revenue selling consumers’ personal data.
Non-profit organizations are excluded from the CCPA, although they may be subject to third-party obligations if they receive personal information from a covered business.
Yes, your business can be based anywhere in the world. Even if your company is not organized under California law and even if you have no physical presence in California, if it meets one of the three thresholds, then CCPA applies to your business.
Amendments to the CCPA have exempted “covered entities”, meaning those companies or healthcare providers that are subject to HIPAA or California’s Confidentiality of Medical Information Act (CMIA) from the CCPA’s scope to the extent that they protect patient data in accordance with HIPAA or CMIA.
Nor does the CCPA apply to:
- Personal information processed under the Gramm-Leach-Bliley Act (GLBA) or the California Financial Information Privacy Act
- Protected health information or medical information governed by HIPAA or CMIA
- Information collected as part of a clinical trial subject to the Federal Policy for the Protection of Human Subjects
- The “sale” of personal information to or from a credit reporting agency, if used for a consumer report and use is limited to those permitted by the Fair Credit Reporting Act
- Personal information processed pursuant to the Driver’s Privacy Protection Act.
The definition of “household” was revised to mean a group of people who reside at the same address, share a common device or the same service, and are identified by the business as a single account.
Even if your business sells only to other businesses, also referred to as Business-to-Business or “B2B”, you must allow individuals to request that their information not be sold. You cannot discriminate against users who do so. And you must promptly inform individuals of a data breach.
If you are a B2B, you should:
- Know where personal information is stored and why
- Update your privacy policy
- Offer individuals an easy way to opt out from data sales
- Make it easy for individuals to opt out of emails
- Review your vendor relationships, particularly service providers who are processing data.
Yes, under CCPA you must update your Privacy Policy every 12 months and have a conspicuous link on your website’s front page.
A Privacy Notice describes the entity’s policies and practices regarding its collection and use of personal data, and sets forth the user’s privacy rights. A privacy notice is sometimes referred to as a privacy statement, a fair processing statement or sometimes a privacy policy.
Consumers gain a number of important rights under CCPA.
- Consumers have the right to request access and deletion of their personal information.
- The CCPA requires any business that sells consumers’ personal information to provide a web page where consumers can opt out of having their personal information sold.
- The CCPA also grants consumers a limited private right of action against businesses that fail to “implement and maintain reasonable security procedures and practices appropriate to the nature of the information.”
There is a “sale” for CCPA purposes where data is exchanged directly for money or similar valuable consideration.
The CCPA defines certain types of vendors to be a “service provider”:
- A legal entity organized for profit
- Which processes consumers’ personal information on a business’s behalf
- And to which a business discloses consumers’ personal information for a business purpose
- With which there exists a written contract that prohibits the entity from retaining, using, or disclosing the personal information for any purpose other than those services specified in the contract, or as otherwise permitted by the CCPA.
Service providers can be processors, suppliers, and vendors, etc. Service providers must demonstrate that they can protect shared consumer data.
A company may request that service providers delete the consumer’s personal information based on a consumer request.
No. In order to be considered a “service provider” for the purposes of the CCPA, an entity must process personal information “on behalf of a business.” In addition, the vendor must be bound by a written contract that prohibits it from:
- Retaining the personal information “for any purpose other than for the specific purpose of performing the services specified in the contract”
- Using the personal information “for any purpose other than for the specific purpose of performing the services specified in the contract”
- Disclosing the personal information “for any purpose other than for the specific purpose of performing the services specified in the contract”.
CCPA does classify another group of vendors, called “third parties”.
Under CCPA, third parties are the entities to which businesses sell or disclose personal information. The CCPA defines third parties in the negative—that is, a third party does not:
- Collect personal information directly from consumers
- Receive a consumer’s personal information from a business for a business purpose pursuant to a written contract that, among other things, prohibits the third party from selling, retaining, using, or disclosing the personal information.
The California attorney general can seek civil penalties for non-compliance with the CCPA that can range from $2,500 for a non-intentional violation to $7,500 for an intentional violation. A business may not be liable if it cures any noncompliance within 30 days after being notified of alleged noncompliance.
The CCPA gives a private right of action that provides California consumers with a tool to seek redress if their personal information is accessed as the result of a data breach. This may involve actual damages, or statutory damages between $100 and $750 per consumer per incident.
Manage Your CCPA Compliance
Have you begun your journey to CCPA compliance? The California Consumer Privacy Act, or CCPA, creates a number of new rights for consumers and considerable compliance concerns for businesses with connections to California and its residents. Create a culture of privacy and ensure your company becomes and stays compliant with the new California Consumer Privacy Act by using CCPA compliance software from 2B Advice.
2B Advice brings deep legal expertise combined with the excellence of German engineering to empower companies with the knowhow, training, and technology that they need to meet today’s changing privacy environments. Our goal is to make meeting all CCPA compliance requirements simple and stress-free for you. Our easy-to-use 2B Advice PrIME software puts the power of compliance in the hands of your employees.
2B Advice PrIME is comprehensive privacy management and compliance software that places the power of managing policies, processing activities, internal and external assessments, data type tracking, reporting, compliance, employee training, policy generation, data subject request management, risk mitigation, and reporting at your fingertips. 2B Advice PrIME provides the everyday usability, performance, and functionality for legal, marketing, security, compliance, risk managers, data protection officers, and other users to manage a growing number of privacy regulations around the globe, including CCPA regulations.
What is CCPA?
The California Consumer Privacy Act (CCPA) is a state law that applies to for-profit companies that do business in California.
“I think part of the misconception is around who is covered by CCPA; the nexus is the California Consumer, not the location of the business” – Mary Stone Ross, Privacy Advocate and Co-Author of the California Consumer Privacy Act
There are three types of companies doing business in California that are covered by CCPA:
- Companies with more than $25 million in gross revenue
- Businesses with data on more than 50,000 consumers, households or devices
- Businesses that derive more than 50 percent of their annual revenues selling consumer data (i.e. data brokers)
CCPA affords consumer rights under the law including disclosure about personal information being collected about them, access to that information, right to deletion, and the right to opt out of the sale of their information.
When does CCPA go into effect?
The CCPA law goes into effect January 1, 2020. If you are a business under CCPA, on January 1 you need to have your data tracking systems in place and be able to comply with a consumer's right-to-know request covering data collected on that consumer over the previous 12 months. That means you have to know what information you have, and put in place a system that can send it to the consumer. The California attorney general shall not bring an enforcement action until 6 months after the publication of such regulations or July 1, 2020.
What are CCPA penalties for non-compliance?
The CCPA will be enforced by the California Attorney General, who may pursue statutory penalties which can go up to $7,500 per violation. The Act also provides for a private right of action in specific circumstances. For instance, if “non-encrypted or non-redacted” consumer information is compromised because of a failure of reasonable security, a consumer may bring a legal action for statutory damages ranging from $100 to $750 per violation or actual damages, whichever is greater.
What is the difference between GDPR and CCPA?
Though modeled after the GDPR, which went into effect May 2018, there are both similarities and differences that should be understood between CCPA requirements and GDPR. To learn more, download our easy to read side by side comparison.
CPRA vs CCPA FAQ
The California Privacy Rights Act, or CPRA, passed in November 2020 and will bring changes in scope to the CCPA.
- Buy, receive, sell or share the personal information of 100,000 or more consumers (a “consumer” is defined as a California resident), households or devices for commercial purposes each year; or
- Derive 50% or more of annual revenue from sharing or selling consumer personal information.
With respect to the first threshold, requiring annual gross revenues over $25 million, the CPRA clarifies that revenues are calculated by looking at the “preceding calendar year.” Thus, businesses not operating on a calendar-year basis may need to adjust how they operate or undergo additional accounting to determine if they fall within this statutory threshold.
The CPRA increases the second threshold from 50,000 to 100,000 for the number of consumers or households whose personal information, alone or in combination, is bought, sold, or shared annually. The heightening of this threshold likely will exclude more small businesses from the scope of the CPRA.
Finally, with respect to the third threshold, the CPRA amends its application to businesses that derive at least 50% of their annual revenue from sharing or selling the personal information of California consumers. The addition of “sharing” to this threshold requirement expands the scope of the CPRA.
The California Privacy Protection Agency will have full administrative power, authority, and jurisdiction to implement and enforce the CCPA and CPRA. The Agency may bring enforcement actions related to the CCPA or CPRA before an administrative law judge. The California Attorney General will retain civil enforcement authority over the CCPA and the CPRA.
CPRA provides that any business, service provider, contractor, or other person that violates [the CPRA] shall be liable for an administrative fine … in an administrative enforcement action brought by the CPPA.
The CPPA can investigate possible violations on its own initiative or upon the sworn complaint of any person, not just California residents.
The CPRA imposes new requirements for businesses to protect personal information, including by “reasonably” minimizing data collection, limiting data retention, and protecting data security. It also strengthens accountability measures by requiring companies to conduct privacy risk assessments and cybersecurity audits, and regularly submit them to regulators. In addition, it supplements the individual rights in the CCPA with new notification requirements, clarifies that individuals have the right to opt out of both the “sale” and “sharing” of personal information, and adds protections for a new category of “sensitive data.” These 22 new regulations are still being written.
Final CPRA regulations are to be adopted by July 1, 2022, a year ahead of the CPRA’s enforcement.
Of note: The CPRA’s risk assessment requirement is similar to that of the EU General Data Protection Regulation (GDPR). Article 35 of the GDPR mandates that a data protection impact assessment (DPIA) be carried out in consultation with the data protection officer for processing “likely to result in a high risk,” but unlike the CPRA, it does not require DPIAs to be filed with a regulatory authority.
(1) personal information that reveals
(A) a consumer’s social security, driver’s license, state identification card, or passport number;
(B) a consumer’s account log‐in, financial account, debit card, or credit card number in combination with any required security or access code, password, or credentials allowing access to an account;
(C) a consumer’s precise geolocation;
(D) a consumer’s racial or ethnic origin, religious or philosophical beliefs, or union membership;
(E) the contents of a consumer’s mail, email and text messages, unless the business is the intended recipient of the communication;
(F) a consumer’s genetic data;
(2)(A) the processing of biometric information for the purpose of uniquely identifying a consumer;
(B) personal information collected and analyzed concerning a consumer’s health; or
(C) personal information collected and analyzed concerning a consumer’s sex life or sexual orientation.
Sensitive personal information that is “publicly available” pursuant to paragraph (2) of subdivision (v) of Section 1798.140 shall not be considered sensitive personal information or personal information.
- Businesses should specifically and clearly inform consumers about how they collect and use personal information and how they can exercise their rights and choice.
- Businesses should only collect consumers’ personal information for specific, explicit, and legitimate disclosed purposes, and should not further collect, use, or disclose consumers’ personal information for reasons incompatible with those purposes.
- Businesses should collect consumers’ personal information only to the extent that it is relevant and limited to what is necessary in relation to the purposes for which it is being collected, used, and shared.
- Businesses should provide consumers or their authorized agents with easily accessible means to allow consumers and their children to obtain their personal information, to delete it, or correct it, and to opt‐out of its sale and the sharing across business platforms, services, businesses and devices, and to limit the use of their sensitive personal information.
- Businesses should not penalize consumers for exercising these rights.
- Businesses should take reasonable precautions to protect consumers’ personal information from a security breach.
- Businesses should be held accountable when they violate consumers’ privacy rights, and the penalties should be higher when the violation affects children.
CCPA Requirements for 2021 for Businesses
With CCPA being drafted hastily and moved rapidly toward January 1, 2020, there were a number of ambiguities around the CCPA requirements for 2020 for businesses. There have been numerous public forums about the law and commentary that revealed contradictory internal cross-referencing and confusing definitions. Many questions were circulating, such as whether CCPA compliance requirements were aimed at businesses headquartered in California or whether the revenue threshold was total revenue or proceeds just from sales in California, to name just a few of the points of confusion. Many other questions centered around the “personal information” definition, which has been noted to be much broader than that of other well-known regulations such as the GDPR. To clarify the CCPA requirements for 2020, many of these questions have been addressed in a series of CCPA amendments.
On October 11, Governor Gavin Newsom signed all five of these bills. Following is a summary of the CCPA amendments that passed (gov.ca.gov/2019/10/11/governor-newsom-issues-legislative-update-10-11-19/).
A.B. 25—HR Data Exemption: Excludes employee or job applicant data from a consumer’s right to access, deletion, and opt-out (leginfo.legislature.ca.gov/faces/billTextClient.xhtml?bill_id=201920200AB25)
A.B. 874 — Clarification on “publicly available information” and “Personal information” definition: Clarifies that “publicly available information” that is lawfully made available from federal, state, or local records, and “deidentified or aggregate” information are not considered “personal information” (leginfo.legislature.ca.gov/faces/billNavClient.xhtml?bill_id=201920200AB874)
A.B. 1146 —Product warranty or recall or vehicle information exclusion: Excludes from the right to opt-out vehicle and ownership information for purposes of vehicle repair covered by a warranty or recall (leginfo.legislature.ca.gov/faces/billNavClient.xhtml?bill_id=201920200AB1146)
A.B. 1355—Definition of “business” and other related definitions and clarifications: Businesses may offer different rates or services levels based on the value of the consumer data; grants certain exceptions for personal information provided as part of a transaction; disclose and deliver the required information to a consumer free of charge within 45 days of receiving a verifiable consumer request from the consumer and promptly take steps to determine whether the request is a verifiable consumer request (leginfo.legislature.ca.gov/faces/billNavClient.xhtml?bill_id=201920200AB1355).
“Business” means:
(1) A sole proprietorship, partnership, limited liability company, corporation, association, or other legal entity that is organized or operated for the profit or financial benefit of its shareholders or other owners that collects consumers’ personal information or on the behalf of which that information is collected and that alone, or jointly with others, determines the purposes and means of the processing of consumers’ personal information, that does business in the State of California, and that satisfies one or more of the following thresholds:
(A) Has annual gross revenues in excess of twenty-five million dollars ($25,000,000), as adjusted pursuant to paragraph (5) of subdivision (a) of Section 1798.185.
(B) Alone or in combination, annually buys, receives for the business’s commercial purposes, sells, or shares for commercial purposes, alone or in combination, the personal information of 50,000 or more consumers, households, or devices.
(C) Derives 50 percent or more of its annual revenues from selling consumers’ personal information.
A.B. 1564—Designated consumer request methods: Provides that businesses that operate exclusively online and have a direct relationship with the consumer need to provide only an email address for submitting consumer requests (leginfo.legislature.ca.gov/faces/billNavClient.xhtml?bill_id=201920200AB1564).
This further clarifies and changes A.B. 1355, which required that businesses make available to consumers two or more designated methods for submitting requests, including, at a minimum, a toll-free telephone number, and if the business maintains an internet website, a website address.
These five amendments don’t solve the questions forever as most of them are set only for the next 12 months. However, it is anticipated that there will be further distillation and clarification around the CCPA requirements as more businesses put it into action in 2020.
If you have questions about CCPA requirements, reach out to the 2B Advice privacy compliance experts today!

ISO 19011
Certified Auditor

Gold Member
IAPP Gold Member

ISO Certified
2B Advice is ISO/IEC 27001:2017 Certified

CIPP
Certified Information Privacy Professionals
Why You Need CCPA Consulting
Regardless of where they are physically based, businesses will be required to honor requests from California residents to access, delete, and opt out of selling or sharing their information. The CCPA covers for-profit companies “doing business” in California that collect and sell personal information or disclose personal data for a business purpose.
The CCPA went into effect on January 1st, 2020. The act will have significant impact on corporate privacy initiatives of both large and small businesses. Even companies that have GDPR compliance programs in place will need to put additional measures in place.