Complying with the California Consumer Privacy Act

November 16, 2018 by Alex Scheinman

The California Consumer Privacy Act (CCPA) goes into effect on January 1, 2020. Passed as Assembly Bill 375, the CCPA expands on previous California data privacy laws, effectively producing the most comprehensive data use legislation in the United States and granting California residents “increased control” over their data. Here’s what you need to know to prepare for the compliance deadline.

What is the Purpose of the CCPA?

The CCPA allows consumers to find out what personal information of theirs has been collected, to request that businesses delete their data, and to opt out of having their information sold. The CCPA requires affected companies to create processes to comply with and facilitate consumer data requests, to update their privacy policies, and to assure that their vendors comply as well.

Who Does the CCPA Apply to?

The CCPA applies to companies that collect or process information on California residents and meet at least one of the following criteria: annual revenues exceed $25M; 50% or more of revenue derives from selling consumer data; or the company buys, sells, or shares the personal information of 50,000 or more consumers, households, or devices per year.

What are the Requirements of the CCPA?

Key CCPA requirements include:

  • Businesses must inform consumers of the general categories and purposes of personal data that will be collected, both at the time of collection and when consumers request it.
  • Businesses must erase consumer data upon verifiable consumer request (VCR) (with exceptions).
  • Businesses must inform consumers, upon VCR, of the third parties to which their data has been sold and why.
  • Businesses must facilitate VCRs, including establishing toll-free request lines and prominent website request locations.
  • Consumers may opt out of the sale of their personal information. Businesses must provide prominent “Do Not Sell My Personal Information” web notification and opt-out mechanisms. Businesses should not prompt consumers to change their data privacy preference for 12 months after the consumer selects their preference.
  • Businesses may not sell the personal information of minors without obtaining the opt-in from parents or guardians.
  • Businesses must clearly display their privacy policy for consumers, including notification of consumer data rights.
  • Businesses may not discriminate against consumers based on their data privacy requests.

What Are the Penalties for Non-Compliance with the CCPA?

Non-compliant businesses could face up to $7,500 in fines per civil violation of the CCPA.

How Can My Business Prepare for CCPA Compliance?

According to the U.S. Department of Commerce, California is the world’s fifth-largest economy, so it’s important to take steps to keep your business safe before CCPA takes effect on January 1, 2020. Here are five steps your company should take to prepare for the compliance deadline:

  1. Obtain executive buy-in – CCPA compliance is a broad effort that will affect many aspects of your company and will require significant staff hours and financial resources. In addition, failure to comply can have serious financial and reputational consequences. As a result, it is crucial to gain executive buy-in to facilitate the compliance process.
  2. Understand your data collection policies and procedures – It is essential to understand what your company’s current policies and procedures are for collecting, storing, and selling data on California consumers. Prepare data maps, inventories, and other records that clearly illustrate what data your business collects and sells, and where it is sold.
  3. Perform a gap analysis – Review CCPA requirements closely and compare them with your data discovery findings. Perform a detailed delta assessment between your company’s current status and where it needs to be for compliance.
  4. Develop a compliance roadmap – Develop a comprehensive compliance roadmap of necessary action steps based on the results of the gap analysis. Prioritize tasks based on risk and level of effort.
  5. Implement the compliance roadmap – Assign leaders for the remediation effort, and delegate tasks to responsible parties. Follow up on progress regularly. Develop all necessary updates and mechanisms (e.g., privacy policies, opt-out and opt-in mechanisms, web updates). Test and fix all solutions as necessary. Update due diligence policies regarding third-party vendors and vet vendors for compliance as well. Include staff training as part of the overall compliance effort.

How ACA Can Help

ACA’s CCPA compliance assistance service is designed to assess your company’s readiness to comply with CCPA requirements and help implement best practices for achieving broader privacy risk and compliance objectives across your enterprise.

ACA’s team of experienced consultants can review your company’s personal data collecting activities to build a data inventory, identify risks and gaps relative to the requirements of CCPA, and assist with building a practical action plan to address deficiencies.

For more information, contact or your ACA consultant.

About the Author

Alex Scheinman is the Director of Privacy at ACA Aponix, the cybersecurity and IT risk division of ACA Compliance Group. In this role, he oversees ACA Aponix’s CCPA and GDPR data processing reviews and data privacy compliance efforts. Prior to ACA, Alex served as a Privacy Manager in EY’s cyber practice. While at EY, Alex oversaw multinational privacy gap assessments for Fortune 100 and Fortune 500 companies against regulatory and industry frameworks including GDPR, PIPEDA, HIPAA, and COPPA.

Earlier in his career, he served as an adjunct professor at George Mason University teaching conflict analysis and resolution. Alex earned a B.A. in English from the University of Michigan, an M.A. in Literary Theory and Cultural Studies from Carnegie Mellon University, and a Ph.D. in Conflict Analysis and Resolution from George Mason University.