CCPA

What is CCPA?


The CCPA, or California Consumer Privacy Act, is a state law in California that aims to grant residents control over their personal information collected by businesses. It’s considered one of the most comprehensive data privacy laws in the United States.

The CCPA went into effect on January 1, 2020, and in November 2020, California voters passed the California Privacy Rights Act (CPRA), which amended and expanded the CCPA. The CPRA updates came into effect on January 1, 2023.

The CCPA applies to businesses that collect personal information from California residents and meet one of the following criteria:

  • Have annual gross revenues exceeding $25 million

  • Buy, receive, or sell the personal information of 100,000 or more California residents, households, or devices

  • Derive 50% or more of annual revenue from selling California residents’ personal information


Businesses that meet the above criteria have the following duties:

  • Present consumers with a privacy notice on collection and a privacy notice to opt-out

  • Present consumers with a privacy policy

  • Allow consumers to opt out of the sale or sharing of their personal information

  • Honor opt-out by using universal opt-out mechanisms

  • Honor consumer requests

  • Conduct risk assessments or cybersecurity audits where required

  • Train employees on data privacy


The CCPA, as amended by the CPRA, grants Californian consumers the following rights:

  • Right to know. Consumers can request that businesses disclose what personal information they have collected about them, the categories of information they share with third parties, and the specific purposes for which they use their data.

  • Right to access. Consumers can request to see the actual personal information businesses have collected about them.

  • Right to delete. Consumers can request that businesses delete their personal information from their records.

  • Right to opt-out of sale or sharing of personal information. Consumers can prevent businesses from selling their personal information to third parties.

  • Right to data portability. Consumers can request a copy of their data to transfer to another controller.

  • Right to rectification. Consumers can request businesses to correct their inaccurate personal information.

  • Right to non-discrimination. Businesses cannot discriminate against consumers for exercising their CCPA rights.


MergeBase and CCPA


MergeBase does not meet the thresholds for CCPA applicability, so this law does not apply to us. However, we are striving for the highest standards in data security, so we already meet the security-related requirements.

When it comes to consumer data privacy, complying with the Canadian data protection laws by default means that we already meet the consumer data privacy standards set out by the US states.


How Can MergeBase Help You Comply with the CCPA?


MergeBase is your partner in navigating the complexities of CCPA compliance regarding data security. The California Consumer Privacy Act leaves the interpretation of ‘appropriate data security measures’ open-ended, granting you the flexibility to define what that entails for your organization.

At MergeBase, we understand that this freedom comes with its own set of challenges. That’s why we’re dedicated to supporting your unique security needs. Our approach is comprehensive: we proactively identify potential risks and vulnerabilities, ensuring that your chosen security measures are robust and effective. By reducing your exposure to cyber threats and streamlining your response time to any vulnerabilities, we fortify your defenses, making your data security under CCPA not just compliant but exemplary.