The CCPA and Okta: What you need to know

The California Consumer Privacy Act (CCPA) will take effect in California on January 1, 2020, to strengthen the protection of individuals’ personal information in the face of a rapidly evolving technological landscape and increased interconnectivity between organisations.

Here’s a breakdown of what to expect from the CCPA, and how Okta can help organisations along their CCPA journeys.

What is the CCPA?

The California Consumer Privacy Act is a comprehensive piece of privacy legislation that will require companies to take certain steps to protect the personal information of Californians. Specifically, it focuses on data security obligations, rights for individuals, and increased transparency and accountability for companies regarding the collection, storage, use, or transfer of personal information about California consumers.

Critically, under the CCPA, California defines “personal information” broadly, so that the law generally covers any information relating to an identified or identifiable individual.

Who does the CCPA apply to?

The CCPA applies to any organisation (regardless of where it is located) that processes the personal information of California consumers and satisfies at least one of the following criteria:

  1. Has annual gross revenues in excess of twenty-five million dollars.
  2. Buys, receives, sells, or shares the personal information of 50,000 or more consumers, households, or devices.
  3. Derives 50 percent or more of its annual revenues from selling consumers’ personal information.

What rights are owed to customers under the CCPA?

Depending on their internal processes and procedures, some businesses may have to take steps to adjust their operations to reflect the CCPA’s legal requirements. The rights they must make available to consumers include:

  • The right to know about personal information being collected, disclosed, or sold.
  • The right to request the deletion of personal information.
  • The right to opt out of the sale of personal information.
  • The right to non-discrimination for the exercise of CCPA privacy rights.
  • The right to designate an authorised agent to make a request under the CCPA on their behalf.
  • The right to know if service providers offer any financial incentives tied to the collection, sale, or deletion of consumer personal information.

What types of details do organisations need to disclose to consumers under the CCPA?

The CCPA also requires companies to disclose specific details to consumers, including:

  • A description of the new rights available to consumers.
  • Categories of personal information collected in the last 12 months and the business or commercial purposes for collecting that data.
  • Categories of data sources used in data collection.
  • Categories of third parties with whom businesses “share” personal information.
  • Categories of third parties to whom businesses “sell” personal information.
  • Categories of third parties to whom businesses “disclose for a business purpose” personal information.
  • Specific pieces of personal information collected about a consumer.
  • A link to an opt-out page.

When does the CCPA take effect?

The CCPA becomes operative on January 1, 2020. Although the California Attorney General will not bring enforcement actions until July 1, 2020, businesses may be subject to a private right of action under the law beginning on January 1, 2020.

How can Okta support my CCPA journey?

While Okta is not a silver bullet for CCPA compliance, we are committed to our customers’ success—including facilitating their CCPA compliance efforts.

Do Okta’s customers need to opt out of data sharing with Okta?

No. Customers are permitted to share personal information with service providers like Okta, even when a consumer has opted out of data sharing. We are updating our contracts to reflect this.

Security through Okta

The CCPA requires companies to implement “reasonable security” measures to keep the personal information they hold secure. Okta helps customers meet this reasonable security standard through a wide range of security tools.

For example, Okta customers can monitor access and implement controls amongst their employees to establish a least-privilege access framework. Admins can set strong password and multi-factor authentication (MFA) requirements, check for reused passwords, set up security notifications, and more.

Okta provides a one-stop shop for managing user identities, which customers can configure to meet organisational security needs.
