What is CCPA?

The California Consumer Privacy Act (CCPA) is a new consumer protection and data privacy act. It enhances the privacy rights for residents of the state of California in the United States. CCPA becomes effective on January 1, 2020 and enforcement is expected July 1, 2020. 

CCPA bears much similarity to the GDPR. It grants rights to Californian residents such as: 

  • Consumers have the right to be informed of the categories of personal data a business collects about them and to gain access to the personal data a business collects about them, twice a year, free of charge.
  • Consumers have the right to sue for a data breach that results in the theft or unapproved disclosure of certain unencrypted or nonredacted personal data (if the company violated its duty to maintain reasonable security practices to protect the personal data).

Thus, organizations must disclose information about the collection, sale, and disclosure of personal information. 

How to prepare

With a new regulation that potentially affects your entire business and how it operates, there is a lot to learn. Start by taking inventory of what you already have in place, what you are currently planning for, and then how you need to stretch to accelerate your readiness for CCPA. 

Learn how your organization can prepare for CCPA.

Five essential capabilities

There are five essential building blocks to help you manage personal data as you work toward CCPA readiness:

Discovery and mapping

Discovery and mapping is a foundational step where structured, semi-structured and unstructured data is reviewed and classified. It helps define the location and type of personal data that’s stored in your information systems. This step helps you take an inventory of your data, identify the largest areas of risk associated with it and make your data business-ready.

Records of processing

Records of processing can help you document what personal data you hold, how you have captured it, what it’s doing and where it’s stored. A governed catalog of such information can be useful for responding to requests from regulators.

Consumer rights requests

Under CCPA, organizations need to respond to consumer requests regarding the collection, sale and disclosure of personal information within 45 days. A consistent, auditable, enterprise-scale process for all requests, built on a single catalog, policy and set of processing criteria for each consumer, can help you meet your consumer obligations.

Lifecycle management

Organizations must provide a level of data security that is appropriate to the risks they face. Techniques such as minimization, pseudonymization and encryption can help you protect and manage personal information. You can govern the lifecycle of data with archival, records management, and disposal and drive towards data minimization.

Disclosures of personal information

Organizations must disclose information about the collection, sale, and disclosure of personal information, and only use this personal information in accordance with those disclosures. Consumers are empowered to opt out of the sale of their personal data.

Get started on your CCPA journey

Kickstart your transition to CCPA readiness by using takeaways from your existing strategy for regulations like the GDPR. Then create a comprehensive game plan for data privacy regulations rather than taking a fragmented approach.

Take a deeper dive into CCPA and data privacy

IBM Data Privacy Academy

Join this webinar series to see how global data privacy regulations are driving customer engagement, innovation and competitive advantage, and how IBM Analytics solutions provide a key framework to help organizations in this journey.

Drive digital transformation with data privacy

Turn data privacy regulations into a business accelerator and go beyond compliance to gain a competitive advantage.


Notice: Clients are responsible for ensuring their own compliance with various laws and regulations, including the California Consumer Privacy Act and the European Union General Data Protection Regulation. Clients are solely responsible for obtaining advice of competent legal counsel as to the identification and interpretation of any relevant laws and regulations that may affect the clients' business and any actions the clients may need to take to comply with such laws and regulations.

The products, services, and other capabilities described herein are not suitable for all client situations and may have restricted availability. IBM does not provide legal, accounting or auditing advice or represent or warrant that its services or products will ensure that clients are in compliance with any law or regulation.