California Consumer Privacy Act (CCPA)

CCPA Compliance Planning

The California Consumer Privacy Act of 2018 (CCPA) is effective as of January 1, 2020. LexisNexis Risk Solutions has diligently worked to implement the requirements of the law and is following a detailed compliance plan. We also have a suite of data governance capabilities and industry-leading identity authentication services that can be used for your own CCPA compliance efforts.

The CCPA creates significant new privacy rights for California consumers as well as new obligations for companies that collect or sell personal information. In order to comply with the CCPA, LexisNexis Risk Solutions has reviewed its data sets and has made plans by data and product.  We are also using our proprietary linking process to verify identities and process consumer rights under the CCPA. The CCPA includes exemptions for certain data subject to the Fair Credit Reporting Act (FCRA), the Health Insurance Portability and Accountability Act (HIPAA), the Gramm-Leach-Bliley Act (GLBA), and the Driver’s Privacy Protection Act (DPPA). It also exempts data from government agency records.  As a result of these exemptions, many LexisNexis Risk Solutions products are either not subject to the law or are minimally impacted. LNRS is continuing to track regulatory developments from the California Attorney General’s Office and will make adjustments as necessary. 

For more information, please contact us at

Using LexisNexis Risk Solutions LexID and Authentication Services for CCPA Compliance

LexID Service

Our customers face CCPA compliance challenges due to the fact that much of the personal data they currently hold about California residents is unstructured. For example, businesses with direct consumer relationships often have an account number for each consumer. That account number is a useful tool for organizing data about  customers.  However, these same businesses usually have additional data such as email addresses that are not associated with a given account.

The LexisNexis Risk Solutions LexID service can help a business structure its personal data and associate it with a specific consumer identity. It is created using our unparalleled US consumer data set coupled with advanced artificial intelligence-driven linking techniques.

For more information about using our LexID services for CCPA compliance, please contact us at

Identity Verification and Authentication Services

A number of our customers use LexisNexis Risk Solutions identity verification and authentication services when they receive requests from consumers seeking to exercise their CCPA rights.  Authentication is particularly important when a consumer requests to be informed about what data a business holds about them. 

A key initial step upon receiving such a request is to ensure that the individual seeking such information is in fact who they claim to be. Further details on authentication requirements will likely be included in the final regulations from the California Attorney General’s office, but it is clear that authentication is required by the statute. Therefore, now is the time to plan and integrate the authentication process with your organization’s other privacy processes.

The challenge is to ensure the individual who is submitting a CCPA request isn’t a fraudster — without sacrificing a legitimate consumer’s experience or generating high authentication costs. The multiplicity of consumer touchpoints and devices makes doing this more complex, but also more critical. Our identity verification and authentication solutions help you find balance, mitigate fraud, improve end user satisfaction and easily adapt to emerging channels and trends. We have the tools to help your organization create a comprehensive, layered approach or easily plug into your existing identity management framework. Our capabilities and offerings include:

  • Out of Band solutions to help support higher levels of assurance.
  • Advanced analytics that yield perceptive insights that allow for a more tailored approach to authentication.
  • One of the largest compilations of consumer and business identity intelligence including those individuals with limited or no credit histories.
  • Administration through a single, streamlined platform.

For more information about using our authentication services for CCPA compliance, please contact us at

Frequently Asked Questions about the CCPA

What is the California Consumer Privacy Act (CCPA)?
The California Consumer Privacy Act is a consumer privacy law that grants California residents certain rights regarding personal information that has been collected, sold, or disclosed by businesses subject to the law. The CCPA was signed into law on June 28, 2018 and is effective as of January 1, 2020.

What rights does it grant?
The CCPA grants California residents various rights including:

  • The right to be informed of the categories of personal information being collected, sold or disclosed; the categories of sources from which the information is collected; the purpose for which the information is sold and the categories of third parties to which the information is sold or disclosed; and the specific personal information being collected.
  • The right to have certain personal information deleted. 
  • The right to opt out of having personal information sold to a third party.
  • The right to not be discriminated against in pricing, goods or services if a California consumer exercises their CCPA rights.

When does the CCPA take effect?
The CCPA was signed into law on June 28, 2018, and is effective as of January 1, 2020.

Who has rights under the CCPA?
The CCPA grants protections and rights to California residents.

What is “personal information” under the CCPA?
“Personal information” is broadly defined under the CCPA and specifically includes the following:

  • Identifiers such as name, alias, address, unique personal identifier, IP address, email, account name, social security number, driver’s license number, passport number, or other similar identifiers
  • Other personal information under California law including physical description, telephone, insurance policy number, financial info, etc.
  • Characteristics of protected classifications under California and federal law
  • Commercial information including purchasing history or tendencies
  • Biometric information
  • Internet or other electronic network activity information (i.e., browsing history, search history, and interactions with websites, apps and advertisements)
  • Geolocation data
  • Audio, electronic, visual, olfactory or similar information
  • Professional or employment related information
  • Educational information
  • Inferences drawn from any of the above to create a profile about a consumer reflecting the consumer’s preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities and aptitudes

At the same time, the CCPA does not apply to “publicly available” information that is lawfully made available from a government source, data that is subject to the Fair Credit Reporting Act (FCRA), the Health Insurance Portability and Accountability Act (HIPAA), the Gramm-Leach-Bliley Act (GLBA), or the Driver’s Privacy Protection Act (DPPA), and data that is deidentified or aggregate consumer data.

What businesses are subject to the CCPA?
The CCPA applies to for-profit entities conducting business in California that meet certain statutory thresholds. 

Is LexisNexis Risk Solutions impacted by CCPA? If yes, then how?
LexisNexis Risk Solutions qualifies as a business subject to the CCPA. The details of the CCPA are still being finalized because of pending regulations with the California Attorney General’s Office. However, because of the exemptions currently in the law many LexisNexis Risk Solutions products are either not subject to the law or are minimally impacted. 

Where do I go for more information?
For more information, please contact us at