CCPA 2.0 (CPRA) and Your Salesforce Org - Part 2


A plain English guide to the latest additions in the California Privacy Rights Act (CPRA) and their implications for Salesforce orgs.


Salesforce developers, admins, architects, CISOs, and C-suite executives who need to understand the CPRA updates and ensure their organization’s Salesforce implementation remains compliant.


->  Build trust with your customers. Avoid hefty fines and penalties. Future-proof your data privacy practices 

What can you do with it?

  • Classify and protect sensitive data in Salesforce
  • Implement opt-out mechanisms and manual review processes
  • Streamline Right to Be Forgotten requests across your data ecosystem

2 out of 3 Salesforce professionals we speak with don’t know how to make their Salesforce data CPRA compliant. Do you?

Sensitive Data Under the Microscope 🔍

California Consumer Privacy Act (CCPA) / California Privacy Rights Act (CPRA) puts sensitive data front and center. Here’s what you need to know:


CPRA broadens the scope of sensitive data to include:

  • Government IDs (Social Security details, driver’s license, state ID, passport number)
  • Financial info (account details, credit/debit card numbers, access codes)
  • Precise geolocation
  • Race, religion, union membership
  • Private communications content
  • Genetic and biometric data
  • Health information
  • Sexual orientation


  • Strict Controls: Sensitive data in Salesforce now requires tighter access controls and processing limitations. No more free-for-all!


Real-World Example: A healthcare provider using Salesforce must classify patient genetic and health data as sensitive, restricting access and use to comply with CPRA.


Pro Tip: Tools like DataMasker can help you identify and protect sensitive data across your Salesforce sandboxes and environments.

Opt-Out and Profiling: Power to the People 🙋‍♀️🙋‍♂️

Gone are the days of mandatory email opt-ins and unchecked profiling. Under CPRA, customers can:

  • Say No to Automated Decisions: Customers can opt-out of automated decision-making and profiling, especially for sensitive data. 


  • Reject Unwanted Tracking: Those pesky tracking technologies following users across the web? Customers can give them the boot.


  • Right to Correction: Customers can request businesses to correct inaccurate personal information.


  • No Retaliation: Businesses cannot discriminate against customers for exercising their CPRA rights.


Real-World Example: If a bank uses automated credit scoring to reject a loan application, the applicant can request manual review under CPRA.

Right to Be Forgotten: Erasing Data Footprints 🗑️

CPRA expands the Right to be Forgotten (RTBF), requiring businesses to:


  • Delete on Demand: When a customer says “forget me,” you need to erase their data from your Salesforce org. No questions asked.


  • Loop in Third Parties: If you’ve shared customer data with third parties (think analytics firms or vendors), you must notify them to delete it too. No more passing the buck!


Real-World Example: An e-commerce company using Salesforce has to delete a customer’s data from its own systems and ensure any analytics partners do the same when an RTBF request comes in.

Compliance Made Easy: Cloud Compliance Privacy Center

CPRA compliance doesn’t have to be a headache. Tools like Salesforce’s Cloud Compliance Privacy Center can help you:


  • Automate Data Subject Access Requests (DSARs)
  • Streamline data deletion workflows
  • Maintain a clean, compliant Salesforce org


Read more here.

Avoiding Pitfalls: Fines, Contracts, and Exemptions

To stay on the right side of CPRA, keep in mind:


  • Fines: Violations can cost up to $2,500 per incident, or $7,500 for intentional violations. Even higher for kids’ data! (under 16)


  • Vendor Contracts: Make sure your service providers and contractors are CPRA-compliant too. It’s on you to hold them accountable.


  • Exemptions: CPRA doesn’t apply in certain cases, like when you’re required by law to provide info or for medical purposes. Know the exceptions.

TL;DR / Summary:

The CPRA brings key changes to sensitive data, opt-out rights, profiling restrictions, and the Right to Be Forgotten. 


To stay compliant, Salesforce-powered businesses must:

1️⃣ Identify and protect sensitive data

2️⃣ Provide opt-out options and manual review for automated decisions

3️⃣ Promptly honor RTBF requests and notify third parties


Sound daunting? Don’t worry! With the right tools and strategies, you can navigate the CPRA landscape with confidence. 


Automate DSARs, streamline data deletion, and maintain a clean, compliant Salesforce org – all while building trust with your customers. 

By leveraging tools like Cloud Compliance’s Privacy Rights Automation, businesses can confidently navigate the complexities of CCPA/CPRA compliance, ensuring a secure, efficient, and compliant data management process.

Picture of Saurabh Gupta

Saurabh Gupta

Saurabh is an Enterprise Architect and seasoned entrepreneur spearheading a Salesforce security and AI startup with inventive contributions recognized by a patent.

Related Articles