Prepare your organization for the CCPA

What you need to know to start your CCPA journey

Starting on January 1, 2020, a new landmark privacy law, the California Consumer Privacy Act of 2018 (CCPA), will take effect. Although there is no “silver bullet” for CCPA compliance, the Okta Identity Cloud provides comprehensive privacy and security protections that can assist our customers with their efforts to comply with the CCPA.

Please note that the content on this page (including links) is not legal advice and is only provided for informational purposes. For legal advice, you’ll want to consult with your own organization’s legal team.

What is the CCPA?

The state of California’s CCPA is the first comprehensive privacy law in the United States. It arose, in large part, as a reaction to the increased cultural awareness around data and to strengthen the protection of individuals’ personal data in light of the rapidly-evolving technological landscape, increased interconnectivity and globalization, and more elaborate transfers of personal data between companies. 

The CCPA introduces specific new changes for companies with regard to their obligations around personal information. These fall within three main categories: data security obligations, rights for individuals, and increased transparency and accountability for companies regarding their collection, storage, use, or transfer of personal information about California consumers.

Who does the CCPA apply to?

Any organization (regardless of where it is located) that processes the personal data of California consumers needs to comply with the CCPA if they fall within the law’s scope. That is, if they meet at least one of the following criteria: 

1. Has annual gross revenues in excess of twenty-five million dollars.
2. Buys, receives, sells, or shares the personal information of 50,000 or more consumers, households, or devices.
3. Derives 50 percent or more of its annual revenues from selling consumers’ personal information.

Critically, under the CCPA, California defines “personal data” broadly, so that the law generally covers any information relating to an identified or identifiable individual.

Can Okta support my CCPA journey?

Yes. The CCPA requires companies to implement “reasonable security” measures, including to secure account credentials. As part of your organization’s CCPA compliance journey, you can use Okta to configure your security policies, such as by implementing access management controls appropriate for your organization and leveraging features such as multi-factor authentication to help meet the reasonable security standard based on the organization’s particular needs.

Okta as a service provider

As a service provider to our customers, Okta limits how it can use Customer Data in its contracts. For example, in our Master Subscription Agreement and Data Processing Addendum, Okta promises not to retain, use, or disclose Customer Data for any purpose other than providing the Service. Similarly,  Okta does not sell Customer Data.

Service provider requirements

The CCPA requires service providers to adhere to use and disclosure limitations as well as return or delete data at the end of an engagement. Okta describes how it adheres to these requirements through its contracts with customers.

Use limitations
Under the CCPA, service providers can only use personal information to the extent necessary to perform the services described in the contract between the business and service provider. Service providers are not permitted to otherwise sell or use personal information outside of the agreed-upon business relationship.  

Disclosure limitations
Service providers are required to keep personal information they receive from a business confidential.

Return or deletion of data
Service providers must delete or return data at the end of the engagement with the business.

More information

Additional information about our assurances to customers are available in our Master Subscription AgreementData Processing Addendum, and in our Trust and Compliance Documentation