Skip to main content

What is CCPA?

The California Consumer Protection Act (CCPA) went into effect on 1 January 2020.  It protects the data and privacy rights of California residents, even when they are out of state. Please note that the new California Privacy Rights Act (CPRA) amends CCPA starting January 2023. Read about CPRA here.

The scope of CCPA

The CCPA is a data protection law that protects California residents even when they are outside the state. CCPA regulates all for-profit organisations that do business in California if they meet any one of the following conditions:

  • Annual revenue over $25 million
  • Processes the personal information of at least fifty thousand Californians per year
  • 50% or more of yearly revenues are from the sale of personal information

The CCPA does not apply to nonprofit organisations or government agencies, and it may not apply to very small companies. You may wonder if you are subject to the CCPA, since your business is not located in California. In short, any company, based anywhere in the world that fits under the CCPA’s definition of a business must comply. So, if you have a for-profit company that meets any of the conditions above and you do business with California residents, you probably need to meet CCPA standards.

Fines in the CCPA

Fines are per violation, up to $2,500 per unintentional violation and $7,500 per intentional violation. There is no set limit for total fines under CCPA.

Since even unintentional violations are subject to fines, it’s vital to take responsibility for the data you store and be sure you protect it. This includes all the data your employees store. Employee errors are the most common cause of data breaches. For this reason, you should make training and monitoring employee data use a top priority.

Types of data protected

CCPA defines personal data as information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household. The CCPA does not exclude anonymised or pseudonymised data.

The key to comply is to know how much personal data you store and where it is. Then, make sure you protect it.

Special category data

CCPA does not use the term “sensitive personal information”. However, it does require you to handle certain items with special care. This includes Social Security numbers and Driver’s License numbers, genetic data, biometric data, and more.

To comply you must check your systems for ID numbers and make sure you protect them properly.

Consent requirements

Consent is a commonly used legal basis for collecting data. However, CCPA does not require your company to obtain consent before collecting or using personal information. You do need consent if you are going to sell someone’s data.

According to CCPA you must get consent if you intend to sell the information to a third-party. Make it easy for users to opt out of the sale of their data at any time.

Privacy policy requirements

Using a privacy policy to describe your data processes shows transparency and lets people know you keep their data safe. You must provide consumers with a comprehensive description of their online and offline practices. This includes how you collect, use, disclose, and sell personal information. You should also list the consumer’s rights when it comes to their personal information.

Make sure you track your data processing procedures, then outline them in a simple privacy policy that lets your customers know they can trust you. Draft a privacy policy that is:

Easy to read and understandable to consumers.
Use plain, straightforward language and avoid technical or legal jargon.
Use a format that makes the policy readable, including on smaller screens, if applicable.
Available in the languages you use for contracts, disclaimers, sale announcements, and other information you provide to consumers in California.
Reasonably accessible to consumers with disabilities.
Posted online through a conspicuous link using the word “privacy” on the business’s website homepage or on the download or landing page of a mobile application.

California consumers have the right to know about the personal information you collect about them, how you use it, and whether you share it. You must give consumers this information in a ‘notice at collection’ listing:

The categories of personal information you collect about consumers.
The purposes for which you use the categories of information.

If you sell consumers’ personal information, the notice at collection must include a Do not sell link. It should also include a link to your privacy policy for a more complete description of your privacy practices and of people’s privacy rights.

Data subject rights requests (DSARs)

People can make a variety of requests about their data. The deadline to respond to a privacy request is 45 days from the receipt of the consumer’s request. You may be able to have the deadline extended, when reasonably necessary. People can make up to 2 requests per 12-month period.

To comply, first make sure you verify each requestor’s identity. Confirm receipt of the requests within 10 business days. Fulfil all requests within 45 days.

CCPA and Right to know

You need to disclose the categories and specific pieces of personal information you have collected about a consumer upon request.

According to CCPA you must send a detailed response, when someone asks for more information about their data.

CCPA and Right to access

Consumers have the right to request that a business disclose:

The categories of personal information you collect.
The categories of sources from which you collect personal information.
The business or commercial purpose.
The categories of third parties with which you share their personal information.
The specific pieces of personal information you hold about them.
If you sell personal information or discloses it for business purposes, consumers have the right to request the categories of information so sold or disclosed.

Search and collect the data you store about a person, then send a detailed response to their questions about how you use, store and protect it within 45 days.

CCPA and Right to deletion/blocking/restriction

Consumers have a right to request the deletion of their personal information collected by the business. The business should respond promptly to inform the consumer if their request has been completed. The CCPA’s right to delete is broad and unrestricted, however, companies can challenge requests.

Search and collect the data you store about a person, erase it from your systems, and then send them confirmation that you have done so within 45 days.

CCPA and Right to data portability

In response to consumer requests, a business must securely provide personal information “in a readily useable format”. It should be easy for the consumer to transmit the information “from one entity to another entity without hindrance”.

Search and collect data you store about the person and send it to them securely, in an easy-to-use format.

Start your GDPR cleanup where it is needed the most

Sensitive data can tends to accumulate in the employees' e-mails. With a GDPR Risk Scan from DataMapper, you get a report that shows any potential GDPR risks in the company's e-mails.

CCPA and Right to opt-out

CCPA introduces a new right, the right to “opt out” from the sale of their data. Consumers have the right to direct businesses that sell personal information about the consumer to third parties to stop this sale, at any time.

Make it easy for people to opt out of the sale of their data. Always stop selling a person’s data when they opt out. Then, wait at least 12 months before asking consumers to allow their data to be sold.

Security measures and data breaches

The CCPA does not specify data security requirements. However, it does discuss “reasonable security practices and procedures appropriate to the risk”. It also has rules about taking action in case a data breach occurs. For example, ones that result from “violations of a business’s duty to implement and maintain reasonable security practices and procedures”.

To comply make sure to use encryption to protect data and reduce your liability.

Records and documentation

CCPA requires you to keep records of consumer requests. In addition, businesses that collect, buy, or sell the personal information of more than 4 million consumers have special record-keeping and training obligations.

To comply, you must maintain records of all consumer requests. You should also keep documentation of how you responded to requests received for at least 24 months prior. Keep records in a ticket or log format. Include the date of request, the type of request, a description of how the person made their request, the date of your response, and a description of your response. If you deny a request, keep a record of the basis for the denial. Keep records secure.

Get our Newsletter!

In our newsletter you get tips and tricks for dealing with privacy management from our founder Sebastian Allerelli.

When you sign up for our newsletter you get a license for one user to ShareSimple, which will give you a secure email in Outlook. This special offer is for new customers only, with a limit of one freebie per company.

Help with CCPA compliance

California is the fifth-largest economy in the world, after the United States, China, Japan, and Germany. This means that many for-profit companies worldwide will need to comply with CCPA, because they may they collect data belonging to California residents. At Safe Online we develop solutions that help companies protect their sensitive data and comply with privacy regulations such as the CCPA. Our solutions are:

DataMapper – Find your sensitive data
ShareSimple – Send and receive data securely in Outlook
RequestManager – Process data subject requests easily

Sebastian Allerelli
Founder & COO at Safe Online
Governance, Risk & Compliance Specialist
Follow me on LinkedIn to get tips on GDPR →


How to handle sensitive personal data


How to find personal data with datamapping tool


How to prepare for a data audit