California Privacy Rights Act (CCPA 2.0)

Salesforce solutions for CCPA and CPRA implementation

Key Considerations

Got golden state data? Your Salesforce may need TLC for California Privacy Rights Act & California Consumer Privacy Act.


A snapshot of Cloud Compliance's Enterprise Data Inventory showing a list of DI Systems including Salesforce, NetSuite, and others

Discover Personal Data

CCPA Governance

Data Inventory and Classification

Track and inventory Personal Data across your enterprise—document data collection and movement for internal and to 3rd parties.

Assess your organization’s posture for CCPA compliance, identify gaps, and mitigate risks. Use our pre-built templates or create custom assessments for your unique requirements.

Automate Privacy Rights

1798.130, 1798.120 (a), 1798.135 (a)

Data Access requests, ‘Do not sell’, Self-serve Privacy center

Enable branded self-service request portal for common Subject Access Requests (SAR) for seamless customer care.

Simplify the logging of SARs, verification process, generation, and delivery. Support multiple regulatory requirements such as offering different Portability documents for GDPR vs CCPA.

Screenshot of a privacy portal setup tool interface from Cloud Compliance
Consent Management interface showing customer support, product recall

Manage Consent​


Manage Opt-in/Outs, Consent and Communication Preferences

Obtain and track Consent to ensure data processing is in compliance with privacy laws. Cloud Compliance offers a full lifecycle, including a self-service capability.

Enable localized consent banners with a description of a consumer’s rights and a clear and conspicuous Do Not Sell link or button.

Manage Communication Preferences and consent in a centralized repository to avoid Consent fragmentation. Integrate consent and communication preferences with Salesforce, Marketing, and other systems.

Minimize Personal Data

CCPA Governance

Data Retention – Automated anonymize and delete

CCPA does not mandate Data retention, but it is the best defense to limit breach exposure

Screenshot of a data selection interface with a 'Welcome' banner and 'Step 1' indicating the process stage
GDPR Privacy Terms Content Management Interface

Manage Policy and Notices


Data Processing Notices, ‘Do not sell’ link

Manage and update policies in Salesforce for multiple regulations, countries, and languages.

Enable localized consent banners with a description of a consumer’s rights and a clear and conspicuous Do Not Sell link.

Disclose privacy notices across websites, mobile apps, and others. Securely collect audit-ready proof of acceptance during customer onboarding and other business processes.

Mask Sandbox Data

CCPA Governance

Pseudonymize or Anonymize Personal Data to prevent Sandbox induced Data Breach

Protect your organization by masking or erasing sensitive data in your sandboxes.


Automate common tasks and sandbox readiness to ensure data hygiene and business usability of data while staying compliant with CCPA security measures for data processing.

Workflow diagram for data preparation with stages: Sandbox Refresh, Data Masking, Post-refresh Automation, and Ready for use.

Why Compliance Matters


Your customer’s privacy is more than a compliance initiative. Privacy is a basic human right that your organizational ethos should align with.


Privacy violations are magnified disproportionately in social media. Bad publicity impacts your company’s leadership, stock price, and financials.


Many organizations have been penalized for their privacy oversights. Regulatory authorities are scaling up faster than the time you may need to design compliance policies.


Building trust in a digital world is difficult enough. Erosion of trust due to unsavoury privacy incidents can permanently damage your business.

Frequently asked questions

What is CPRA?

The California Privacy Rights Act (CPRA) is a state-wide data privacy bill passed into legislation in 2020 – with the goal of safeguarding and protecting the personal data privacy of residents of California.


CPRA results from a ballot initiative supported by a data privacy advocacy group called Californians for Consumer Privacy. CPRA adds more elements to CCPA to make it more comprehensive and far-reaching. CPRA will come into effect from January 1st, 2023.

Does CPRA apply to me?

CPRA applies to your organization if it –

1. Generates 25 Million dollars in gross revenue.

2. Has more than 100,000 consumers in California.

3. Derives more than 50% of the revenue from the sharing of personal data.


If your organization meets the above three criteria, then CPRA would apply irrespective of where your organization is physically located or registered. CPRA does not apply to Non-Profits.

Does CPRA apply to Non-Profits?

No. Non-profits are exempt from CPRA enforcement.

How can I make sure that my Salesforce is CPRA compliant?

CRM systems such as your Salesforce Org may contain personal data of your prospects, customers, employees, and partners.

To ensure CPRA compliance, you can standardize, automate and enforce CPRA-specific requirements with Cloud Compliance’s Apps that are available from AppExchange.


Some common use cases where Salesforce customers use our Apps include:

  • Generate a personal data inventory and conduct Data Protection Impact
  • Assessments (DPIA) (Use our Personal Data Discovery)
  • Automate Data Portability, Right To Be Forgotten (RTBF), and other Subject Access Requests (SAR) (Use our Privacy Rights Automation)
  • Mask Sandbox Data to Enforce Data Security (Use our Sandbox DataMasker)
  • Drive transparency and audit-readiness in your privacy disclosures (Use our Policy & Notice Management)
  • Solve consent fragmentation with an enterprise-wide consent and communication preference repository in your Salesforce org (Use our Consent Management)
  • Orchestrate processing of RTBF & portability DSARs across all Salesforce Orgs (Use MOPS Hub).
What’s the difference between GDPR and CPRA/CCPA?

GDPR is the framework legislation of Europe while CCPA & CPRA are the framework legislations of California.

The essence of both these laws is the same – to protect the data privacy of their respective constituents.

GDPR applies to EU residents while CPRA/CCPA applies to Californian residents. They do differ in terms of their requirements also. Please refer to this short video for additional information.