What is California Consumer Privacy Act (CCPA)

California approved AB 375 in late June 2018, a consumer privacy act that might have a more significant impact on U.S. businesses than the European Union's General Data Protection Regulation (GDPR), which went into effect in May 2018. Some of GDPR's more demanding rules, such as the 72-hour timeframe in which a corporation must notify a breach, are not included in CCPA law. However, it goes considerably beyond in other aspects.

The CCPA Law has significant consequences for how banks, fintech firms, and financial services companies conduct their AML/CFT duties since it entails regulating personal data.


What is CCPA?

The California Consumer Privacy Act (CCPA) is a state act aimed at improving rights to privacy and consumer protection for California, United States residents. The CCPA Law aims to offer California residents control over their data by establishing the following rights:

  • The right to know what private information about the citizen is being gathered.
  • The right to know if and to whom personal information is sold or shared.
  • The ability to refuse the sale of personal information.
  • The right to view their personal information.
  • The right to equal service and pricing, even if they use their privacy rights.

California law requires businesses to include a form (Section 1798.135) on their websites that allow customers to opt-in or opt-out of data sharing. Consumers have a right to take legal action if they cannot learn how their data was gathered or obtain copies of that information.


What is Personal Data Under CCPA?

Personal information refers to, depicts, is fairly capable of being connected with, or may reasonably be linked to a specific consumer or household, directly or indirectly. Names, addresses, social security numbers, driver's licenses, location data, sensitive information about personality attributes, religious or political beliefs, sexual preference, web activity such as browser history, IP addresses, and other information are all included.

Consumer Rights Under CCPA

CCPA compliance is essential to ensure that your company has the required policies and procedures to respect fundamental rights. With CCPA regulations, consumers now have the following rights:

  • Ask about the personal information acquired by corporations and what they do with it.
  • Refuse to enable personal information to be sold or shared for commercial reasons.
  • Sue Companies that violate the CCPA or have data breaches.
  • Have access to and download their data.
  • Demand that any personal information acquired from them be deleted.
  • Require parental or guardian consent before collecting or selling data from children under the age of 13.
  • Exercise their rights without fear of discrimination.

Who Needs to Comply With the CCPA?

Any firm that collects information on California residents should research the CCPA compliance checklist. When two requirements are met, a business is bound to comply with CCPA regulations:

  1. The company gathers personal information from California residents.
  2. The company (or its parent company or a subsidiary) meets at minimum one of the following three thresholds:
  • The  company gathers personal information on at least 50,000 California residents, households, or devices.
  • Selling information on California citizens generates 50% or more of the company’s annual income.
  • The company’s yearly gross revenue is more than $25 million.

The CCPA does not apply to the following:

  • Health care providers and insurers that HIPAA already protects.
  • Financial institutions that the Gramm-Leach-Bliley Act regulates.
  • Credit reporting agencies that are managed by the Fair Credit Reporting Act.


importance of conducting Anti-Money Laundering Risk Assessments and its help identifyingand mitigate financial crimes


How to Comply With the CCPA?

When it involves cybersecurity, CCPA compliance can be complicated and perplexing, but specialists who are knowledgeable about the procedure can provide the needed guidance to make sure that each step is taken correctly. Businesses may assure CCPA compliance by taking six simple steps:

  • Assign a team or individual to be in charge of data privacy. This position should be focused on CCPA, as well as other compliance requirements, as well as cybersecurity and data protection.
  • Inventory data to identify what has been collected and needs to be secured. Recognizing how data is obtained and transferred from one system to another gives a clear direction for putting cybersecurity precautions in place.
  • Conduct a risk assessment. The company will find data and systems that contain this data throughout the risk assessment to develop solutions that integrate unknown infrastructure.
  • Develop and implement data-protection tools. These tools might be third-party implementations or proprietary code used to provide data access controls.
  • Establish policies and control over data. These rules should monitor customer data reduction and monitoring, vendor access, and supply-chain risk management.
  • Create an audit log of all data privacy policies and procedures. By using auditing and policy trails, you may analyze your policies and highlight lessons learned to enhance them in the future.


Penalties Under the CCPA

If a company fails to acknowledge an alleged violation within 30 days of being notified, it violates the CCPA. Any corporation that violates the CCPA may face a fine of up to $2,500 for each accidental violation and $7,500 for each intentional violation.

Consumers whose data is "subject to an unauthorized access and exfiltration, theft, or disclosure" due to a business' CCPA violation can claim $100-$750 in damages, or the amount of actual damages, whichever is larger.

AML Exemptions and the California Consumer Privacy Act

The California Consumer Privacy Act's emphasis on personal data protection contrasts with many of the AML methods used by banks and financial services corporations to combat money laundering and terrorist funding. Firms that comply with the CCPA may be able to avoid disclosing sensitive personal data sought by a variety of critical AML/CFT regulations.

Because their services frequently entail acquiring personal information via IP addresses, browsing history, or geolocations, fintech may face substantial new data privacy problems under the CCPA.

However, The California Consumer Privacy Act offers an exception for fraud detection and identification purposes in order to protect the regulatory need and efficacy of US AML/CFT regulations. More precisely, if a company has to collect personal information in order to meet state or federal law, such as AML or KYC legislation, the Patriot Act, or the Bank Secrecy Act, the California Privacy Act does not apply.


KYC is a control procedure that financial institutions apply to verify the identities of their existing and new customers


AML and CCPA Compliance With Sanction Scanner

We, as Sanction Scanner AML Compliance Software, can help you implement Data Protection Policies, AML Policies, and Procedures that are in accordance with the California Consumer Privacy Act and GDPR. If you require our support or further information, please contact us.

Sanction Scanner Request Demo


You Might Also Like