CCPA Compliance

Mitigate the risks from the California Consumer Privacy Act’s (CCPA) most pressing challenges


California Consumer Privacy Act (CCPA) Sets the Bar in the USA

With the Privitar Data Privacy Platform™, enterprises can mitigate the risks from the California Consumer Privacy Act’s (CCPA) most pressing regulatory compliance challenges:

Many states are proposing similar or identical legislation, implementing a single standard for the entire country can be more cost effective and efficient, and US consumers are demanding that their sensitive personal data be protected. As a result, leading businesses are committing to CCPA compliance across the entire US.


Does the CCPA Apply to Me?

The CCPA is the most significant US privacy law to date. It applies to all for-profit companies doing business in California that collect, share or sell California consumers’ personal data and meet one of the following criteria:

  • Has >$25M in annual revenue
  • Processes data on >50,000 consumers, households or devices
  • Generates >50% of revenues from selling personal data.

The CCPA also applies if your organization is owned by, or shares common branding with, a covered business. And you don’t even need to have operations or employees in California.

Private Right of Action

Consumers can exercise a Private Right of Action (PRA) if certain types of data, as defined in the California Data Breach Notification Law, leak. This data includes driver’s license, social security number, email address, account numbers, as well as medical, health and biometric information. Affected consumers can claim damages of $100-$750 per person for distress alone. Damages are uncapped for actual harm. Privitar enables you to pseudonymize these data types and eliminate the risk of PRA.


California Attorney General Fines

The state Attorney General has new investigative authority and the power to levy fines up to $2,500 – $7,500 per incident per person for violations.

Request for Deletion

Consumers can request that their data be deleted. Although this sounds straightforward, in practice it can be challenging for organizations to comply, and non-compliance can result in fines.

Taking Data Outside the Scope of the CCPA

The CCPA does not apply to data which has been de-identified and aggregated. Simple pseudonymization is not enough, because pseudonymous data can be identifying when combined with other proprietary or publicly available data. However, using Privitar’s advanced de-identification functionality, you can move beyond pseudonymization to take data out of the scope of the CCPA.

Don’t Delete: De-Identify

Fulfill Requests to be Forgotten while Maintaining the Value of Data

The California AG’s draft regulations confirm that de-identifying data is sufficient to comply with deletion requests. With direct and quasi-identifiers de-identified, you can retain behavioral and historic data that enables you to maximize the value and insights from future aggregate analyses.
