Overview
Direct Answer
The California Consumer Privacy Act (CCPA) is a state-level privacy statute enacted in 2018 that grants California residents explicit rights over their personal information held by for-profit businesses. It mandates transparency in data collection, establishes consumer access and deletion rights, and requires opt-out mechanisms for data sales.
How It Works
The law operates through four primary consumer rights: access (right to know what data is collected), deletion (right to request erasure), opt-out (right to prevent sale or sharing of personal information), and non-discrimination (right to equal service despite privacy choices). Organisations must disclose privacy practices in accessible privacy notices and respond to verified consumer requests within 45 days, with limited exemptions for legally required retention.
Why It Matters
Compliance failure exposes organisations to statutory penalties of up to $2,500 per unintentional violation or $7,500 per intentional violation, enforced by California's Attorney General and private litigants. The law has prompted widespread adoption of privacy management infrastructure, data inventory processes, and consent platforms across industries serving California residents, establishing a de facto standard for US privacy regulation.
Common Applications
Technology companies, retail organisations, financial services firms, and healthcare providers have implemented data governance frameworks, automated consent management systems, and customer data platforms to satisfy CCPA requirements. E-commerce platforms and SaaS providers routinely integrate privacy request workflows and data subject access tools into their operations.
Key Considerations
The law applies only to California residents and businesses meeting specific revenue or data-processing thresholds, creating compliance complexity for multi-state operations. Tensions exist between consumer rights and business utility of data, particularly regarding the definition of 'personal information' and exemptions for employee and business-to-business contexts.