What is the CCPA?

The California Consumer Privacy Act allows consumers in California access to all of their own personal information from a company, as well as a list of third parties with which their information has been shared.

California is the first state to introduce data privacy regulations on par with the EU’s General Data Protection Regulation. However, unlike the European GDPR regulation, the CCPA is primarily concerned with the sale of data, not the collection and processing of data. Basically, legislation states that companies must provide more information to consumers about how their data is being used and give them more control over sharing of data.

Which businesses must comply with CCPA standards?

Businesses are mandated to meet CCPA compliance if they have an annual revenue of $25 million, hold more than 50k users’ or devices’ data, or earn more than 50% of revenue from selling data. Exempt businesses include health and insurances providers under HIPAA, credit reporting agencies under Fair Credit Reporting Act, and Financial companies covered by Gramm-Leach-Biley.

How can you comply with the CCPA?

The CCPA mandates a host of regulations for companies doing business in California, even if they aren’t based in the state. Companies were previously forced to safeguard customer data. However, entities weren’t held responsible for how the data was then used. Consumers now have greater visibility, insight, and control into how their data is used. CCPA leaves no doubt that personal information belongs only to the consumer, and risks from regulatory non-compliance and litigation can be severe.

CCPA Compliance Checklist

  • NCompanies should ensure procedures and policies remain aligned with changing CCPA law as it evolves.
  • N Organizations should know what and why data is collected and how it is used. Risk assessments and safeguard plans should be implemented.
  • NConsumers need access to multiple methods of data subject requests such as toll-free numbers or information-gathering process.
  • NThird party risk assessments should be performed, and policies and procedures clearly communicated for those that handle PII.

CCPA Essentials


Data privacy law responsibilities and procedures must be conveyed and understood through training.

Clear Policies

CCPA compliant privacy policies should be developed and disclosed to all parties.

Intake Systems

Data submission and subject request methods are deployed to consumers.

Risk Assessments

Third parties are vetted through processes that hold PII.

Data Breach Protocol

Plans for immediate breach disclosure and investigation communicated.

Data Map

Organizations should know how and where data is processed.

This information is not intended to serve as legal advice. Nor is it intended to act as compliance advice specific to the processes of any specific company. Application of compliance laws is a company-specific endeavor. We recommend that you contact compliance counsel to discuss the application of information found herein to your operations.