California Consumer Privacy Law (CCPA) – Have You Implemented the Appropriate Steps?

February 21, 2020

California Consumer Privacy Law (CCPA) – Have You Implemented the Appropriate Steps?

Effective January 1, 2020 the new CCPA law went into effect and it doesn’t just affect business in California. It potentially impacts any Company that collects personal information about a California resident.

Do all businesses need to comply?
While there are exemptions it is critical to note that maintaining or collecting information of just one California resident can make you subject to the law and an evaluation should be completed. Under the law, businesses are exempt if it does NOT meet at least one of the following criteria:

  • Annual gross revenues in excess of $25 million (note this is total gross revenue, not CA specific revenue).
  • Annually, buys, receives, sells, or shares the personal information of 50,000 or more consumers, households, or devices in California.
  • Derives 50% or more of its annual revenues from selling consumers’ personal information.

What does CCPA classify as personal information?
Unlike past privacy laws, the CCPA classification of personal information is very broad in nature and has an expansive scope. The CCPA defines personal information as information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household such as a real name, alias, postal address, unique personal identifier, online identifier, Internet Protocol address, email address, account name, social security number, driver's license number, passport number, or other similar identifiers. Some exceptions are GLBA and HIPPAA information that are required by law; however, data such as marketing & website data (browser, tracking cookies, google analytics, etc) would be in-scope.

How does the CCPA classify selling?

  • Selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means to another business or third party for monetary or other valuable consideration.

What are the CCPA Compliance Requirements?

  • Consumers have the right to know – What information is collected, means in which the information will be used, and with whom it will be shared.
  • Right to be forgotten - Companies are required to delete all information they have about a consumer at the consumer’s request – with minor exceptions.
  • Access request of the collected information and purpose over the past 12 months – including what information has been shared with third parties.
  • Disclosure informing the customer of the data collected and how it will be utilized, consumer’s rights, and what information has been shared with third parties.
  • Prohibition / Opt-out – Consumers can opt out of the sale at any time and companies are required to place a clear and conspicuous link on their website outlining the opt-out rights. A form should also be in-place for opting out and providing consumer rights.
  • Discrimination – Companies are unable to discriminate against a customer based on exercising the rights of the bill.
  • Data Security – Reasonable security procedures and practices are to be in place to protect customer information.
  • Minor authorization – Minors under the age of 13 are required to maintain an opt-in consent from parental guardian. Ages 13-16 can be collected directly from the child.

What next steps should we take?

  • Establish if you qualify based on the requirements of the bill (gross revenues in excess of 25 million, sell personal information, etc.).
  • Understand your data and customers:
    • Do you maintain CA customers or have a meaningful way of tracking if you have a CA customer base?
    • Do you collect, store, and/or maintain data covered under CCPA? Note: this includes potential browsing data from a user’s website activity, such as IP address, browser, etc.
    • Establish a process to harvest the data and/or delete the data, if requested.
  • Establish a process for the customer to request disclosure, access, and/or deletion of data.
  • Update privacy notices, policies, and website. Make sure to provide detail on the consumer’s rights, including the option to opt-out, be forgotten, and what information is collected, sold, disclosed, etc. Be sure to add the “Do not sell my personal information” link to your website.
  • Review vendor contracts and practices for potential sale of information. This is a good step to add in your vendor review and due diligence process.

Failure to comply with the law can result in monetary penalties brought on by the Attorney General, which can range upwards of $7,500.  Additionally, consumers can file suit for noncompliance ranging from $100 - $750 per record, if not more. The CCPA is only the tip of the iceberg for privacy laws and regulations. Several other states have similar proposals in place, which are expected to mirror CCPA.

For additional information, contact the author Jeffrey Johns at