Software Supply Chain Regulation & Compliance Guides

California Consumer Privacy Act (CCPA)

Written by Finite State Team | Jul 24, 2024 5:07:35 PM

The California Consumer Privacy Act (CCPA) is a United States data privacy law enacted to enhance privacy rights and consumer protection for California residents.

The CCPA, effective January 1, 2020, gives consumers more control over the personal information that businesses collect about them and is considered one of the most comprehensive data privacy laws in the United States. In November 2020, California voters passed the California Privacy Rights Act (CPRA), which amended and expanded the CCPA, created the California Privacy Protection Agency (CPPA) as a dedicated regulator, and came into effect on January 1, 2023. The thresholds, rights, and penalties described below reflect the CCPA as amended by the CPRA.

The CCPA applies to for-profit businesses that do business in California, collect and process the personal information of California residents, and meet any of the following thresholds:

  • Have annual gross revenues in excess of $25 million (a figure the CPRA adjusts periodically for inflation).
  • Buy, sell, or share the personal information of 100,000 or more California residents or households per year (the original CCPA threshold of 50,000 consumers, households, or devices was raised by the CPRA, and devices no longer count).
  • Derive 50% or more of their annual revenues from selling or sharing California residents' personal information.


CCPA Guidelines

The CCPA establishes several key rights for consumers and obligations for businesses, including:

  1. Right to Know: Consumers have the right to request the categories and specific pieces of personal information a business has collected about them, the categories of sources of that information, the business or commercial purpose for collecting it, and the categories of third parties with whom the information is shared.
  2. Right to Delete: Consumers can request the deletion of their personal information held by a business, subject to certain exceptions (for example, information needed to complete a transaction or to comply with a legal obligation).
  3. Right to Opt-Out: Consumers have the right to opt out of the sale or sharing of their personal information with third parties. Businesses that sell or share personal information must provide a clear "Do Not Sell or Share My Personal Information" link on their website; the CPRA broadened the original "Do Not Sell" right to cover sharing for cross-context behavioral advertising.
  4. Right to Non-Discrimination: Businesses cannot discriminate against consumers for exercising their CCPA rights, such as denying services or charging different prices.
  5. Notice Requirement: Businesses must inform consumers at or before the point of collection what categories of personal data will be collected and the purposes for which the data will be used.


Consequences of Non-Compliance

Non-compliance with the CCPA can result in significant penalties, including:

  • Administrative fines: The California Attorney General and the California Privacy Protection Agency can impose civil penalties of up to $2,500 per violation and up to $7,500 per intentional violation or per violation involving the personal information of a consumer under 16.
  • Private right of action: Consumers can sue a business when their nonencrypted and nonredacted personal information is exposed in a data breach caused by the business's failure to implement and maintain reasonable security procedures and practices (Cal. Civ. Code § 1798.150). Statutory damages range from $100 to $750 per consumer per incident, or actual damages, whichever is greater, and breach claims are routinely brought as class actions. This private right of action is limited to such breaches; other CCPA violations, such as failing to honor a deletion request, are enforced only by the regulators.
  • Reputational Damage: Public awareness of non-compliance can harm a business’s reputation and consumer trust.


How Finite State Helps You Comply with CCPA

Finite State complements your data protection efforts by strengthening the product and software security controls on which the CCPA's data-breach provision turns: because the private right of action applies to breaches caused by a failure to maintain reasonable security procedures, finding and fixing exploitable vulnerabilities in your products and their third-party components is directly relevant to your CCPA exposure. In particular, Finite State helps by:

  • Enforcing Secure Coding Practices: Integrations into existing CI/CD pipelines automatically analyze source code and compiled binaries for common security vulnerabilities and coding errors, so engineers can find weaknesses hidden in legacy code and third-party libraries and fix them early in the development process.
  • Real-Time Threat Detection: Integrations with vulnerability databases provide up-to-date information on newly disclosed vulnerabilities and known exploits, allowing potential risks to be identified and prioritized before they are exploited.
  • Automated Vulnerability Identification: Binary and source code software composition analysis (SCA) identifies vulnerable components as they are introduced across the SDLC, helping teams keep applications secure.
  • Comprehensive SBOM Solutions: Automatically generate a Software Bill of Materials (SBOM) throughout the SDLC and compile detailed information on all components in your products, including open-source libraries, third-party dependencies, and custom code, to improve transparency and surface security risks in your software supply chain.

Strong cybersecurity requires a collective effort. Talk to the team today to discover how Finite State can help you comply with CCPA.