CCPA stands for California Consumers Protection Act 2018. It is the most recent personal data protection law passed by the State of California, aimed to protect the right to privacy of its residents and as a response to the increased role of personal data in contemporary business practices and the personal privacy implications surrounding the collection, use, and protection of personal information.

Speak to an Expert

For more information on how our Briskinfosec penetration testing services can help to safeguard your organisation, call us now on +91 860 863 4123 or request a call back using the form below.

Who should do CCPA Compliance?

The CCPA will apply to for-profit businesses that collect and control California residents' personal information, do business in the state of California, and meet at least one of the following thresholds:

  • Annual gross revenues greater than $25 million
  • Receive or disclose the personal information of 50,000 or more California residents, households, or devices each year
  • Derive 50 percent or more of annual revenue from selling California resident information


Companies already following GDPR guidelines will have a bit of a leg up in becoming CCPA-compliant, since the two privacy measures overlap in certain areas. But meeting all the requirements of the new CCPA standards will still take diligence, even for those already compliant in other areas, and any gaps will carry new consequences.

What are CCPA Requirements?

For businesses that must adhere to CCPA law, compliance breaks down into 5 main requirements:

  • Data inventory and mapping of in-scope personal data and instances of “selling” data
  • New individual rights to data access and erasure
  • New individual right to opt-out of data selling
  • Updating service-level agreements with third-party data processors
  • Remediation of information security gaps and system vulnerabilities

CCPA Penalties and how to avoid them

As with any compliance enforcement, violating the CCPA comes with a price tag. Under Section 17206 of the California Business and Professions Code, penalties are $2,500 for an unintentional violation and $7,500 for intentional violations. The new privacy law will allow individuals to recover between $100 and $750 per incident, or greater if there’s solid evidence that damages exceed $750.

How Does CCPA Work?

Does Your Business Have to Comply with CCPA?

Any for-profit organization doing business in California that collects consumers’ personal data and meets the following qualifiers must comply with CCPA:

  • Has annual gross revenues in excess of $25 million
  • Annually buys, receives for the business’ commercial purposes, sells or shares for commercial purposes, alone or in combination, the personal information of 50,000 or more consumers, households, or devices
  • Derives 50% or more of its annual revenues from selling consumers’ personal information

While the current compliance requirements are limited to California, this new privacy law could signal the beginning of a nationwide change, similar to GDPR regulations in Europe.

How do we differ?

How can Briskinfosec support and help you to comply with CCPA 2020?

Briskinfosec, a global information/cyber security and CERT-IN empanelled organization, will assist you with CCPA compliance requirements so that you protect personal data and honor consumers’ rights as per California privacy law.

The Briskinfosec team will identify any potential gaps between your practices and CCPA requirements, advise on the corrective actions needed to prepare for a CCPA audit, and support you in the future.

Why partner with Briskinfosec for CCPA Compliance?

The Briskinfosec team is knowledgeable and experienced in providing compliance audit, assessment and implementation services that help organizations meet their regulatory compliance requirements, such as PCI DSS, HIPAA, EI3PA, NERC-CIP, NFA, FINRA and GDPR.


Our CCPA Services are

  • CCPA audit and assessment
  • Personal Data Mapping
  • Privacy by Design Program
  • Privacy Impact Assessment
  • Incident and Data Breach response planning
  • Network Penetration Testing
  • Vulnerability Scanning
  • Enterprise Privacy Risk Assessment
  • Personal Data Security Awareness and Training

Will there be any changes to the CCPA before it goes into effect on Jan 1, 2020?

Who does CCPA apply to?

The CCPA applies to for-profit businesses operating in California that collect personal information of California consumers for which any of the following are true:

  • Annual gross revenues over $25 million.
  • Annually buys, receives, sells, or shares personal information of over 50,000 California consumers, households, or devices.
  • Derives at least 50% of annual revenue from selling California consumers’ personal information.

What are the consumer rights conferred by the CCPA?

The CCPA provides the following rights to consumers:

  • The right to know what personal information has been collected.
  • The right to know whether that information has been disclosed or sold.
  • The right to say “no” to the sale of their information (also called “opt out”).
  • The right to request deletion of their personal information.
  • The right to access their personal information.
  • The right to equal service/price when people exercise their privacy rights.

Are there any exceptions or exemptions to the CCPA?

The CCPA could be preempted by a federal law. It does not apply to the following information:

  • Protected or health-related information collected by a covered entity governed by California’s Confidentiality of Medical Information Act, as well as information governed by HIPAA. (Although this exemption is not as broad as it seems, since any “personal information” that isn’t PHI is still subject to CCPA).
  • Sale of personal information from consumer reporting agencies used to generate consumer reports if the use of that information is limited by the federal Fair Credit Reporting Act (FCRA).
  • Information that is collected, processed, sold, or disclosed that is pursuant to the federal Gramm-Leach-Bliley Act (GLBA), if it is in conflict with that act.
  • Information that is collected, processed, sold, or disclosed that is pursuant to the federal Driver’s Privacy Protection Act (DPPA), if it is in conflict with that act.

Some of the proposed amendments, if passed, would also create additional exceptions and exemptions for businesses. Some of these include:

  • Exempting employees from the definition of a “consumer”
  • Providing personal information to a government agency solely for the purposes of carrying out a government program
  • Selling personal information of consumers who have opted out of sale to prevent fraudulent or illegal activity
  • Excluding “publicly available information” from the definition of personal information
  • Removing de-identified or aggregated data from the definition of personal information

Does GDPR compliance cover CCPA compliance?

No. While efforts made to comply with the GDPR may also be leveraged for compliance with the CCPA, the CCPA is not interchangeable with the EU’s data protection regulation. There are differences between the two pieces of legislation and compliance with one does not equate compliance with the other.

How do I achieve compliance?

While we await additional clarification from the Office of the California Attorney General, we recommend focusing efforts around the following proactive measures:

  • Audit, analysis, and assessment – map existing processes and data against CCPA requirements to scope the impact of changes and identify
  • Awareness – drive alignment around the resources and technology, such as a consent management platform, needed to address required changes.
  • Designed future state – create a detailed blueprint for compliance.
  • Operationalization model – transform the blueprint into actionable work streams, to remediate gaps and implement new processes, policies, and tools.
  • Ongoing governance – ensure compliance is monitored and enforced by reviewing all data sources and performing privacy impact assessments, as well as amending contracts as needed.

What if my site or app does not comply with the CCPA?

If a company intentionally violates the CCPA, they will be subject to the maximum civil penalty: $7,500 per violation, per individual. Otherwise, the max penalty is $2,500 per violation, per individual. Additionally, the CCPA entitles consumers to $100-$750 compensation per incident or actual damages, whichever is greater, if a company did not take reasonable security measures in the event of a breach.

My company aggregates data from other sources and we have no control over the policies/sites of our data providers; what are our options?

You will need to review your service agreements with data providers and ensure that they are CCPA compliant. You should ask for evidence (such as screenshots and URLs) from your source providers during the privacy review process to ensure that they collect, process, and share personal data in a compliant manner.

What other privacy regulations are being considered inside the United States?

While the CCPA will be one of the most comprehensive state privacy laws, approximately ten other states, including Hawaii, Maryland, New York, and Washington, among others, are currently proposing laws similar to the CCPA with one recently passing in Maine. Even so, many are similar to the CCPA, and brands and publishers should consider prioritizing compliance with the original due to its outsize footprint with regard to population size.

If each state law passes, marketers will need to maintain compliance in every jurisdiction in which they operate. The fact remains that as additional states create their own privacy laws, compliance becomes increasingly difficult, reiterating the need for federally pre-emptive legislation.
