California Consumer Privacy Act (CCPA) Compliance Guide

02 Dec 2020 | Randy Lindberg

SixFifty recommends starting with a personal CCPA assessment within your company. Look at the data you’re collecting, who you are collecting it from, how you collect it, and where it is stored. It’s also a good idea to find out what third-party vendors are doing with the data they Under the CCPA law, California residents have privacy rights regarding the personal data (used interchangeably with personal information) collected by businesses, including how it’s used and shared, the right to have that data deleted, the right to opt-out of a company selling this personal data, and the right to not be discriminated against for choosing to exercise their CCPA rights.


According to the State of California Department of Justice, Office of the Attorney General (OAG), “The California Consumer Privacy Act of 2018 (CCPA) gives consumers more control over the personal information that businesses collect about them.” It is similar to the General Data Protection Regulation (GDPR) EU law on data protection and privacy in the European Union and the European Economic Area implemented in May 2018. 


What is CCPA Compliance?

CSO Online reported, “The [CCPA] law went into effect on January 1, 2020, but enforcement began on July 1.” They went on to say, “Companies have 30 days to comply with the law once regulators notify them of a violation.”


The Hunton Privacy Blog said, "The CCPA was passed hastily by California lawmakers on June 28, 2018, to moot a ballot initiative of the same name from the November 6, 2018 statewide ballot...Due to its rushed legislative process, the CCPA contains a number of ambiguities and contradictions. Even a year after passing, significant areas of uncertainty remain. There currently are numerous proposed amendment bills winding their way through the California legislature, a number of which are designed to help clarify the law.”


The OAG states that under the CCPA law, California residents may ask businesses to disclose the personal information they have on file and what they do with it. Residents can also ask that the data be deleted and not be sold. Most importantly, “businesses cannot make you waive these rights, and any contract provision that says you waive these rights is unenforceable.”


The CCPA applies to all businesses that earn a profit, doing business in California that meet the following criteria:

  • They earn a gross revenue of more than $25 million per year
  • They buy, receive, or sell the personal data of “50,000 or more California residents, households, or devices; or”
  • Their annual revenues from selling the personal data of residents of California are 50% or higher


To be CCPA Compliant, a business must disclose what they are doing with the personal data that they obtain from California residents. They also must respond to a request to delete personal data within 45 calendar days. The OAG states, “They can extend that deadline by another 45 days (90 days total) if they notify you.”


However, a business can deny the request to delete the data if they can’t verify the request, they need to keep it on file for warranty/recall purposes, due to business security practices/legal obligations/legal claims, and/or if the data is medical information or credit reporting information.


What is considered personal data/personal information?

Under the law, “Personal information means information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household. Personal information includes, but is not limited to, the following:


(A) Identifiers such as a real name, alias, postal address, unique personal identifier, online identifier Internet Protocol address, email address, account name, social security number, driver’s license number, passport number, or other similar identifiers.”


Additional examples of personal information are:

  • Geolocation data
  • Biometric information
  • Property records
  • Employment history
  • Educational records


Click here to read the law in its entirety.


What are the Penalties for CCPA Non-Compliance?

Legal group SixFifty explained, “CCPA penalties allow for up to a $2,500 fine for each violation, and up to $7,500 for an ‘intentional violation’ of the CCPA.” They went on to say, “The law also allows consumers the right to take private legal action against offending companies for data breaches, recovering anything between $100 and $750 per consumer per incident, or actual damages (whichever is greater).”


What Can Companies Do to be CCPA Compliant?

Obtain from your company. This will give you an idea of how your company engages with and interacts with data so that you can make a plan for how to manage it going forward.


That’s the next step in being CCPA Compliant - make a plan for how to avoid CCPA Penalties. This includes things like:


  • Creating a new privacy policy that speaks directly to the CCPA law - this privacy policy should be added to your company website
  • Creating new contracts if and when they become necessary for clients, vendors, employees, etc…
  • Developing a method for the storage and deletion of personal data
  • Security awareness training for employees on your new policies and personal data management plans


Would you like help in making your company CCPA Compliant? Click here to learn about Rivial Security’s information technology and cybersecurity consulting services.