Live Cyber Attack Lab 🎯 Watch our IR team detect & respond to a rogue insider trying to steal data! Choose a Session


A Step-By-Step Guide to California Consumer Privacy Act (CCPA) Compliance

Data Security, IT Pros

illustration of california and lock representing ccpa compliance

California is the first state to introduce data privacy protection regulations on par with the EU’s General Data Protection Regulation (GDPR). As one of the first pieces of digital consumer data privacy legislation in the country, the California Consumer Privacy Act (CCPA) provides strong individual rights and protections around data access and collection. Read on to learn more about what CCPA entails and how to achieve compliance in a step-by-step fashion.

What is CCPA?

definition of the california consumer privacy act

Get the Free Essential Guide to US Data Protection Compliance and Regulations

When Does the Legislation Go Into Effect?

The CCPA law is designed to protect the data privacy rights of citizens living in California. It forces companies to provide additional information to consumers around how their data is being collected, stored, and used. The goal is to give consumers more transparency and control over their private data.

Citizens will now have more visibility into whether or not their data is being shared with — or sold to — third parties. The CCPA also empowers consumers with the right to opt-out of any data usage or activities they disapprove of. The CCPA was originally approved by Governor Jerry Brown in June of 2018 and took effect on schedule on January 1st of 2020.

Who Does the CCPA Affect?

image showing which businesses are held to ccpa standards

The CCPA covers business — defined as a for-profit legal entity — that collects and sells the personal information of consumers. Per CCPA, the regulation applies to businesses that meet any one of the following criteria:

  • Has an annual gross revenue of over $25 million
  • Gathers, buys, sells, or receives the personal information of over 50,000 California residents, households, or devices
  • Derives more than 50% of annual revenue from selling the personal information of California residents

Moreover, California lawmakers included language to exempt businesses that are already subject to robust federal data protection regulations. These types of companies include:

  • Health providers and insurers already subject to HIPAA
  • Banks and financial companies covered by Gramm-Leach-Bliley
  • Credit reporting agencies, such as Equifax and TransUnion, that are under the Fair Credit Reporting Act

Why do we have the California Consumer Privacy Act?

While companies previously were forced to take steps to safeguard customer data, entities weren’t held responsible for what they did with it and with whom they shared information. With consumers now able to have greater visibility into how their data is being used — and the ability to control and access that data — the CCPA represents a giant step forward in personal data privacy.

With CCPA, legislators wanted to leave no doubt that personal data belonged strictly to the consumer. The types of data where consumers now have control over the collection, usage, and sharing of include:

  • Credit and debit card numbers
  • Legal names
  • Postal addresses
  • Social security numbers
  • Demographic information
  • Income and financial data
  • Browsing and search history
  • Age and date of birth
  • Political and religious affiliation
  • Education information
  • Unique online account names
  • Drivers license and passport
  • Geolocation and biometric data
  • Any other uniquely identifiable information

What are the CCPA Requirements?

The CCPA outlines specific requirements for companies that correlate with consumer rights over their personal data. These core requirements are as follows:

  • Right to Disclosure. If you collect information about a consumer protected by the CCPA, then you must inform the consumer of your intentions at or before the point of data collection.
  • Right to Access. Consumers have the right to request you provide them with the information in a readily usable format. This must be free of charge and provided within 45 days from the request. Individuals must also have clear and easy access to your full privacy policy.
  • Right to Contact Information. You’re required to inform consumers where they can find more information about your privacy policy and CCPA compliance efforts. You also need to provide a toll-free telephone number and online contact details should they decide to contact you to exercise any CCPA-related rights.
  • Right to be Forgotten. If a consumer requests that you delete any personal data and information, you’re legally mandated to do so under the CCPA. There are very narrow exceptions in cases where you need the information to fulfill some form of superseding legal obligation.
  • Opt-out of Data Sales and Marketing. If you do sell visitors’ personal information, you must give consumers the opportunity to opt-out of this transaction. You’re required to have a web page that clearly presents an opt-out option, preferably with a link to your privacy policy page. They must also be able to opt-out of data usage for future marketing efforts.
  • Right to Fair Treatment. In no way, shape, or form can you discriminate or treat users differently based on whether or not they exercise their CCPA rights. You must provide the same level of access and service to all consumers regardless of which rights they exercise.
  • Periodic Privacy Policy Updates. You must update your privacy policy every 12 months. That way, customers know if you’re now collecting, selling, processing, or otherwise handling data differently than before. Or if you’re gathering more information than previously stated.

These requirements represent the basis of successful CCPA compliance. Now, you’re ready to put this knowledge into action by learning exactly how to begin your CCPA compliance journey.

Step-by-Step Guide to CCPA Compliance

Follow the six steps below to learn how to become CCPA compliant.

Step 1: Update Privacy Policy and Notices

The first thing you’ll need to do is review your current privacy policy, conduct a CCPA gap assessment, and update the policy where needed. Your new privacy policy should address all of the new rights as outlined above under the CCPA, and your procedures for granting said rights under various circumstances. Your privacy notices to consumers also need to be updated, informing them in more detail at the point of data collection about how their data can and will be used.

Step 2: Maintain a Sound Data Inventory

You’ll also need to maintain a data inventory, which is essentially a database that tracks all information processing activities. This includes various business processes, products, devices, and software that handles consumer data at any given time. Your CCPA data classification should identify which data types are sold, shared with third parties, or used for marketing purposes. Any rights requests for specific data types should also be recorded in the data inventory as proof that you’re CCPA compliant.

Step 3: Implement Data Rights Protocols

The new consumer data rights set forth by CCPA should be central to your compliance efforts. Therefore, you need processes and protocols in place if and when consumers decide to exercise any of those rights. If a consumer contacts you to utilize their Right to Be Forgotten, for instance, your IT team should know exactly where that data is housed and already have a streamlined process in place to dispose of the data and notify the consumer in a CCPA-compliant way. Have protocols at the ready so that when consumers exercise their rights, the process is efficient and fully compliant.

Step 4: Fortify Your Cybersecurity Stack

Under the CCPA, all covered businesses are required to protect personal data with “reasonable” security measures. While this might seem like vague, legal language, in practice it typically means taking a risk-based approach to cybersecurity. You’ll want to assess the risks to your various data types, rank them in terms of most vulnerable to least, and beef up systems and technology where the risk is greatest. While the cost of implementing a new security and privacy platform for high-risk data can be high, if there’s a breach and you’re found to have not taken reasonable measures, the fines and penalties may far exceed the upgrade costs.

Step 5: Audit Third-Party Processor Agreements

If you work with other companies to process, store or transmit consumer data, you’ll need to audit and update those contracts to become CCPA compliant. This is where working with an experienced CCPA compliance partner can be extremely useful in helping you insert standard contractual language into your partnership agreements with minimal legal headache. Your contracts should cover all the bases with regards to CCOA compliance, from how your third parties process data to how they’ll work with you during data rights requests.

Step 6: Ongoing Internal Data Privacy Training

The CCPA mandates that you ensure all individuals who are involved with the handling of consumer data — especially those who process data rights requests — undergo training in how to do so safely and securely. While CCPA leaves it somewhat open-ended in terms of the “how,” typical training mechanisms can include on-site classroom sessions, live virtual training, or standardized courses with materials and testing. While the CCPA doesn’t specifically state how often training should take place, it’s recommended that you conduct refreshers on an annual basis at minimum.

CCPA Compliance Checklist

ccpa compliance tips

CCPA compliance doesn’t have to be a stressful, all-consuming effort within your organization. Here are a few tips and action items that you can take along with ways to ensure you’re CCPA compliant now, and well into the future.

1. Preparation

  • Identify and classify your data assets
  • Understand new consumer rights
  • Conduct a data risk assessment
  • Scour systems for hidden data

2. Implementation

  • Update your data privacy policy
  • Implement rights response processes
  • Adjust permission and access controls
  • Upgrade critical systems and software

3. Maintenance

  • Review your privacy policy annually
  • Conduct regular CCPA training
  • Eliminate unnecessary data regularly
  • Streamline rights response processes

How is Compliance Enforced?

The California Attorney General has the ultimate authority to enforce CCPA. Fines for non-compliance depend on the offense and various other factors. The CCPA provides for a “private right of action” in instances where there’s theft or disclosure of non-encrypted or non-redacted personal information.

Real World CCPA Penalties

Civil penalties start at $2,500 per violation for non-compliance that is deemed unintentional. For intentional non-compliance, those fines jump to as much as $7,500 per violation. There’s also the time frame in which the business responds. The CCPA states that if a company can “cure” the non-compliance within 30 days of being notified of the offense, they get off with a warning. If they can’t remedy the situation within the 30-day window, they’re back on the hook and once again subject to fines.

Data breaches are a separate matter, giving affected consumers the right to take specific action against the offending company. Consumers can bring an action for statutory damages in the event of a data breach caused by the organization’s failure to implement reasonable security procedures.

CCPA Compliance FAQs

What’s the difference between GDPR and CCPA?

While the CCPA is similar to the GDPR, it’s not exactly the same. If you’re already prepared for the GDPR, you may be able to leverage some of the work that you did to meet your CCPA requirements.

Does the CCPA apply to any specific industries?

The CCPA isn’t geared towards any industry or company type in particular. Any company that meets the criteria outlined by CCPA is subject to the regulation. However, companies that conduct extensive digital marketing activities will need to focus on CCPA more thoroughly.

Can I achieve CCPA compliance on my own?

Yes. Nowhere in the CCPA does it state that certification by a third-party is required for compliance. However, many companies do choose to work with an experienced CCPA compliance partner to streamline the process.

What does the CCPA define as Sale of Data?

Under the CCPA, the term “sale” has a broad definition ranging from actually selling or renting personal information to even disclosing, disseminating, and making personal data available to a third-party for monetary compensation.

What happens if my company is not in compliance with the CCPA?

The California Attorney General may levy fines and penalties if you’re found to be in non-compliance at any time, especially after a data breach. You also may be subject to civil litigation from affected consumers.

What data does the CCPA cover?

The CCPA covers a variety of forms of personally identifiable data as outlined earlier. This includes things like demographic data, financial history, social security, driver’s license numbers, and any other information that can be used to identify an individual.

The CCPA is the first of its kind in the United States, provides consumers with additional rights and ultimate control over their personal data. If you’re just getting started with CCPA compliance, you should also consider an end-to-end CCPA compliance platform to help organize your data and streamline your efforts. An ounce of prevention is worth a pound of cure, so making sure you’re CCPA compliant year-round will help you avoid any unnecessary fines, penalties, or headaches.

David Harrington

David Harrington

David is a professional writer and thought leadership consultant for enterprise technology brands, startups and venture capital firms.


Does your cybersecurity start at the heart?

Get a highly customized data risk assessment run by engineers who are obsessed with data security.