CCPA Compliance: A Guide to California’s Data Privacy Law as Amended by CPRA [+ Checklist]

  • April 04, 2024
Author

Anna Fitzgerald

Senior Content Marketing Manager at Secureframe

Reviewer

Cavan Leung

Senior Compliance Manager at Secureframe

When asked about managing their privacy online, only 21% of US adults say they are confident that those who have access to their personal information will do what is right, according to a survey conducted by the Pew Research Center.

As people share more of their personal information with businesses, they are increasingly concerned with what those businesses are doing with their data and why. Governments around the world are taking notice and passing data privacy laws, including the EU’s General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA) in the US. 

So how does CCPA legislation impact businesses? This article offers a straightforward introduction to the essentials of CCPA, as amended by the California Privacy Rights Act. Keep reading to learn who needs to be CCPA compliant, what the law requires, penalties for non-compliance, and more.

What is the California Consumer Privacy Act (CCPA)?

The California Consumer Privacy Act of 2018 gives California residents greater insight into and control over how businesses collect and use their personal information. 

The law requires companies to implement a range of privacy initiatives, from publishing an easily accessible privacy policy to allowing consumers to opt out of data collection. CCPA also gives California residents specific rights concerning who can collect or process their data and for what purpose.

Who needs to be CCPA compliant?

CCPA applies to for-profit organizations that collect the personal information of California residents. But not all businesses are subject to the data privacy law. To fall within the scope of CCPA as amended by the CPRA, the organization must also meet one of these three thresholds:

  • Exceeds $25 million in annual gross revenue
  • Buys, sells, receives, or shares for commercial purposes the personal information of 100,000 or more consumers, households, or devices
  • Earns 50% or more of its annual revenue from selling or sharing personal data

CCPA definition of personal information

Because CCPA regulates what companies can and can’t do with personal information, it’s important to understand what qualifies as personal data. The CCPA text defines personal information as any “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.”

To clarify, personal information is anything that can be linked to a specific consumer or household. This includes names and addresses, Social Security numbers, and device identifiers like IP addresses. 

Personal data does not include information that’s publicly available, such as property tax records. Aggregated data is also not considered personal information, nor is health information that’s governed by other legislation like HIPAA or California’s Confidentiality of Medical Information Act.

CCPA consumer rights

Under CCPA, organizations are required to respect consumer rights regarding their personal data. These rights include:

Right to Know

Consumers have the right to know what personal information of theirs is sold or shared, and to whom. So if you collect information about consumers protected by CCPA, you must inform them at the point of data collection (or before).

Right to Access

Consumers have the right to access the personal information you’ve collected from them. If you receive a request from a consumer, you have 45 days to provide them with the information in a readily usable format, free of charge. Consumers must also have easy access to your complete privacy policy. 

Right to Delete

Consumers can request that you delete their personal information and tell your service providers to do the same. There are exceptions, such as if your business is legally required to keep the information.

Right to Contact Information

Organizations are required to make it easy for consumers to find out more about their privacy policy and their efforts to comply with CCPA. This includes contact information for submitting requests related to consumer rights.

Right to Opt-out

If your organization sells or shares a consumer's personal information, you are required to give them the opportunity to opt out. This includes a web page that clearly offers an opt-out option with a link to your privacy policy. You must also give consumers the right to opt out of future marketing efforts.

Right to Fair Treatment

Organizations are prohibited from discriminating against consumers who exercise their rights under CCPA. 

Right to Correct

Consumers have the right to correct inaccurate personal information that a business has about them. This is a new right given under CPRA.

Right to Limit Use and Disclosure of Sensitive Personal Information

Consumers also have the right to limit the use and disclosure of sensitive personal information collected about them. For example, they can direct a business to only use their precise geolocation data to provide them with the services they requested. This is a new right given under CPRA.

CCPA vs CPRA: Comparing data privacy acts

CPRA is a ballot initiative that passed in November 2020. It does not replace CCPA. It amends it and includes additional privacy protections for consumers.

The majority of the CPRA's provisions became operative on January 1, 2023 and are enforceable today. However, the California Privacy Protection Agency (CPPA) finalized additional regulations to flesh out the new requirements of the law on March 29, 2023. Enforcement on these new regulations began on March 29, 2024.

To help you understand and comply with the requirements that are enforceable today, here’s an overview of the key changes:

  • Established the California Privacy Protection Agency (CPPA): This agency was established to implement and enforce the law. While the CPPA has full administrative power, authority, and jurisdiction to do so, the California AG still retains civil enforcement authority.
  • Updated the qualifying criteria: Two of the three criteria for CPRA compliance changed. It now applies to for-profit organizations that buy, sell, or share the personal information of 100,000 or more consumers or households (previously, it did not include “share” and the threshold was 50,000). It also applies to for-profit organizations that earn 50% or more annual revenue based on sharing personal information, not just selling.
  • Added two consumer rights: The CPRA adds two additional consumer rights to CCPA’s original set. These new rights are the right to correct inaccurate personal information and the right to limit use and disclosure of sensitive personal information. More details on all CCPA consumer rights can be found above.
  • Defined a new subset of personal information: CPRA defines a new subset of personal information known as “sensitive personal information.” SPI may reveal a person’s racial or ethnic origins as well as passport numbers, precise geolocation, biometric data, text messages, and more. Organizations must allow consumers to opt-out of the use and disclosure of their SPI.

How to comply with CCPA requirements 

To be compliant with the law, businesses must follow the key requirements below. These include requirements from CCPA and CPRA. 

1. Establish a legitimate purpose for collecting personal information

CCPA requires covered businesses to disclose the business or commercial purpose for collecting or selling personal information at the point of collection.

In order to comply with this requirement, organizations must first determine this purpose.

Business purpose means personal information is being used for a business or a service provider’s operational purpose. CCPA defines 7 types of business purposes: 

  • Auditing interactions with consumers, such as counting ad impressions
  • Detecting and preventing security incidents
  • Debugging to identify and repair errors in functionality
  • Short-term use that does not involve building a customer profile
  • Providing services such as customer support and order fulfillment
  • Conducting internal research and development
  • Verifying the quality and safety of a device, such as performing device upgrades

Commercial purpose means personal information is used to advance a person’s commercial or economic interests. For example, a business may use personal data to induce individuals to buy property, subscribe to services, or exchange products. CCPA does not provide a list of commercial purposes as it does for business purposes.

2. Conduct data inventory

Next, perform a thorough inventory of all data collected, processed, and stored by your organization. Identify the sources of data, where it's stored, how it's used, and who has access to it. During this process, you’ll also want to understand how long you’ll retain this data.

You can formalize this in a data retention policy. This policy should specify how long consumer data will be retained and the procedures for securely deleting data that is no longer needed.

3. Add opt-out button to website

CCPA requires organizations to provide consumers with the ability to opt out of the sale or sharing of their personal information.

To meet this requirement, you must publish a "Do Not Sell or Share My Personal Information” opt-out link in a clear and conspicuous place on your website.

4. Create a process for responding to and logging customer requests

You’ll also need to develop processes for handling consumer requests related to their data subject rights. This may include requests to:

  • Obtain a copy of their personal information
  • Update personal information that’s inaccurate or incomplete
  • Opt out of or request limiting of selling or sharing their personal information
  • Have their personal information deleted

These processes must be efficient, transparent, and compliant with CCPA and CPRA requirements. Requirements vary based on the request. For example, for opt-out requests, organizations are required to provide an opt-out link and respond as soon as possible with a maximum of 15 business days from the date they received the request. For requests to know, delete, and correct, organizations must respond within 45 calendar days, or 90 days if they notify the consumer. They must also designate at least two methods for consumers to submit their requests, like a toll-free number, email address, website form, or hard copy form (unless they operate exclusively online).

5. Create and update a privacy policy annually

A privacy policy must describe your organization’s privacy practices and consumers’ privacy rights. This entails specifying the designated ways that consumers can submit their requests to know, delete, and correct, with clear instructions. 

This policy must be updated at least every 12 months to reflect your organization’s current processes for collecting, selling, processing, handling, or sharing consumer data. 

6. Create a privacy notice at collection

Organizations must have a privacy notice at or before collection to disclose to consumers what personal information they are collecting. That means an organization may link to the notice on its homepage or on a webpage where consumers place an order or provide their personal information for another reason.

This notice must include:

  • The categories of personal information it has collected about that consumer.
  • The categories of sources from which the personal information is collected.
  • The business or commercial purpose for collecting, selling, or sharing personal information.
  • The categories of third parties to whom the business discloses personal information.
  • The specific pieces of personal information it has collected about that consumer.

As required by a new provision in the CPRA, this notice must also include:

  • The categories of sensitive personal information collected and whether they are sold or shared.
  • The length of time you intend to retain each category of personal information, or the criteria that would be used to determine the retention period.

Additionally, the notice must contain a link to your organization’s privacy policy so that consumers can get a fuller description of their privacy rights and the organization’s privacy practices if they want. 

Privacy Notice Template

Our sample privacy notice template is written for a website that collects personal data directly from individuals. You can download it to modify the contents based on how you use data, then put it on your website to comply with CCPA requirements.

7. Implement data protection measures

CCPA requires organizations to put reasonable security measures in place to safeguard the personal information they collect. These measures may include:

  • Restricting personal information collection to the minimum necessary
  • Encrypting or anonymizing personal information you collect
  • Creating an internal data protection policy to build awareness around employee roles and responsibilities
  • Conducting data protection impact assessments (this template can help)
  • Implementing access controls
  • Conducting risk assessments and vulnerability testing to identify and address risks

8. Manage relationships with third parties

Third-party risk management is also a key part of CCPA compliance. Organizations must establish a data processing agreement with service providers, contractors, and third parties that may receive personal information from the organization. These agreements should stipulate terms that comply with CCPA and CPRA requirements, including processing personal information following your organization's instructions and assisting in fulfilling consumer rights requests.

Organizations also must complete vendor risk assessments to identify and mitigate any additional security risks. 

9. Complete CCPA training

Employee training is another security measure you can put in place to protect consumer data.

CCPA training is required for all individuals responsible for handling consumer inquiries about a company’s privacy practices. This training should explain what rights consumers have under the law and how they can exercise those rights.

All personnel involved with collecting, storing, processing, selling, or sharing consumers’ personal information should be provided with data privacy training to help them handle different categories of personal data securely. 

10. Monitor compliance

To ensure ongoing compliance with CCPA and CPRA requirements, you’ll need to regularly monitor and audit your organization's data practices and keep abreast of any updates or changes to CCPA and CPRA regulations. Automation can help simplify continuous monitoring. 

CCPA Compliance Checklist

To help you evaluate your company’s CCPA compliance readiness, download the CCPA compliance checklist below. 

Penalties for CCPA non-compliance

Organizations must respond to consumer requests to exercise their rights under CCPA within 45 days of receipt. If the organization fails to address a violation within 30 days of notification, it is subject to a penalty of up to $7,500 per violation from the California Attorney General. In the event of a data breach, consumers can pursue damages up to $750 per violation. 

While CPRA provisions are not enforceable yet, companies managing high volumes of personal data of California residents still face significant fines and penalties for violating CCPA provisions, like Sephora’s $1.2 million settlement.

CCPA and GDPR: Comparing data privacy laws

Both the General Data Protection Regulation (GDPR) and CCPA are considered some of the world’s strictest data privacy laws, and the two share several common principles. 

For one, both laws require organizations to honor a customer’s request to opt-out of processing their personal data. GDPR and CCPA also require organizations to notify consumers of a data breach. Both protect the consumer’s rights to request their personal data be erased and for data portability. 

That said, the two laws aren’t interchangeable. There are some differences in the finer points of the legislation. For example, GDPR has requirements related to international data transfers through mechanisms like Standard Contractual Clauses while CPRA does not have specific provisions for international data transfers.

But the main difference to note is that under GDPR, personal information is information that can be linked to a particular individual (data subject). GDPR has a broad definition of personal data, encompassing any information that can directly or indirectly identify an individual. CCPA also has a broad definition of personal information, but it does not solely rely on the link to a particular individual. It also includes data related to households.

Simplify security and privacy compliance with Secureframe

Whether your organization must comply with legislation like CCPA or GDPR, needs to get a SOC 2 report to satisfy customer demands, or just wants to build a more mature cybersecurity program, Secureframe can help your organization reduce the effort and costs of managing a data privacy and security program. 

With Secureframe, you can:

  • Set up the right data privacy policies and procedures
  • Deliver and track employee training
  • Automate evidence collection for CCPA compliance and other frameworks
  • Stay current with the latest data privacy requirements
  • Map controls and tests you put in place for CCPA compliance to other frameworks to speed up time-to-compliance and reduce duplicate work
  • Connect to our 150+ integrations to continuously monitor your tech stack
  • Simplify vendor reviews, risk assessments, and access tracking 

To see why 97% of Secureframe users reported strengthening their security and compliance posture, request a demo today.

FAQs

What is CCPA in simple terms?

CCPA, which stands for the California Consumer Privacy Act, is a comprehensive data privacy law that regulates what companies can and can’t do with the personal information of California residents.

What does CCPA compliance mean?

CCPA compliance means implementing CCPA regulations, which involves responding to consumer requests to exercise their rights under the law and giving consumers certain notices explaining the business’s privacy practices, among other responsibilities.

What are the CCPA requirements?

CCPA requires companies to implement a range of privacy initiatives, including:

  • establishing a legitimate business or commercial purpose for collecting personal information from consumers
  • allowing consumers to opt out of data collection
  • respecting other consumer rights like the right to delete their personal information
  • publishing an easily accessible privacy policy

What is an example of CCPA compliance?

An example of CCPA compliance is a business updating its privacy policy to clearly explain how it uses third-party cookies, allowing consumers to fully opt out of the sale of personal information (including in connection with targeted advertising), and simplifying the opt-out mechanism on its website so consumers can opt out of third-party cookies and the sale of personal information. You can find more examples of CCPA compliance and enforcement here.

Who must comply with CCPA?

CCPA, as amended by the CPRA, applies to for-profit organizations that collect the personal information of California residents and meet one of these three thresholds:

  • Exceeds $25 million in annual gross revenue
  • Buys, sells, receives, or shares for commercial purposes the personal information of 100,000 or more consumers, households, or devices
  • Earns 50% or more of its annual revenue from selling or sharing personal data

Does CCPA apply to non-profit organizations or government agencies?

CCPA applies to for-profit legal entities that collect the personal information of California residents. It does not apply to non-profit organizations and government agencies. 

If my business isn’t located in California, do I still need to be CCPA compliant? 

Yes. If your business sells goods or services to or collects the personal information of California residents and meets one of the other threshold requirements, you must follow CCPA.

Does CCPA compliance require audits or risk assessments?

CCPA does not include a requirement for conducting audits or risk assessments. The CPRA introduces the concept of requiring businesses whose processing of personal information presents “significant risk” to consumers’ privacy or security to perform regular cybersecurity and risk assessments. But ultimately it's up to the CPPA to develop the specific standards and expectations through the rulemaking process.

What does “sharing” consumers’ personal information mean?

According to CPRA, sharing is defined as renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer’s personal information to a third party for cross-context behavioral advertising. This definition applies whether or not money is exchanged.

Are the exemptions for employee data and business-to-business transactions still in effect?

No. The exemptions for employment-related personal information and personal information reflecting B2B transactions expired on January 1, 2023. This personal information will now be subject to the requirements of CCPA.

Can businesses deny a consumer’s opt-out request?

Organizations can refuse a consumer’s request to opt out under certain special conditions. These include when selling personal information is necessary to comply with other legal obligations or defend legal claims, and when the personal information is a type that’s exempt from CCPA.

Can businesses sell the personal information of a minor?

Organizations cannot sell the personal information of consumers under the age of 16 without consent. Children aged 13-16 can give consent, but children 12 and under require parental consent. Note that the federal Children’s Online Privacy Protection Act regulations apply in addition to CCPA requirements.