CCPA Compliance Guide

California Consumer Privacy Act

The World is Digital

Being connected is now a basic need. The internet is used for work, to get food delivered, shop, check the news – everything can be done online. This virtual dependency brings up new issues – most notoriously, data privacy.

Cybersecurity went from being a conversation topic by IT teams to headlining the most popular news channels, especially when enormous data breaches affect hundreds of millions of people, such as the Capital One and Equifax cases.

Since the United States Federal Government has not been able to draft a federal statute on data privacy, the states have created their own legislation. On June 28, 2018, California passed the CCPA (California Consumer Privacy Act).

The bill, which became effective on January 1, 2020, covers the protection of data and privacy rights of the residents of California. Businesses now might be liable for misuse of customers’ data, and hefty fines are expected to be handed down to offenders.

What is CCPA?

CCPA will grant Californians an array of rights with regard to their personal data, including but not limited to access to their information being collected, the right to delete their data, the right to opt-out of the sale of their data, and children-specific rights.

The primary purpose of CCPA is to force companies to handle customers’ private information better. Consumer data is described as “any information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.”

Does my company need to comply with CCPA?

Organizations subject to CCPA are for-profit companies that collect personal information and do business in California, whether physically or through digital means.

Companies must also satisfy one of the three following statements:


  • Have gross annual revenues of $25 million or more
  • Receive, possess, or sell the personal information of 50,000 or more Californian consumers, households, or devices
  • Earn more than half of their annual revenue from selling consumers’ personal information

Consumer Rights Under CCPA

There are six main areas in which a consumer is protected under CCPA.
  1. The right to notice – A business must notify the consumer, either at or before the point of data collection, that they will collect personal information, as well as disclosing the categories of personal information that will be collected, and what that information will be used for.
  2. The right to access – Users will have the right to request access to their collected personal information. Businesses must hand over the information within 45 days, free of charge. Companies must honor said requests up to two times in a twelve-month period.
  3. The right to opt-out – Consumers will have the right to opt-out of the sale of their information to third parties. Companies must provide a clear link on their website and privacy policy entitled “Do Not Sell My Personal Information” by January 1, 2020. Companies must wait 12 months after the completion of the opt-out process to invite consumers to opt-in again.
  4. Children’s rights – Children under 16 must provide their express consent for companies to sell their data (children under 13 must have their parents’ explicit consent). Ignoring age when collecting data cannot be used as an excuse to sell children’s data without consent.
  5. The right to request deletion – Companies must grant consumers’ wish to have their data deleted. There are, however, exceptions to the rule. Companies are not obliged to delete data that was not collected by the company itself, if the data is kept for security reasons, is needed for legal claims, or similar purposes.
  6. The right to equal services and prices – Consumers must be treated equally even if they have exercised their CCPA rights. This encompasses changing prices, providing different quality of service, or suggesting that better services or prices could be given in exchange for data.


Here’s a quick comparison of the differences between the CCPA and the General Data Protection Regulation (GDPR), which went into effect in 2018 in Europe:


CCPA

  • Residents and households in California, USA.
  • Businesses must inform consumers about the categories of personal information collected and their intended use, but data capture can be done without consent.
  • There are no direct security measures imposed by the CCPA in terms of handling consumer data.
  • The CCPA doesn’t cover data rectification in case of inaccuracies or discrepancies.
  • Fines range from $100 to $750 per record per breach. Non-intentional violations can cost up to $2,500 and intentional violations up to $7,500, per instance.

GDPR

  • All citizens in the European Union.
  • Companies must acquire affirmative consent for any data captured.
  • The GDPR requires data controllers and processors to take technical measures to ensure a level of security when it comes to data protection.
  • The GDPR grants customers the right to correct inaccurate or incomplete personal data.
  • Non-compliance can cost a company up to 4% of the company’s annual global revenue or 20 million euros, whichever amount is higher.

The Importance of Being Prepared

Protect your company’s reputation – Data breaches are bad for business, and running into problems with your customers is about the last thing any company wants. CCPA allows customers who had their data compromised to sue the breached companies even without proof of damages. Getting into a lawsuit over a data security issue could damage your company’s public standing, both financially and in press coverage.

Avoid costly fines – If a company is the victim of data theft, they may sustain fines ranging from $100 to $750 per California resident record stolen, or actual damages, whichever is greater. This doesn’t include any other relief pay that a court deems proper. The costs involved with intentional non-compliance are as high as $7,500 per violation. For unintentional CCPA-related violations, the maximum fine can reach up to $2,500 per violation.

Strengthen data protection policy – Companies must take preventive measures to avoid data leakage and breaches. Businesses are responsible for the safety of their customers’ information and CCPA will ensure that with strict rules and hefty fines.

Don’t wait to be fined for your company to develop a data security policy.

While CCPA doesn’t provide explicit guidance on what you need to do to be safe from penalties, incorporating the latest security technologies to safeguard your company against hackers is a significant first step.

2FA as a Security Solution

Two-factor authentication (2FA) is a practical and lower-cost option to ensure the safety of your consumers’ data.

However, it has known vulnerabilities and may not be enough to protect your company from breaches and other malicious attacks.

A recent example is the case of Twitter CEO Jack Dorsey, whose account was compromised in August 2019. If a top tech CEO aware of security threats can be hacked, what does that say about that security system?

2FA solutions that use SMS are not secure. The National Institute of Standards and Technology (NIST) pronounced the practice of SMS-based 2FA “dead” way back in 2016.

More secure methods of 2FA include Yes/No questions, PINs, and your device’s biometrics, such as TouchID, FaceID, or Android FingerPrint.

These are more secure in that the authentication request is sent directly to a device rather than a phone number, which can be easily compromised through simple attacks, such as SIM swapping.

Biometrics: A Path to CCPA Compliance

Passwords have been unreliable and insecure for thousands of years. The astonishing fact that 81% of data breaches involve a stolen or a weak password should settle any debate.

The first evolution of passwords resulted in insecure SMS-based 2FA. Since then, many governmental agencies such as NIST and the FBI have discouraged its use. The next evolutionary step was Secure 2FA, which makes it harder for hackers to intercept the 2FA signal while in transit. Despite its efficacy, secure 2FA is not bullet-proof.

Anti-spoofing biometrics is a nearly-impossible-to-breach solution. It does not require the user to memorize a password or to have their cellphone with them at all times. Granting access is as simple as taking a selfie, showing your palm, or saying a few numbers out loud. Most importantly, biometrics are extremely hard to duplicate, and advanced systems can detect whether the biometric sample provided is from a live person or a hacker.

Biometric systems help enterprises avoid CCPA fines in two major ways:

  1. Avoiding a breach – Data breach fines can quickly reach millions of dollars. On top of that, a breach will be an open invitation for your consumers to sue your company, since no proof of damages must be shown by the plaintiff. Being proactive and adding biometric systems to your enterprise is a win-win solution — your company will avoid fines, and your customers’ data will be safe.
  2. Low cost of user support – Under CCPA, consumers may ask companies twice in a 12-month period to have access to their stored personal information. Making sure your company is handing over personal information to the correct person is crucial. With biometrics, you can rely on identity proofing to verify a person’s identity. For instance, ImageWare’s ImageWare Authenticate is a turnkey solution where users just need to take a picture of their driver’s license, passport, or any other valid ID and provide a selfie to authenticate their identity.

Prepare for CCPA with ImageWare’s Solutions

ImageWare’s Secure 2FA, MFA, and biometric solutions are the key to secure your business from the vast majority of data threats. Whichever industry you’re in, ImageWare’s Digital Identity Platform can help secure your organization.

Below are ImageWare’s three pillars for doing business – the representation of our promise to our customers.


  • All operating systems covered: Windows, Mac, Linux, Android, and iOS.
  • Multiple biometric and non-biometric solutions: face, fingerprint, palm, voice, iris, PIN, Yes/No Question, and more.
  • Quick turnkey or customizable solutions.
  • Future-proof solutions: ready to grow with your business, prepared to authenticate 100 users today and 100 million tomorrow.
  • Proven government-level security for the enterprise.

Ethically Secure

  • ImageWare focuses on securing the whole authentication system, from onboarding to capturing to transit to storing – not only the exciting UX features used to sell you the solution.
  • Unless specifically requested, ImageWare does not store your biometric images. We store biometric templates, which are mathematical representations of your biometric sample. Even if compromised, ImageWare’s biometric templates would be completely useless since they are virtually impossible to reverse-engineer.
  • Biometric and personal information are stored in multiple different locations. If compromised, single pieces of data alone are useless to any hacker.
  • Irrespective of new government regulations, ImageWare’s culture includes a moral and ethical responsibility for protecting the privacy of individuals and cybersecurity for enterprises and government agencies.


  • The user experience is at the center of everything we do.
  • Frictionless solutions: the user is not required to perform unnatural movements or be subject to flashing lights.
  • Every biometric modality available to best satisfy your needs.
  • Pedigree of innovation: almost 30 patents worldwide.

Schedule a time to talk about your CCPA compliance needs with one of our solutions experts.

Disclaimer: Note that the information contained in this and subsequent materials is meant to serve only as a guide. ImageWare cannot be held liable for any issues that arise from actions based on the use of this information. For official CCPA matters, please consult with your legal team.
