CCPA/CPRA

Salesforce solutions for CCPA implementation


Key Considerations

Got golden state data? Your Salesforce may need TLC for California Privacy Rights Act & California Consumer Privacy Act.

Discover Personal Data

CCPA Governance
Data Inventory and Classification

Track and inventory personal data across your enterprise. Document data collection and movement, both internally and to third parties.

 

Assess your organization’s posture for CCPA compliance, identify gaps, and mitigate risks. Use our pre-built templates or create custom assessments for your unique requirements.

Automate Privacy Rights

1798.130, 1798.120 (a), 1798.135 (a)
Data Access requests, ‘Do not sell’, Self-serve Privacy center

Enable a branded self-service request portal for common Subject Access Requests (SAR) for seamless customer care.

 

Simplify SAR logging, verification, generation, and delivery. Support multiple regulatory requirements, such as offering different portability documents for GDPR vs CCPA.

Manage Consent

1798.135.(1)(2)
Manage Opt-in/Outs, Consent and Communication Preferences

Obtain and track Consent to ensure data processing is in compliance with privacy laws. Cloud Compliance offers a full lifecycle including a self-service capability. 

 

Enable localized consent banners with a description of a consumer’s rights and a clear and conspicuous Do Not Sell link or button.

 

 

Manage Communication Preferences and consent in a centralized repository to avoid Consent fragmentation. Integrate consent and communication preferences with Salesforce, Marketing, and other systems.

Minimize Personal Data

CCPA Governance
Data Retention – Automated anonymization and deletion

CCPA does not mandate data retention, but it is the best defense to limit breach exposure.

Manage Policy and Notices

1798.135.(1)(2)
Data Processing Notices, ‘Do not sell’ link

Manage and update policies in Salesforce for multiple regulations, countries, and languages.

 

 

Enable localized consent banners with a description of a consumer’s rights and a clear and conspicuous Do Not Sell link.

 

Disclose privacy notices across websites, mobile apps, and other channels. Securely collect audit-ready proof of acceptance during customer onboarding and other business processes.

Mask Sandbox Data

CCPA Governance
Pseudonymize or anonymize personal data to prevent a sandbox-induced data breach

Protect your organization by masking or erasing sensitive data in your sandboxes.

 

Automate common tasks and sandbox readiness to ensure data hygiene and business usability of data while staying compliant with CCPA security measures for data processing.


Why compliance matters

Ethics

Your customer’s privacy is more than a compliance initiative. Privacy is a basic human right that your organizational ethos should align with.

Trust

Building trust in a digital world is difficult enough. Erosion of trust due to unsavory privacy incidents can permanently damage your business.

Embarrassment

Privacy violations are magnified disproportionately on social media. Bad publicity impacts your company’s leadership, stock price, and financials.

Fines

Many organizations have been penalized for their privacy oversights. Regulatory authorities are scaling up faster than the time you may need to design compliance policies.


FAQs

What is CPRA?

The California Privacy Rights Act (CPRA) is a state-wide data privacy bill passed into legislation in 2020 – with the goal of safeguarding and protecting the personal data privacy of residents of California.

 

CPRA is the result of a ballot initiative supported by a data privacy advocacy group called Californians for Consumer Privacy. CPRA adds more elements to CCPA to make it more comprehensive and far-reaching. CPRA will come into effect on January 1st, 2023.

Does CPRA apply to me?

CPRA applies to your organization if it –

1. Generates 25 Million dollars in gross revenue.

2. Has more than 100,000 consumers in California.

3. Derives more than 50% of the revenue from the sharing of personal data.

 

If your organization meets the above three criteria, then CPRA would apply irrespective of where your organization is physically located or registered. CPRA does not apply to Non-Profits.

Does CPRA apply to Non-Profits?

No. Non-profits are exempt from CPRA enforcement.

How can I make sure that my Salesforce is CPRA compliant?

CRM systems such as your Salesforce Org may contain personal data of your prospects, customers, employees, and partners.

To ensure CPRA compliance, you can standardize, automate and enforce CPRA-specific requirements with Cloud Compliance’s Apps that are available from AppExchange.

 

Some common use cases where Salesforce customers use our Apps include:

  • Generate a personal data inventory and conduct Data Protection Impact Assessments (DPIA) (Use our Personal Data Discovery)
  • Automate Data Portability, Right To Be Forgotten (RTBF), and other Subject Access Requests (SAR) (Use our Privacy Rights Automation)
  • Mask Sandbox Data to Enforce Data Security (Use our Sandbox DataMasker)
  • Drive transparency and audit-readiness in your privacy disclosures (Use our Policy & Notice Management)
  • Solve consent fragmentation with an enterprise-wide consent and communication preference repository in your Salesforce org (Use our Consent Management)
  • Orchestrate processing of RTBF & portability DSARs across all Salesforce Orgs (Prod. link).

What’s the difference between GDPR and CPRA/CCPA?

GDPR is the framework legislation of Europe while CCPA & CPRA are the framework legislations of California.

 

The essence of both these laws is the same – to protect the data privacy of their respective constituents.

 

GDPR applies to EU residents, while CPRA/CCPA applies to California residents. The two also differ in their requirements. Please refer to this short video for additional information.

Do you have any additional resources?