CCPA/GDPR and Nogin

The California Consumer Privacy Act(CCPA) is an important piece of legislation that is designed to strengthen and unify data protection laws for all California citizens. The regulation takes effect Jan. 1, 2020.

Additionally, GDPR went into effect in May 2019 – although the law is intended to protect data privacy for European Union Citizens, Nogin is making a concerted effort to become GDPR ready for clients that are operating in Europe.


Nogin is fully committed to complying with its obligations under the CCPA and GDPR.

What is Nogin doing about the CCPA/GDPR?

Mid 2019, Nogin began to dedicate internal resources to the consumer privacy act to ensure that the right steps are taken to address the requirements under the new laws (CCPA/GDPR). At Nogin, we take compliance and enforcement of data security seriously and are working to obtain Type 1 SOC 1 certification and US Privacy Shield certification.

Nogin has also engaged with our in-house counsel and other consultants in our pursuit of CCPA/GDPR readiness.

Here’s a snapshot of our CCPA/GDPR Roadmap and where we are on our Data Protection journey:


  • Continued assessment of our compliance and introduction of any necessary updates as practice and guidance develops.
  • Develop a strategy and requirements to address the areas of our product impacted by CCPA/GDPR.
  • Thoroughly research the areas of our product and our business impacted by CCPA/GDPR
  • Implement required changes to our internal processes and procedures.
  • Develop Data Privacy Team
  • Appoint a Data Protection Officer
  • US-EU-Swiss Privacy Shield Application
  • Rewrite/Amend our Data Protection Agreement
  • Perform necessary changes/improvements to our product based on the requirements
  • Thoroughly test all of our changes to verify and validate compliance with CCPA/GDPR.


  • Notification of Nogin’s commitment to work through and to obtain initial guidance.


We are taking many steps across the entire company to prepare our company for the CCPA/GDPR, from updating our contractual documentation to introducing the required internal processes, policies and working to become Type 1 SOC 1 certified to help define an Information & Security Policy and Procedure. As we move towards CCPA/GDPR compliance, Nogin intends to also become US Privacy Shield certified to provide the legal framework for personal data transfers between our national offices and, where relevant, from other locations directly to our CA hosting centers. Nogin client infrastructure is hosted on AWS/Google which complies with the CISPE code of conduct. The CISPE Code of Conduct helps cloud customers ensure that their cloud infrastructure provider complies with data protection obligations under the CCPA/GDPR.


The GDPR imposes a set of obligations and requirements on Data Controllers (those who decide how and why information about individuals is processed) and Data Processors (those who process such information on behalf of data controllers) to: 1) strengthen the security and protection of personal data and 2) give greater protection and rights to individuals whose data is being used by companies. Although Nogin is taking steps to prepare for the GDPR both as a Data Controller (the personal data we process about our employees and about you, our customers) as well as a Data Processor (the personal data we process on your behalf), our customers will also need to ensure they are ready to meet their obligations under the GDPR. All of our customers will, of course, need to assess their own obligations under the GDPR and take legal advice, as appropriate. In relation to your relationship with Nogin, each customer will need to sign our “CCPA/GDPR addendum” which will add clauses required by the CCPA/GDPR to our contractual relationship with you.

What is CCPA?

The California Consumer Privacy Act (CCPA) is the most comprehensive privacy law in the country. Targeted at companies that collect and/or sell personal information, it is designed to give Californians more control over their own data.

The following are among the major new data protections CCPA introduces:


Consumers in California will be able to know the “what, who, and why” surrounding their personal information. Specifically, they can request the following, which must be provided in a digestible format:

  • Which categories of information were collected and sold
  • From whom this information was collected, with whom it was shared, and to whom it was sold
  • Why it was collected


Consumers in California will be able to request that a company delete the personal information it has collected about them.


Consumers in California will be able to direct a company to not sell their personal information to third parties (although the definition of “sell” in the bill is broader than simply monetary exchange).

Although it was passed in June 2018, California Consumer Privacy Act will go into effect on January 1, 2020. As a result, companies can expect California legislators to continue to clarify and amend CCPA leading up to the enforcement date. A number of amendments have already been passed, including the introduction of a six-month enforcement grace period to July 1, 2020. 

In summary, here are some of the key changes that will come into effect: expanded rights for individuals, compliance obligations, data breach notification and security, restrictions on profiling and monitoring, and increased enforcement with high fines.

What is GDPR?

The GDPR is widely considered to be the most significant piece of European data protection legislation to be introduced in the European Union (EU) in 20 years and will replace the 1995 Data Protection Directive.

The GDPR regulates the “processing” of personal data about individuals in the European Union. “Processing” includes doing anything with personal data, such as collecting, storing, transferring it or using it in any way. Importantly, under the GDPR, the concept of “personal data” is very broad and covers any information relating to an identified or identifiable individual (also called a “data subject”).

This legislation gives data subjects more rights and control over their data by regulating how companies should handle and store the personal data they collect. The GDPR also raises the stakes for compliance by increasing enforcement and imposing greater fines should the provisions of the GDPR be breached.

The GDPR enhances EU individuals’ privacy rights and places significantly enhanced obligations on organizations handling data.

In summary, here are some of the key changes that will come into effect: expanded rights for individuals, compliance obligations, data breach notification and security, restrictions on profiling and monitoring, and increased enforcement with high fines.

If you have any questions, please don’t hesitate to contact us at