The California Consumer Privacy Act of 2018 and the California Privacy Rights Act of 2020 are two privacy laws that aim to protect consumers against privacy violations and give them more control over the kind of personal information that businesses and organizations can collect and use from them.

The California Consumer Privacy Act of 2018 

The CCPA was the first-ever privacy law to be implemented in the US. It was introduced on January 3, 2018, and came into effect on June 28, 2018. The Act contains guidance on how data privacy matters must be handled by organizations and businesses and includes the kind of data privacy rights consumers hold against such entities.

The California Privacy Rights Act of 2020

The CPRA, also known as the CCPA 2.0, was introduced due to satisfaction from the outcomes of the CCPA. The 52-page document further builds upon the contents of CCPA and includes laws on the following topics:

  • Data minimization
  • Consumer rights
  • Purpose limitation
  • Sensitive data
  • Data Breaches

The Act was approved on November 3, 2020, and will come into effect on January 1, 2023, replacing the CCPA. All businesses and organizations need to ensure that processes involving consumer data usage conform to these acts. If not, they will be subjected to penalties ranging from $100 to $7500 per violation. 

CCPA and Privacy Compliance

What Type of Organizations Need to Comply With These Acts?

These privacy laws need to be followed by any for-profit organization or business that has an annual revenue of more than $25 million and performs any transactions such as buying, selling, or sharing of personal information of more than fifty thousand consumers each year. It also covers businesses that gain more than 50% of their revenue from selling consumers’ personal information in California.

According to Section 1798.105 of the civil code, the following are some of the rights consumers gain with the CPRA:

  • Right to know the type of personal information being collected by organizations
  • Right to access personal information 
  • Right to ask organizations not to use, share, or sell their personal information
  • Right to delete sensitive information 

CPRA and CCPA Fines

Any organization that does not comply with the CCPA guidelines will be fined based on the violation committed. The CCPA allows a grace period of 30 days after the violation has been declared for businesses to rectify the violation. 

Failure to comply or intentionally violating the laws will lead to civil penalties that depend on the severity of the issue. This grace period is only allowed by the CCPA and not the CPRA. The following are the fines for some of the violations executed by organizations:

  • Any intentional violation of the CCPA leads to a maximum civil penalty of $7500.
  • An unintentional violation of the CCPA has a maximum civil penalty of $2500.
  • Consumers who feel that their data has been violated can file a private lawsuit against an organization for damages between $100 to $750.

The CPRA and CCPA fines mentioned above are for a single violation. The fines add on for every single violation, and the final penalty could be a costly risk for any business. Reviewing the privacy laws and ensuring that your organization complies with them is important to avoid these fines. 

How to Avoid CCPA and CPRA Fines?

Here are some ways in which organizations can ensure compliance with privacy laws:

Automate Data Mapping Process

One of the most important data subjects rights involves organizations providing consumers with information regarding what type of personal information is used, where it is used, and how it is used. With the huge amount of data processed every day, organizations must automate data mapping processes so that consumers can gain access to the information requested easily.

Secuvy’s DSAR (Automated Data Subject Access Requests) Automation helps simplify the process in the following ways:

The easy to use platform helps businesses via

  • Automating data subject requests
  • Link the correct personal and sensitive data to each of the data requests automatically 
  • Create simple privacy workflows to collaborate with different stakeholders 
  • Share personal data through a secure potential
  • Use a centralized database to manage data subject requests 

Manage Consent Compliance

The CPRA gives greater control to consumers by allowing them to reject companies and organizations from using any or all of their personal and sensitive data for the purpose of buying, selling, or sharing it. Consumers may change their consent preference from time to time based on their preference.

Organizations can easily comply with these changes using a Consent Management Solution. The following are a few benefits of Secuvy’s Consent Workflows:

  • Allow consumers to control and update any consent preferences based on the type of vendor or data category.
  • Allow organizations to create custom consent banners to match the brand’s website.
  • Allow organizations to easily manage data deletion privacy requests by enabling consumers to gain access and delete data based on their preferences.

Reduce Data Breach Risks

The personal data collected from consumers can include sensitive data such as identifiers (name, address, passport number, etc.), customer records information (signature, social security number, bank details, etc.), biometric information, professional information, etc. This information can be used for nefarious purposes and hence needs to be protected to ensure consumer and employee privacy.

Secuvy’s Privacy Risk Assessment Solution allows organizations to identify, prioritize and mitigate any type of data risk, including data breaches. Data discovery provides an overview of any potential data risks the organization might encounter and helps it find the right solution for the same.


The CCPA and CPRA can be difficult to comply with if the right tools are not used. Use Secuvy’s Platform services to automate data mapping, classification, manage risks, handle consumer rights, and avoid the liability of paying fines for privacy violations.