California CCPA/CPRA

The toughest data privacy law in the United States.


What are CCPA & CPRA?

The California Consumer Privacy Act (“CCPA”) is the toughest data privacy law in the United States, and a game changer for companies around the world. It is a state law that enhances privacy rights and consumer protections for residents of California. CCPA became effective on January 1, 2020 and enforceable as of July 1, 2020; the regulation requires affected companies collecting personal information from California residents (regardless of where the company is located) to implement CCPA-compliant protocols and procedures.

The CCPA was amended by the California Privacy Rights Act (CPRA), also known as CCPA 2.0, and together they are set to have a profound impact on what data privacy and data security will mean in the future. The new provisions introduced by the CPRA took effect on January 1, 2023. According to the Attorney General’s website, the CPRA amends the CCPA but does not create a new law: the two work together as one law, referred to as the CCPA.


What is Personal Information and what are other key definitions?

According to California’s law, personal information is any information that identifies, relates to, describes, or could be linked to a consumer or household. It includes data such as name, email address, date of birth and even IP address.

Sensitive personal information, newly defined in the CPRA, is information that reveals sensitive details, for example:

  • a visitor’s precise geolocation;
  • their social security number, driver’s license number, state identification card number or passport number;
  • their racial or ethnic origin;
  • log-in credentials for various accounts, and credit or debit card numbers together with any access code needed to access the account;
  • their genetic information;
  • the contents of their mail, e-mail or text messages, unless the business is the intended recipient of the communication.

The law also defines ‘biometric information’ as “an individual’s physiological, biological or behavioral characteristics, including information pertaining to an individual’s deoxyribonucleic acid (DNA), that is used or intended to be used, singly or in combination with each other or with other identifying data, to establish individual identity.” This includes, among other details, “imagery of the iris, retina, fingerprint, face, hand, palm, vein patterns, and voice recordings, from which an identifier template, such as a faceprint, a minutiae template, or a voiceprint, can be extracted, and keystroke patterns or rhythms, gait patterns or rhythms, and sleep, health, or exercise data that contain identifying information.”

Last but not least, according to the text of the law, ‘consumer’ means a natural person who is a California resident.


Who has to comply with the CCPA?

The CCPA applies to businesses, service providers and third parties; the CPRA adds a fourth category, namely contractors.

It defines a business as “a sole proprietorship, partnership, limited liability company, corporation, association, or other legal entity that is organized or operated for the profit or financial benefit of its shareholders or other owners that collects consumers’ personal information or on the behalf of which that information is collected and that alone, or jointly with others, determines the purposes and means of the processing of consumers’ personal information, that does business in the State of California, and that satisfies one or more of the following thresholds:

  1. Earns annual revenues of more than $25 million;
  2. Collects and processes personal information of at least 100,000 consumers, households or devices; or
  3. Derives at least 50% of its annual revenues from selling or sharing consumers’ personal information.”

Under the CPRA, a contractor is similar to a service provider: it is likewise bound by the terms and conditions of a written contract that sets out restrictions on the use of personal information. Unlike a service provider, however, a contractor must also provide some form of certification that it understands the above-mentioned restrictions and will comply with them.

Who is excluded from CCPA compliance? 

According to the regulation text, a series of organizations and types of data are excluded from compliance:

  • medical information governed by the Confidentiality of Medical Information Act;
  • healthcare providers governed by the Confidentiality of Medical Information Act, or “a covered entity governed by the privacy, security, and breach notification rules issued by the United States Department of Health and Human Services”;
  • personal information collected as part of a clinical trial subject to the Federal Policy for the Protection of Human Subjects;
  • “personal information collected, processed, sold, or disclosed pursuant to the federal Gramm-Leach-Bliley Act, and implementing regulations, or the California Financial Information Privacy Act”;
  • “personal information collected, processed, sold, or disclosed pursuant to the Driver’s Privacy Protection Act of 1994”;
  • job application information about individuals.

How can I keep my organization CCPA compliant? 

In order to be compliant, you need to follow a series of guidelines established by the text of the regulation:

  • Inform your website visitors of the personal information being collected about them, at or before the point of collection.
  • Do not collect categories of personal information other than those you have disclosed.
  • Reply to every verifiable consumer request in a timely manner and free of charge.
  • Keep track of requests so that you can prove compliance with the response deadlines set for them.

One very important aspect of compliance with the California law is that you are required to provide your website visitors with a clear and easily accessible link on the homepage of your website, called “Do not sell my personal information”, leading to a page where visitors can opt out of the sale of their personal information. Additionally, a description of consumer rights and a separate “Do not sell my personal information” link must also be added to your online privacy policy and/or any specific description of consumers’ privacy rights.

With the amendments brought in by the CPRA, this requirement has been expanded so that data subjects can limit both the sale and the sharing of their personal information. You are now required to provide a clear link on the homepage of your website, called “Do not sell or share my personal information”, which must lead data subjects to a page where they can opt out of the selling or sharing of their personal information with third parties.

What is more, if your business processes sensitive personal information you must provide a clear link on the homepage of your website, called “Limit the use of my sensitive personal information”.


What data access rights does CCPA grant? 

The CCPA grants consumers the following rights, which they can exercise against your company:

  • Right to Know: consumers have the right to know what personal information is being collected about them, from whom and for what purpose, and, where applicable, to whom it is being sold;
  • Right to Delete: consumers have the right to ask that their personal information be deleted;
  • Right to Opt Out of Sale: your website visitors must be given the option to opt out of the sale of their personal information;
  • Right to Non-Discrimination: discriminating against users based on whether or not they exercise their CCPA rights is forbidden; the same level of access and service must be made available to all your website visitors.

In addition to these, the CPRA adds two more rights, namely: 

  • Right to Correct: which allows your website visitors to ask that their personal information be corrected;
  • Right to Limit Use and Disclosure of Sensitive Personal Information.


How to address data subject access requests under the CCPA

The CCPA enumerates certain rights for individuals, one of which requires companies to provide access to the data collected about individuals by facilitating Data Subject Access Requests (“DSARs”).

One such request is the request to opt out of the sale of one’s personal data, also known as the “Do Not Sell My Personal Information” component of the CCPA. If a consumer makes this request, your company cannot sell that consumer’s information for at least 12 months; after that period the company may sell the consumer’s information again only if it obtains affirmative consent from the consumer to do so.

It is important to know that the CCPA takes a broad view of the word “sell”, which the regulation defines as “selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer’s personal information by the business to another business or a third party for monetary or other valuable consideration.”

Based on our understanding of the regulation, if you are running third-party tracking scripts on your website, that is considered selling personal information for the purposes of the CCPA.

The CCPA requires that you respond to any DSAR within 45 days of receipt; this period can be extended once by a further 45 days, provided you notify the consumer of the delay. Note that another section of the law’s text gives businesses an extension of 90 days after the initial 45 days, and it is not clear when the 45-day extension applies and when the 90-day extension applies.


Enforcement and penalties

According to the regulation text, if your business is in violation of the CCPA and does not cure the violation within 30 days of the date of notification, it can be fined up to $2,500 for every unintentional violation and $7,500 for every intentional violation.

In addition, any consumer who suffers harm following a data breach of your website can recover statutory damages of between $100 and $750 per consumer per incident or actual damages, whichever is greater, and can seek injunctive or declaratory relief or any other relief that a court deems proper.


How can Clym help?

Clym believes in striking a balance between legal compliance and business needs, which is why we offer businesses the following:

  • All-in-one platform: one interface combining privacy and accessibility compliance with global regulations, at an affordable price;
  • Seamless integration into your website;
  • Adaptability to your users’ location and the applicable regulation;
  • Custom branding;
  • Ready compliance: coverage of 30+ data privacy regulations;
  • Six preconfigured accessibility profiles, as well as 25+ display adjustments that allow visitors to customize their individual experience.

You can see Clym in action by booking a demo or reaching out to us to discuss your specific needs today.
