CCPA Compliance Services

CCPA Compliance Consulting

The California Consumer Privacy Act gives California residents rights over their personal information and places significant obligations on businesses that collect it. CPRA amendments strengthened enforcement and added new requirements. garrisonOne helps businesses understand their CCPA obligations, implement required controls, and build a privacy program that satisfies California law.

  • $7,500: maximum penalty per intentional violation
  • 45 days: consumer request response window
  • CPRA: 2023 amendments now in force
  • California: consumers with wide impact
CCPA Applicability Assessment

CCPA applies to businesses that collect California consumers' personal information and meet specific revenue, data volume, or data sale thresholds. We assess whether your organization is subject to CCPA, determine which CPRA amendments apply, and define the scope of personal information your program must cover.

Data Inventory & Mapping

CCPA compliance requires knowing what personal information you collect, where it comes from, how it is used, and who you share it with. We conduct a data inventory and mapping exercise that identifies every personal information data flow and documents the business purpose for each category.

Privacy Policy & Notice Development

CCPA requires a privacy policy that discloses categories of personal information collected, purposes of collection, consumer rights, and how to exercise them. We draft CCPA-compliant privacy notices, collection notices, and the Do Not Sell or Share opt-out mechanism required by the law.

Consumer Rights Request Processes

CCPA grants consumers the rights to know, delete, correct, and opt out of the sale or sharing of their personal information. We design and implement the processes, forms, and workflows required to receive, verify, and fulfill consumer rights requests within the statutory timeframes.

Vendor & Service Provider Contracts

CCPA requires specific contract provisions with vendors and service providers that process personal information on your behalf. We audit your vendor contracts, identify missing CCPA provisions, and provide updated data processing agreement language.

CPRA Compliance & Ongoing Program Management

The CPRA amendments added sensitive personal information requirements, cybersecurity audit obligations, and a new enforcement agency (CPPA). We assess CPRA obligations specific to your business and build the ongoing program management processes needed to maintain compliance as the law evolves.

What Makes Us Different From Others

CCPA Compliance Consulting
  • CPRA Updated Expertise: We implement against CPRA as amended, covering sensitive personal information, opt-out preference signals, and CPPA regulatory guidance, not just the original 2020 CCPA.
  • Data Mapping First: CCPA compliance requires knowing your data flows before implementing any control. We do the data inventory properly, talking to each business unit rather than just reviewing IT architecture diagrams.
  • Consumer Rights Fulfillment Process Design: Most CCPA programs have the privacy policy right but the fulfillment process wrong. We design operationally realistic processes that can actually be executed within the 45-day response window.
  • Cross-State Privacy Law Coordination: Organizations subject to CCPA are often also subject to VCDPA (Virginia), CPA (Colorado), and other state privacy laws. We build programs that address multiple state laws simultaneously where possible.
  • Security Controls Included: CCPA and CPRA require reasonable security for personal information. We include a security assessment and recommendations as part of every CCPA engagement.

Client results

See how we have helped

Technology / SaaS

SaaS Startup — AWS Security Hardening

A seed-stage SaaS startup had customer data in a public S3 bucket. garrisonOne conducted a full AWS security assessment against CIS benchmarks and hardened the environment in 4 weeks.

  • 3 public S3 buckets closed
  • 19 overprivileged IAM roles fixed
  • 100% security review passed

Frequently asked questions

Who is subject to the CCPA?

CCPA applies to for-profit businesses that do business in California and meet any one of three thresholds: they have annual gross revenues exceeding $25 million; they annually buy, receive, sell, or share the personal information of 100,000 or more California consumers or households; or they derive 50% or more of their annual revenue from selling California consumers' personal information.

What rights do consumers have under CCPA?

California consumers have the right to know what personal information is collected about them; the right to delete personal information; the right to correct inaccurate personal information (added by CPRA); the right to opt-out of the sale or sharing of personal information; the right to limit use of sensitive personal information (added by CPRA); and the right to non-discrimination for exercising these rights.

What is the difference between CCPA and CPRA?

The California Privacy Rights Act (CPRA) amended and strengthened the CCPA, effective January 1, 2023. CPRA added new rights (correction, limit sensitive PI use), created a new enforcement agency (California Privacy Protection Agency), added sensitive personal information as a distinct category with additional protections, and strengthened enforcement mechanisms.

What are the penalties for CCPA violations?

Intentional CCPA violations can result in civil penalties of up to $7,500 per violation. Unintentional violations face penalties of up to $2,500 per violation. In the case of data breaches involving certain categories of personal information, consumers have a private right of action for statutory damages between $100 and $750 per consumer per incident, or actual damages if higher.

Does CCPA apply to employee data?

The CPRA amendments ended the employee and B2B exemptions that existed under the original CCPA. As of January 1, 2023, California employees and job applicants have full CCPA rights over their personal information collected by employers. Organizations must extend their consumer-facing privacy practices to cover employment data.

How long does CCPA compliance take?

Organizations with no existing privacy program typically need eight to sixteen weeks to achieve initial CCPA compliance: data inventory, policy development, rights fulfillment process design, and vendor contract updates. Organizations with existing GDPR programs can often adapt those to meet CCPA requirements in four to six weeks.

Ready to Strengthen Your Cybersecurity Posture?

Get a free 30-minute consultation with a garrisonOne expert.

No obligation: just clarity on your next step.