Reports / What is CCPA Compliance EN
Content grade
Suggested: A-
Word count
Typical: 2,660
Typical: College

The California Consumer Privacy Act of 2018 (CCPA) gives Californian consumers greater transparency into how their personal data is being handled.

Under the CCPA, California residents have a right to:

  • Know when their personal data is collected by a business.

  • Know when their personal data is being sold to, or shared with, a third party.

  • Deny the sale of their personal data.

  • Have their personal data deletion request honored.

California's landmark move to greater privacy laws mirrors the consumer data protection posture outlined in the GDPR and Canada's propositions in Bill C-11.

Guidance for complying with the CCPA is outlined through CCPA regulations. anchor linky

The CCPA was signed into law in June 2018 as a response to growing instances of businesses exploiting data privacy either through poor data handling policies or data breaches.

CCPA regulations offer Californian businesses guidance on how to best adhere to this law.

California was the first state to implement such strong data collection and handling laws, and its data security framework will likely become a blueprint for all other States.

Similar data privacy laws are either being considered or are already implemented in Nebraska, New York, and Washington.

To learn how this law impacts your business, and how to become CCPA compliant, read on.

Who Must Comply with the California Consumer Privacy Act?

The CCPA only applies to for-profit businesses that have business operations in California and meet any of the following criteria:

  1. Gross annual revenue of $25 million or more.

  2. Process personal information for at least 50,000 Californian residents, households, or devices (includes buying, receiving, or selling data).

  3. Attribute the sale of California residents' personal data to at least 50% of their annual gross revenue.

CCPA compliance is not limited to businesses physically located in California. 

Any business located outside of California must still comply with CCPA regulations if it:

  • Offers Californians the opportunity to purchase their products or services,

  • Collects any personal information from Californians (such as IP addresses of web visitors), or

  • Shares branding with a business that's bound to the CCPA.

How Does the CCPA Define Personal Data?

The intensity of this law depends on the CCPA's classification of personal data.

Under the CCPA, a consumer's personal information includes any data that identifies, connects, or relates to an individual and/or their household.

This includes the following categories of personal information:

  • Email addresses

  • Social Security numbers

  • Records of purchased products

  • Internet browsing history and search history

  • Geolocation data

  • Biometric data

  • Driver's license numbers

Or any inferences from other sources that could be used to create a profile about an individual's preferences and characteristics.

How Does the CCPA Differ From the GDPR?

The CCPA has a broader classification of personal data compared to the European Union's GDPR. Unlike the GDPR, the CCPA expands its threshold of privacy practices to also households. 

This means that any data subject that could potentially identify an individual or household could be liable to CCPA regulations.

Another difference between the two regulations is that the General Data Protection Regulation (GDPR) applies to any organization establishing a private data inventory for EU citizens.

CCPA compliance, however, is only expected of businesses that meet any of CCPA's three thresholds. -> anchor link to 'who must comply'

CCPA and the Current California Data Breach Notification Law 

The CCPA does not impact current data breach notification obligations under Section 1798.82 in the State of California.

Businesses and state agencies must still notify Californian residents whenever their unencrypted personal data is acquired by an unauthorized party in a data breach.

Businesses suffering a breach impacting more than 500 California residents must submit a single sample copy of breach notification to the California Attorney General. This notification must exclude any personal information identifiers.

Businesses should submit data breach notifications via this online portal.

California residents have the right to access all data breach notification submissions via this search engine

How Should Businesses Respond?

In response to the resilient security posture expectations that still apply to all Californian businesses, the following data breach mitigation actions should be implemented.

  • Review mandatory cybersecurity frameworks - Businesses should review all mandatory cybersecurity regulations in their industry such as HIPAA, PCI DSS, COBIT, NIST, ISO, etc.

  • Implement cybersecurity frameworks - Even in the absence of mandatory compliance, the implementation of popular cybersecurity frameworks could significantly raise cyber resilience levels. 

  • Secure third-party attack surface - 60% of data breaches are a result of a compromised third party. A third-party attack surface monitoring solution will surface any third-party vulnerabilities increasing the risk of supply chain attacks and third-party data beaches.

  • Review Incident Response Plan - Ensure incident response plans support the rapid containment of data breaches and their notifications.

How to Comply with CCPA Requirements


Each of the key provisions of the CCPA detailed below is supported by a summary of how businesses should respond to attain compliance.

Automatic disclosure of personal data processing practices QUOTE

Under the CCPA, businesses must:

  • Notify consumers of the categories of personal data being collected at, or before, the instance of the collection. 

Businesses must also update the following details in the data collection policies on their website every 12 months:

  • A detailed description of consumer rights under the CCPA. This should include the right to data deletion and the right to opt out of the sale of personal data.

  • A detailed description of how to submit data deletion requests.

  • An honest breakdown of all the categories of personal data sharing and selling practices in the last 12 months.

Businesses are not obligated to honor requests to disclose personal data handling practices from the same customer more than twice in a 12-month period.

How Should Businesses Respond?

In response to this provision businesses should:

  • Publish a description of consumer rights under the CCPA and make this information readily accessible from the homepage.

  • Publish privacy notices describing the commercial motivations behind the collection and sale of personal data.

  • Establish internal policies for accurately responding to all CCPA privacy protection inquiries.

  • Implement processes that accurately identify the categories of consumer personal data being collected, shared, and sold.

Consumers have the right to request the complete deletion of their personal information.  QUOTE

Under the CCPA, consumers have the private right of action to request the deletion of all collected personal data. 

In most situations, businesses must immediately comply with these requests, however, exceptions apply for the following scenarios:

  • When this data is necessary to complete a transition or to provide a service requested by the customer.

  • When this data is required to debug or repair expected product functionality.

  • When this information is necessary for the detection or investigation of cyber threats.

How Should Businesses Respond?

In response to this provision businesses should:

  • Establish internal processes to rapidly honor consumer requests to delete personal data storage.

  • Establish reliable communication channels for responding to data deletion requests.

  • Create an internal document delineating probable scenarios where deletion requests are denied.

Consumers have a right to opt out of the sale of personal information QUOTE

The CCPA empowers consumers to opt out of the sale of their personal data at any time. 

Before any customer PII is sold, businesses must provide ample notice to impacted consumers of their intention to sell, alongside instructions on how to opt out of the inclusion of their data in the sale.

Any third-party service provider that purchased consumer data, cannot resell that data unless impacted consumers are given clear notice and provided with an opportunity to opt out of the sale.

How Should Businesses Respond?

In response to this provision businesses should:

  • Include a link on their homepage titled "Do Not Sell My Personal Information" which directs users to a web page explaining how to opt out of the sale of their personal data.

  • Not require consumers to create an account to effectuate their intention to opt out.

  • Establish processes for tracking all opt-out requests.

All consumers have the right to equal service and non-Discrimination QUOTE

Should a consumer, or website visitor, elect to exercise their reasonable security rights set forth in the CCPA, the requestee must not:

  • Impede the availability of goods and services to the consumer.

  • Reduce the quality of customer service for the consumer.

  • Charge the consumer different rates.

  • Deny such consumers the use of discounts or coupon codes available to all other consumers.

Penalties for Non-Compliance

Organizations have up to 45 days to respond to any consumer requests under the CCPA.

If these requests are not actioned within 30 days, the offending business may be charged a maximum penalty of $7,500 per violation.

Consumers impacted by the unauthorized handling of their data as set forth in the CCPA, can exercise a private right of action entitling them to the $750 in recovery damages per violation.