17 Sep, 2019

The CCPA and IAM: A Deep Dive

  • Jayanga Kaushalya
  • Associate Technical Lead - WSO2

The California Consumer Privacy Act (CCPA), which will come into effect on 1 January 2020, grants consumers new rights regarding the use and collection of their personal information. Since it is a must to comply, now is the right time to move into a CCPA-compliant solution. Gaining knowledge about the new law and how to use identity and access management (IAM), to be compliant with CCPA, will provide an advantage to select the right solution for your business.

To understand how IAM can help to comply with CCPA, first, we have to understand the requirements and what they mean. As mentioned in the previous article Are You Ready for the CCPA?, clauses in the CCPA can be mainly categorized into five different areas.

  1. The Right to Access Personal Information (PI): This means that residents of California have the right to know what categories of personal information a business organization collects and shares with other entities. Consumers also have the right to request specific pieces of information that the organization has collected.
  2. The Right to Have PI Deleted: Consumers will be able to request that a company delete the personal information it has collected about them.
  3. The Right of Disclosure: Companies collecting consumers’ personal information for commercial purposes (sell or disclose to a third party) shall disclose the categories of PI collected, the sources through which the PI was collected, the purpose for the collection, the entities which the PI was shared with or sold to, and the specific pieces of PI that was collected or sold.
  4. The Right to Opt-out and Opt-in: Consumers will be able to direct a company to not sell their personal information to third parties.
  5. The Right to Non-discrimination: Consumers have the right to not be discriminated against exercising any of the rights provided by the CCPA.

According to the above clauses, the CCPA centers around personal information (PI) and how it should be collected, stored, and managed inside a system.

Consent Management

A CCPA-compliant system first needs a mechanism to manage user consent of those that the business collects information on. Consent lifecycle management plays a key role when complying with the CCPA.

When it comes to consent management, there are a few key aspects that we should not overlook.

In the following instances, the system should obtain user consent.

  • User self-registration.
  • User provisioning to third party systems or from third party systems.
  • Sharing user attributes through single sign-on (SSO).
  • Federating identities.

And, the user should have the following capabilities.

  • Review given consent.
  • Modify given consent.
  • Revoke given consent.

Currently, there is an open standard regarding Consent Receipt Management from the Kantara initiative. An IAM provider who supports such open standards will provide leverage over proprietary protocols when adopting such capabilities to a system.

Data Processing

The next most important and essential part when it comes to CCPA compliance is how PI is processed in the system. The system should handle PI based on the clauses discussed above in consent management.

The Right to Access Personal Information (PI)

Any user who has given his or her PI to the system should have the following capabilities:

  • Remove sections of the information.
  • Modify information.
  • Download any kind of information stored in the system in a human-readable manner.

An IAM provider should have at least the above capabilities to provide CCPA compliance. Ideally, an IAM solution should also provide a self-care portal to end-users, capabilities to modify PI without impacting existing processes, and the ability to download PI through it or via separate APIs.

The Right to Have Personal Information Deleted

Similar to the GDPR, the CCPA also mandates the right to erasure or completely remove the existing PI from the system. Even though it sounds simple, this requires the complete removal of any kind of PI that is related to the requested user from the system. This includes logs, audit records, and any stored media, which will eventually keep contextless data in the system.

An IAM provider should use Anonymization and Pseudonymization to support the right to erasure, as specified in the CCPA. By anonymizing data stored in a system, after an erasure, there won’t be any information left in the system to identify PI. Pseudonymization helps the system to keep the context related to the operation without keeping the actual PI.

Identity Governance

Even though this is not directly mandated in the CCPA, having identity governance capabilities in the IAM solution will help to achieve CCPA compliance much easier than an IAM provider that does not.

The following are some of the identity governance features that should be considered from an IAM provider.

Visibility Levels

PI plays an essential role to achieve CCPA compliance. Security related to PI and how it is processed is a key factor. Having the ability to allow who controls the PI within the system and who can see the granularity of PI according to pay grades will allow systems to limit data breaches and unwanted data access.

An IAM provider that supports authorization levels, such as role-based access control (RBAC) will provide the capability to achieve such use cases.

Fine-grained Access Control and Security Policies

Sometimes, having only simple authorization is not enough for a system to adopt good practices of PI management. IAM providers who give fine-grained access control over PI will allow administrators to define more secure and reliable security policies that will help to keep PI more securely within the system.


Having a single point of failure always reduces a system’s integrity. Having multi-levels of approval will help to reduce such situations.

Defining multi-levels of workflows to mission-critical operations is a good practice when it comes to user information management. Having such capabilities in an IAM provider is a plus point when it comes to CCPA compliance.


Picking the right IAM provider to meet CCPA compliance is a tricky process. In addition to all the required capabilities, ease of use is a key component when considering an IAM provider. Learn how WSO2 Identity Server provides these capabilities in the next article of this article series How WSO2 Identity Server Helps with CCPA Compliance.


About Author

  • Jayanga Kaushalya
  • Associate Technical Lead
  • WSO2

Jayanga is a member of WSO2's Identity Server team. He has almost half a decade of experience in IAM and related domains. At WSO2, he has been instrumental in making our products GDPR complaint. Jayanga has contributed to multiple open-source projects. His interests are in enterprise application development, application security, and distributed computing.