17 Sep, 2019

How WSO2 Identity Server Helps with CCPA Compliance

  • Nipuni Paaris
  • Software Engineer - WSO2

The California Consumer Privacy Act (CCPA) is the latest legislation that will come into effect on 1 January 2020. Therefore, CCPA compliance will be a must for any organization that collects and processes personal information (PI) of California residents. To obtain a fundamental idea of the CCPA, refer to an overview of the CCPA and dig deep into the role of the CCPA in the IAM domain. In this article, we will discuss how WSO2 Identity Server helps your organization with CCPA compliance.

Facilitating the security and privacy aspects of consumer identity and access management (CIAM) is one of the most prominent capabilities of WSO2 Identity Server, which is a leading open-source IAM solution. However, the CCPA challenges current CIAM strategies and designs of all IAM products in the market. As a product that is already compliant with the GDPR, it was not difficult for WSO2 Identity Server to achieve CCPA compliance capabilities. The following lists the consumer rights under the CCPA. Any organization that aggregates and processes consumer information should make sure that it does not violate any of these rights.

  1. The Right to Access Personal Information (PI)
  2. The Right to Have PI Deleted
  3. The Right of Disclosure
  4. The Right to Opt-out and Opt-in
  5. The Right to Non-discrimination

WSO2 Identity Server was implemented based on the “security by default” and “privacy by default” principles from its very first product release. With the announcement of the CCPA, our team thoroughly reviewed and reevaluated the product’s architecture and design to make sure that it adheres to CCPA clauses. This made us realize that many of the product’s current features, such as consent lifecycle management support and the privacy toolkit, fulfilled the new law’s requirements.

Consent Lifecycle Management Support

Consent management can be termed as exercising the collection and management of consumers’ approval to collect and aggregate their personal information. "Consent" itself is granting permission or an agreement for a specific action to take place.

According to consumer privacy acts and regulations, such as the GDPR and the CCPA, consent is the most common and lawful base for any organization that is collecting and processing consumer personal information. Such organizations should offer a free and clear choice for consumers to make a decision on whether they are willing to allow the organization to process their personal information. Furthermore, personal data processing purposes should be transparent to individuals, and the organization must enable individuals to review and revoke already given consents as well.

WSO2 Identity Server comes with an extensive consent management solution that enables users to conveniently manage consents of their consumers and third-party applications. WSO2 Identity Server’s consent management module consists of the following key features.

  • RESTful consent APIs to manage consents remotely. For more information on consent management, please refer to our documentation here.
  • Admin portal support for organizations to define and manage consent, data processing purposes, and user attributes per consent.
  • Support for the Kantara consent receipt specification. For more information, see the Kantara Consent Receipt Specification.
  • Any self-care user profile creation, user provisioning to other systems, sharing of user attributes through SSO, and identity federation is fully based on user consent.
  • Users can review, modify, and revoke previously given consent via the self-care user portal or RESTful Consent API.
  • Consent APIs can also be used to integrate WSO2 Identity Server’s consent management capabilities with existing applications.
  • WSO2 Identity Server can be used to manage the consent of any third-party application via the RESTful Consent API.

Therefore, the above-mentioned functionalities will help to comply with the “Right of Disclosure” and “Right to Opt-out and Opt-in”.

WSO2 Privacy Toolkit

The CCPA has granted the consumer the right to request a business organization to delete whatever personal information it has recorded of the consumer. In order to provide this capability, WSO2 Identity Server introduced a privacy tool kit that can be used to delete all identifiable data from the data storage and log files whenever required. This privacy toolkit provides the following functionalities.

  • Delete the user by “Identity Admin” of the tenant. This will remove the user from any underlying “Read/Write” user store (JDBC/LDAP/AD).
  • Anonymize any retained traces of user activity.
    1. Log files.
    2. Analytics data and information related to logins, sessions, key validations, etc.
    3. Key/token data held at the database layer.
  • Delete any unwanted data retained in the database.
    1. Token(s) issued.
    2. Password history information.

Additionally, WSO2 Privacy Toolkit can be extended to clear personal data in any relational database or any textual log file. This feature enables organizations or users who use WSO2 Identity Server to comply with the CCPA’s “Right to have PI deleted” clause. For further information on the WSO2 privacy toolkit, please refer to Removing References to Deleted User Identities.

Personal Data Export API

Under the “Right to Access Personal Information (PI)” clause, consumers have a right to know what categories of personal information a business organization collects and shares with other entities. They also have the right to request specific pieces of information that the organization has collected.

In order to facilitate this, WSO2 Identity Server published an API that can be used to download profile details of consumers stored in the server in a well structured and machine-readable JSON format. Consumers can download their profiles by logging into the self-care user portal; any organization can integrate this capability to existing applications and portals with the help of the RESTful personal data export API exposed by WSO2 Identity Server. For more information, refer to Using the Personal Information Export REST APIs.


If you are trying to achieve CCPA compliance and are on the lookout for an IAM solution to accelerate this process, consider selecting a CCPA-compliant product like WSO2 Identity Server, which also offers many more benefits to manage your CIAM essentials. Download the latest version here and give it a try. If you have any suggestions, complaints, or issues, reach us through our Github repository here.


About Author

  • Nipuni Paaris
  • Software Engineer
  • WSO2

Nipuni is a Software Engineer based at our Colombo office. She has a bachelor’s degree in Software Engineering from the University of Westminster, UK. As a part of her final year research project, Nipuni developed an automated resource analysis system to optimize project management.