Privacy Regulation

CCPA/CPRA

California Consumer Privacy Act / California Privacy Rights Act

California, United States
Effective: January 1, 2020
Updated: January 1, 2023

Overview

The California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), provides California residents with rights over their personal information. It requires businesses to disclose data practices, allow consumers to opt out of data sales, and delete personal information upon request. The CPRA strengthened these protections and established the California Privacy Protection Agency.

IAM Requirements

Access Control

  • Implement access controls to prevent unauthorized access to personal information
  • Maintain audit trails of data access and sharing
  • Control access to sensitive personal information categories
  • Implement data retention limits and access expiration

Consumer Rights

  • Identity verification for consumer requests (avoid unauthorized disclosure)
  • Process access requests within 45 days
  • Implement opt-out mechanisms for data sales/sharing
  • Support right to correction and deletion

Data Security

  • Implement reasonable security measures
  • Conduct regular security assessments
  • Contractual security requirements for service providers
  • Breach response and notification procedures

Compliance Checklist

1. Determine applicability based on revenue, data volume, or business activities
2. Update privacy policy with required disclosures
3. Implement 'Do Not Sell or Share My Personal Information' link
4. Establish consumer request intake and response procedures
5. Create data inventory and mapping
6. Review and update service provider contracts
7. Implement recognition of opt-out preference signals
8. Conduct risk assessments for high-risk processing
9. Train customer-facing staff on consumer rights
10. Establish data minimization practices

Penalties for Non-Compliance

Up to $7,500 per intentional violation, $2,500 per unintentional violation

Quick Facts

Region: California, United States
Effective Date: January 1, 2020
Enforcing Body: California Privacy Protection Agency (CPPA) and California Attorney General
