
What Is the CCPA?

The CCPA, or the California Consumer Privacy Act, is a comprehensive privacy law enacted in the state of California. It grants consumers certain rights regarding businesses’ collection, use, and disclosure of their personal information.

The act requires businesses to provide clear and transparent disclosures about the private data they collect, allow consumers to opt out of the sale of their information, and allow them to access, delete, or correct it upon request.

Additionally, the CCPA imposes various obligations on businesses. For example, to comply they must implement reasonable security measures and obtain consent before collecting minors’ information.

Why Was CCPA Enacted?

The CCPA was enacted to enhance consumer privacy protections for residents of California and give consumers more control over their information. It was designed to address concerns about businesses’ collection, use, and sharing of this data, particularly in the digital realm.

The CCPA regulations aim to empower consumers by providing them with rights and choices, such as the right to know what personal data is collected about them and how it is used. Consumers can also decline to let businesses sell their information and have the right to request its deletion.

The CCPA aims to hold businesses accountable for protecting consumer privacy and increasing transparency in their data practices. Overall, the CCPA reflects growing concerns about privacy in the digital age and seeks to provide greater rights to privacy and protections for consumers in California.


What Types of Data Are Regulated by CCPA?

The CCPA regulates several types of personal data to protect the privacy of California residents. Here are the main types of data covered by CCPA:

Personal Data

According to the CCPA, personal information is any information that identifies, relates to, describes, or could reasonably be linked to a particular consumer or household in the state. This can include name, address, email address, social security number, internet browsing history, geolocation data, biometric information (e.g., fingerprints, DNA), and more.

Sensitive Personal Information

The CCPA treats government identifiers that could identify an individual as sensitive personal information. Some of these, like the social security number, overlap with personal data. The category also includes California residents’ personal account logins, financial accounts, and credit and debit card numbers, along with any passwords, passcodes, and security codes that give access to those accounts.

Commercial Information

The CCPA protects consumers’ data privacy rights even when they purchase or consume goods and services. It covers records of products or services purchased, obtained, or considered, as well as transaction history and payment data. For example, if someone buys a smartphone, details such as the make, model, date of purchase, and cost are commercial information.

This category also covers any promotional items, samples, or gifts received. Any insight into a consumer’s purchasing tendencies is protected information.

Internet or Network Activity

An individual’s internet activity encompasses data regarding online interactions, including browsing history, search history, and information about a consumer’s interaction with websites, applications, or advertisements.

The URLs they visit, the websites and pages they browse, and their search queries can reveal their interests, needs, and intentions. As such, CCPA gives consumers the right to keep this information private.

Inferences Drawn from Data

The CCPA also covers inferences drawn from the above categories to create profiles or predictions about a person’s characteristics, preferences, behavior, and attitudes.

What Businesses Are Regulated by the CCPA?

The CCPA governs a variety of businesses and organizations that meet certain criteria. Here’s an overview of who is subject to CCPA laws and the key business criteria:

Businesses

CCPA primarily applies to businesses. Under CCPA, a “business” is defined as a for-profit entity that does business in California and meets one or more of the following criteria:

  • Has annual gross revenues of $25 million or more.
  • Buys, receives, or sells the personal information of 50,000 or more consumers, households, or devices annually.
  • Derives 50% or more of its annual revenue from selling consumer data.

Service Providers

CCPA also applies to service providers that process personal information on behalf of covered businesses. Service providers are subject to certain contractual obligations but have limited rights to use the data for their own purposes.

Third Parties

Businesses that receive personal data from covered businesses for business purposes must also comply with CCPA requirements. These third parties are expected to handle this information responsibly and not use it for any purposes beyond those specified in their agreements with the covered businesses.


Penalties If You Don’t Ensure CCPA Compliance

Enforcement of the CCPA began on July 1, 2020, and there have been reported cases of violations and enforcement actions since then. The Office of the California Attorney General is responsible for enforcing the CCPA, and businesses that fail to comply with the law may face penalties, fines, and other consequences.

Non-compliance with the CCPA can result in significant penalties and liabilities for businesses in the form of fines and sanctions. The specific penalties for CCPA non-compliance vary depending on the nature and severity of the violation, but may include:

  • Civil fines: The CCPA allows for civil fines of up to $2,500 per violation or up to $7,500 per intentional violation. These fines can add up quickly, especially in cases where a business has violated multiple provisions of the CCPA.
  • Private right of action: The CCPA grants consumers a private right of action in certain data breaches resulting from a business’s failure to implement reasonable security measures. This can result in individual or class-action lawsuits, potentially leading to significant financial damages and legal costs for businesses found liable.
  • Injunctive relief: The Attorney General may seek injunctive relief, which can require a business to stop certain data processing activities or take specific actions to come into compliance with the CCPA.
  • Reputational damage: Non-compliance with the CCPA can result in negative publicity, damage to a business’s reputation, and loss of customer trust, which can have long-term financial and operational impacts.
  • Remediation costs: Businesses may need to invest in additional resources, such as personnel, technology, and infrastructure, to come into compliance with the CCPA, which can result in additional costs.

Companies That Didn’t Comply With the CCPA and Were Penalized

CCPA enforcement can result in fines and penalties for non-compliance, and organizations are expected to take data privacy regulations seriously to protect the rights of California residents. Here are some examples of companies that didn’t comply with the requirements and faced penalties.

Zoom Video Communications, Inc

In March 2020, Zoom faced scrutiny for allegedly violating the CCPA. The company was accused of not clearly disclosing how it collects and shares user data. Zoom later settled with the Attorney General’s office, agreeing to improve its privacy and security practices to ensure compliance with CCPA.

Zynga Inc

In December 2020, the Attorney General announced a settlement with Zynga, a mobile game developer. Zynga allegedly violated CCPA compliance requirements by failing to adequately inform users how their data was collected and shared. The settlement required Zynga to pay a fine and implement data privacy improvements.

Salesforce

In June 2021, the nonprofit organization Californians for Consumer Privacy filed a complaint with the Attorney General, accusing Salesforce of not complying with the CCPA. The complaint claimed that Salesforce did not honor user requests for data deletion, among other violations. Salesforce denied the allegations.

The Differences Between CCPA and CPRA

CCPA and CPRA (California Privacy Rights Act) are both data privacy laws enacted in California. However, they are different from each other in some ways. Here’s a simple comparison:

  1. Scope: CCPA requires businesses to meet certain criteria and handle the personal information of California residents, while CPRA expands the scope to apply to businesses that exceed certain thresholds and process the data of California residents on a larger scale.
  2. Definitions: CPRA introduces new definitions such as “sensitive personal information” and “sharing” that are not explicitly defined in CCPA.
  3. Consumer Rights: Both CCPA and CPRA grant similar consumer rights, such as the right to know, the right to delete, and the right not to agree to the sale of their data. However, CPRA enhances some of these rights and introduces new ones, such as the right to correct inaccuracies and limit the use of sensitive information. CCPA mandates that businesses respond to consumer requests to access or delete their personal information within 45 days. If necessary, this period can be extended by an additional 45 days with prior notice to the consumer.
  4. Businesses’ Obligations: CPRA introduces additional obligations for businesses, such as implementing reasonable security measures and conducting regular cybersecurity audits. It also introduces a new category of “service providers” with specific obligations.
  5. Enforcement: Both CCPA and CPRA grant enforcement powers to the California Attorney General’s Office, but CPRA also establishes a new California Privacy Protection Agency (CPPA) to enforce the law.
  6. Penalties: CCPA imposes fines for certain violations, but the CPRA introduces higher fines for violations involving the information of minors and increases the potential fines for certain other violations.
  7. Private Right of Action: CCPA allows consumers to bring private lawsuits for certain data breaches, while CPRA expands the private right of action to cover additional types of breaches and introduces a new opt-in requirement for businesses to share consumer information.

GDPR vs CCPA: Consumer Right Protection and Privacy Laws

The General Data Protection Regulation (GDPR) is a data privacy and security law drafted and passed by the European Union (EU). While CCPA and GDPR share some similarities, they also have differences in scope, requirements, and applicability.

  1. Scope: The GDPR is a comprehensive law that applies to all businesses that process the personal data of individuals in the EU, regardless of where the business is located. In contrast, the CCPA applies to businesses that collect personal information from consumers in California and meet certain revenue or data collection thresholds, irrespective of their physical location.
  2. Consumer Rights: Both the GDPR and CCPA grant certain rights to consumers regarding their data. These include the right to know what information is collected, the right to access, correct, and delete it, and the right to opt out of the sale of their information. However, the CCPA also includes a private right of action for certain unauthorized data access, allowing consumers to bring lawsuits against businesses for damages, while the GDPR does not explicitly provide for a private right of action.
  3. Consent Requirements: The GDPR requires that businesses obtain explicit consent from individuals before processing their personal data, with some exceptions. The CCPA, in contrast, requires businesses to offer consumers the right to opt out of the sale of their personal information rather than to obtain explicit consent for data processing.
  4. Data Transfer: Another difference is how the two legislations handle personal information transfer across international borders. The GDPR imposes strict requirements on the transfer of personal data to countries outside the EU unless certain safeguards are in place. The CCPA does not have explicit provisions related to international data transfers.
  5. Enforcement and Penalties: The GDPR provides for substantial fines for non-compliance, with penalties of up to €20 million or 4% of the global annual revenue of the previous financial year, whichever is higher. The CCPA, on the other hand, provides for civil fines of up to $2,500 per violation or up to $7,500 per intentional violation and grants consumers a private right of action for certain data breaches.
  6. Business Obligations: Both the GDPR and the CCPA impose various obligations on businesses, such as maintaining proper security measures, providing clear privacy disclosures, and responding to consumer requests in a timely manner. However, the GDPR has more comprehensive requirements for data controllers and processors, including mandatory data protection impact assessments, the appointment of data protection officers in certain cases, and adherence to specific legal bases for data processing.

CCPA Employee Data Privacy Rights

California employees have certain rights under CCPA regarding their information. Here’s a simple explanation of CCPA employee rights:

  1. Right to Notice: Employees have the right to be informed about the categories of data their employer collects and the purposes for which it is used at or before the point of collection.
  2. Right to Access: Employees can request access to the information collected, used, disclosed, or sold by their employer. This includes the right to know the specific pieces of data collected and the categories of third parties with whom the information is shared.
  3. Right to Deletion: Employees have the right to request the deletion of their personal information collected or maintained by their employer, subject to certain exceptions, such as legal obligations or legitimate business purposes.
  4. Right to Opt-Out of Sale: Employees can opt out of their employer selling their information to third parties, if applicable.
  5. Right to Non-Discrimination: Employees have the right not to be discriminated against for exercising their rights under the CCPA. This means employers cannot deny or restrict employment-related benefits, opportunities, or services to employees who exercise their CCPA rights.
  6. Right to Correct Personal Information: Employees have the right to request the correction of inaccurate personal details collected by their employer, if applicable.

CCPA Compliance Checklist to Protect Personal Data

Our CCPA readiness checklist breaks down the five areas you need to cover in order to become CCPA compliant:

  1. Map and Inventory Customer Data
    • Identify all sources of customer data collection (e.g., websites, mobile apps, in-store interactions).
    • Create a comprehensive inventory of all personal information collected, stored, processed, and shared.
    • Categorize the data by type (e.g., identifiers, commercial information, internet activity) and maintain an updated data map.
  2. Automatically Fulfill Consumer Data Rights
    • Implement systems to manage and automate responses to consumer requests for data access, deletion, and opt-out of data sales.
    • Ensure mechanisms are in place for consumers to submit verifiable requests easily (e.g., online forms or dedicated contact information).
    • Track and document each request and its fulfillment status to ensure compliance with the 45-day response requirement.
  3. Update Privacy Policy & Disclosure Notifications
    • Review and update your privacy policy to reflect current data practices and CCPA requirements.
    • Include detailed information about the categories of personal information collected, the purposes for collecting this information, and the third parties with whom it is shared.
    • Ensure consumers know their CCPA rights through clear and accessible disclosure notifications.
  4. Define Breach Thresholds & Privacy Team Workflows for Breach Response
    • Establish specific criteria for what constitutes a data breach under the CCPA.
    • Develop a detailed breach response plan, including notification procedures and timelines.
    • Designate a privacy team responsible for managing data leaks and breaches and outline their roles and responsibilities.
  5. Validate and Test Everything from Access Requests to Data Sharing to Security Policies
    • Conduct regular audits to verify the effectiveness of processes related to consumer data access requests, data sharing agreements, and security measures.
    • Perform penetration testing and security assessments to identify and mitigate vulnerabilities.
    • Train staff on CCPA compliance and best practices for handling personal information securely.
    • Document and review all test results and audit findings to ensure continuous improvement and compliance.

This checklist ensures a comprehensive approach to help you achieve and maintain regulatory compliance, covering all key areas from data management to breach response and policy updates.


Achieve CCPA Compliance with BigID

BigID enables organizations to meet and manage CCPA requirements with an automated, scalable approach to discover, map, and manage personal information that falls under the CCPA. With BigID, organizations can:

  • Discover and classify all CCPA-impacted data across enterprise data sources
  • Index CCPA-regulated data by individual to automate data rights
  • Operationalize data flow mapping and monitoring through data intelligence
  • Integrate with workflows for end-to-end orchestration
  • Fulfill data subject access requests (DSARs)
  • Manage, monitor, and validate third-party data sharing
