top of page

Understanding the California Privacy Rights Act and CMP Consent

Updated: May 9, 2023

Understanding the California Privacy Rights Act and CMP Consent

The California Privacy Act requires all companies to inform customers regarding the data they collect and how they use it. Because online consumer information is more valuable than ever, a lot of regulation has been going on.

The new law was implemented in California in November 2020, so it is vital to understand what the California privacy act is in full. A good Consent Management Platform (CMP) can help you stay compliant. CMP consent is really important when it comes to navigating these new laws!

What is the California Privacy Act an CMP Consent?

The California Privacy Act is a law that protects your personal information from being shared without your consent. It also gives you the right to know what information companies have about you and gives you the right to request a copy of that information.

The act applies to all California residents who are over 18 years old. Children under 18 are subject to other provisions of the law and require a CMP parent consent form.

The California consumer privacy act is similar to other private right of action laws passed in other states across the nation, such as Massachusetts’s Consumer Protection Act and New York’s Personal Data Protection and Security Act.

Why is the California Privacy Act Important?

The California Privacy Act was an effort to protect consumers' personal information and safeguard their privacy. The act also aims to ensure that consumers have control over their data.

The new law affects businesses across industries, including technology companies such as Google, Facebook, and Amazon. The California Privacy Act is important for several reasons:

  • It requires companies to disclose how they collect and use personal data, as well as how they protect it from unauthorized access or disclosure.

  • Requires companies to provide notice of any data breach within 72 hours.

  • Grants consumers certain rights, such as the private right of action regarding their personal data.

  • Prohibits discrimination based on age or disability in providing access to services or goods (Including health care)

  • Prohibits charging more for goods or services based on age or disability, and

  • Provides for enforcement by the attorney general or private rights of action

Who Can Bring a Claim?

The California Privacy Act sets forth who can bring a claim based on the violations of the Act.

First, an individual can bring a claim under the California Consumer Privacy Act if they are harmed by any violation of the Act or have attempted to enforce their rights under the Act.

In addition, an "aggrieved business" may also bring claims, which includes any entity that conducts business in California and has suffered damages as a result of a violation of the Act.

Finally, "aggrieved governmental entities" can also bring claims for violations of the Act.

A business may be considered an aggrieved party if it is harmed by another business's violation of the Act or is forced to expend resources to comply with its own obligations under the law. For example, if Company A shares personal information with third parties but Company B receives that information from Company A, then Company B could be considered an aggrieved party because it had to expend resources to ensure compliance with its obligations under the law and protect its customers' data from further disclosure.

The 5 Steps Businesses Need to Take Now for the New California Privacy Act

The new California Privacy Act is here. And it's going to change the way you do business. Here are five things you should do:

1. Review your privacy policies and terms of service to ensure they comply with the new law. Try a Consent Management Platform (CMP) to stay in compliance.

2: Update your privacy settings and opt-in requirements, so they comply with the California private right of action requirements.

3: Create an internal compliance process for ensuring employees comply with the California Consumer Privacy Act requirements.

4: Create an internal compliance team or designate someone on your team as an internal compliance officer who will oversee all aspects of compliance with California Consumer Privacy Act requirements.

5: Educate your customers about what personal information is collected from them, why it's collected, and how it's used. This includes a CMP parent consent form for children under 18.

California Right to Financial Privacy Act

The California Right to Financial Privacy Act (RFPA) is a law that protects your right to financial privacy. The law limits the availability of your financial records, including credit reports and debit/check card transactions, to businesses that have a legitimate purpose for requesting them.

What Does the Law Do?

The California Right to Financial Privacy Act prohibits businesses from disclosing your personal information unless they can provide some proof of their “legitimate business purposes.”

This means they must show they need the information for a specific reason related to their business. If you decide not to provide this information, the business cannot use that as an excuse to deny you service or access.

Certain organizations are exempt from the requirements of this law: banks; credit unions; consumer reporting agencies; insurance companies; attorneys; attorneys general; government agencies investigating consumer complaints or other legal matters; and any person who obtains confidential information under a court order or subpoena.

How Do Credit Reporting Companies Obtain My Information?

Credit reporting companies get your personal information from a variety of sources.

In most cases, they buy it from other companies that collect and sell personal information. This is called “database marketing” or “data brokering.” For example, one company might sell lists of people who have recently moved, while another might sell lists of people who are late on their payments.

These companies may also sell your name and address to telemarketers or junk mailers as part of their marketing efforts.

If you have ever applied for a credit card, loan, or other financial product or service, the company that provided the service will report your payment history to one or more credit reporting agencies. Other companies that obtain personal information about you include:

  • Banks, savings and loans, credit unions, and other depository institutions

  • Department stores

  • Utilities (gas, electric power and water)

  • Cellular telephone providers

  • Landlords

  • Government agencies (including local governments)

How to Use California’s “California Right to Financial Privacy Act” to Protect Your Identity & Information

The California Right to Financial Privacy Act (SB-17) is designed to protect your identity and financial information from being shared without your permission. It also creates more transparency around how companies use your personal data.

The new law gives individuals two options for how they want their information shared with businesses:

You can opt-in

If you have an account with a financial institution (bank, credit union, etc.), you can choose to opt-in to sharing your personal information with third parties for marketing purposes.

If you don't want businesses using your personal information for marketing purposes, then you can opt out by calling the bank directly or visiting its website. You may be able to do this through your online banking portal as well if it offers that option.

You can opt-out

If you agree to have your data shared, then companies will be able to share it with anyone they want. But if you don't agree, then they won't be able to share it at all — even with their own affiliates or partners. They also won't be able to sell it for marketing purposes or use it for research unless it's for statistical purposes (like analyzing trends).

A Consent Management Platform (CMP) is a great way to keep up with these requirements and ensure that you are in compliance with the law.


The California Privacy Act of 2020 is an important reminder to all companies doing business in California that they have specific responsibilities for CMP consent under the Act, which must be not only met but exceeded.

It's a comprehensive law that has far-reaching consequences for firms that deal with any type or form of personal information, and it is recommended that all businesses pay special attention to it.

bottom of page