

How Varonis Helps with the California Consumer Privacy Act (CCPA)


The California Consumer Privacy Act (CCPA) is set to go into effect on January 1, 2020. It not only gives ownership and control of personal data back to the consumer but holds companies accountable for protecting that data.

What is the California Consumer Privacy Act?

The CCPA gives California residents four basic rights in relation to how companies collect and store their personal information:

  • Transparency: the right to know what personal information a company is collecting about them, where that data came from (including third parties), how it’s used, whether it’s being sold, and with whom it’s being shared. This will likely be disclosed via privacy policies (that will be updated at minimum once a year) and on-demand via consumer request.
  • Opt-out: the right to refuse a company the ability to sell their personal data to third parties.
  • Right to be forgotten: the right to have a company delete their personal information.
  • No penalties for privacy: the right to receive equal service and pricing from a company, regardless of whether or not they exercise their privacy rights.

The CCPA requires that companies are able to identify what personal data they’re collecting from individuals, define why they’re collecting the data, and disclose how that data is used.

They’ll need to be able to delete or quarantine that information – and in a relatively short amount of time: companies will need to disclose any requested information within 45 days of the original request.

The CCPA underscores that security of consumer data is a priority, requiring companies to “safeguard California consumers’ personal information and holding them accountable if such information is compromised as a result of a security breach arising from the business’s failure to take reasonable steps to protect the security of consumers’ sensitive information.”1

How does the California Consumer Privacy Act define personal information?

The CCPA takes a broader definition of what constitutes personal information than many regulations, including the GDPR, which will likely have significant effects on business models from targeted advertising to data brokerage.

Broadly, it’s defined as information that can be used to identify a specific individual.

That includes not only personal identifiers like name, email address, postal address, IP address, license number, etc., but extends to biometric data, browsing history, geolocation, and more. The CCPA even includes any inferences drawn from any of the aforementioned data in the definition of personal information.

Who will be held accountable?

  • For-profit companies that collect California residents’ personal information
  • Companies that do business in the State of California,
  • and:
    • have annual gross revenues in excess of $25 million;
    • or receive or disclose the personal information of 50,000 or more California residents, households or devices on an annual basis;
    • or derive 50 percent or more of their annual revenues from selling California residents’ personal information.

What are the penalties?

Companies that don’t comply may be liable for penalties enforced by the California attorney general: up to $2,500 per violation that isn’t addressed within a 30-day window, and/or up to $7,500 per intentional violation.

Additionally, consumers have a right of action (private claim or class action) if their personal information is compromised in a data breach, no proof of harm necessary.

How does Varonis help with the CCPA?

In order to comply with the CCPA, companies need to be able to identify and discover personal information, fulfill data subject access requests, and protect consumer data:

  • Automatically discover and classify CCPA affected data
    Varonis can automatically discover, identify, and classify CCPA eligible data on-premises and in the cloud, and gives context around that data – so that you can more easily locate personal information, create reports with advanced classification criteria, and remediate security vulnerabilities.
  • Fulfill data subject access requests
    Search for data related to a data subject to fulfill public access requests: Varonis helps you locate relevant files, pinpoint exactly who has access, and enforce policies to move, quarantine, or delete personal information.
  • Protect consumer data
    Varonis protects data first, not last: combining data classification and access governance with UEBA and security analytics. With Varonis, companies can not only identify and monitor consumer data, but track who’s accessing it, spot unusual activity, and report on suspicious behavior on regulated and sensitive data.
  • Build a CCPA security policy to meet compliance
    Varonis helps companies build and enforce a data-centric security policy to help meet compliance, protect sensitive data, and prepare for the CCPA.

Varonis helps companies meet CCPA compliance requirements and build a unified data security strategy to protect consumer data.

Are you ready for the CCPA? Get a 1:1 demo and see how Varonis can help you discover, manage, and protect your CCPA data.


Sarah Hospelhorn


Based in Brooklyn, NY, Sarah focuses on the strategy behind solving problems in data security. She’s been in tech for over 20 years, with experience in software, hardware, and cryptography.

