Chapter 3: Getting CCPA Compliant

The California Consumer Privacy Act (CCPA) imposes a lot of new responsibilities on businesses and requires them to change the way they think about consumer data. For the most part, businesses can continue collecting and using personal data as they were before, but they must be more transparent about it and be prepared to respond to consumer requests regarding their rights.

In this chapter, we’ve outlined the major actions a business must take in order to become CCPA compliant, from data mapping to preparing for your first privacy request.

Important Update

On August 31, 2022, the California legislative session adjourned without having extended the CCPA's exemption for employee and B2B data. This exemption expired on January 1, 2023. Businesses should plan to incorporate employee and B2B data into their CCPA compliance strategy.

Data Mapping

Data mapping is the first step to becoming CCPA compliant, and generally the most labor-intensive one as well. During this process, businesses must precisely determine what personal information they are collecting, who they are collecting it from, and who they are sharing it with.

This large task is easier to understand when broken down into two halves: personal information that comes in and personal information that goes out.

Inbound Information

Businesses tend to collect a lot of consumer data. In fact, they usually collect more data than they are aware of. That’s why CCPA compliance starts with figuring out who you are collecting personal information from and what categories of personal information you are collecting.

Let’s start with the “who” question. The best way to do this is to identify what groups of consumers you collect information from. Here are some of the most common consumer groups for businesses:

  • Customers
  • Prospective customers
  • Email newsletter subscribers
  • Website visitors
  • Employees
  • Job applicants

Notice the diversity of groups in this list of examples. Businesses may just be thinking of customers as “consumers,” but the CCPA defines the term simply as any California resident. The CCPA even covers personal information collected for internal or non-commercial purposes, such as from a job applicant. 

Identifying the various groups of consumers helps businesses better understand the categories of information they are collecting. Often it is as simple as reviewing the forms used in that particular context. For example, a newsletter subscription may just require an email address, while an online purchase usually involves much more (name, phone number, shipping address, etc.).

Having mapped out your different consumer groups and determined what information you are collecting from them, the next step is to determine which of the information categories are personal information for CCPA purposes. The CCPA defines personal information very broadly, including not just identifiers like names and email addresses, but also IP addresses, search history, geolocation data, and much more. As a practical matter this step is more about finding exceptions, i.e., consumer data that is not personal information. These include:

  • Information that is deidentified or in the aggregate, which cannot reasonably identify or be linked to a particular consumer
  • Publicly available information, i.e., data from government records or that the consumer has made publicly available themselves
  • Information collected pursuant to other federal or state laws, such as HIPAA

Creating a thorough and accurate map of your business’s inbound consumer data will make the rest of the CCPA compliance proceed more smoothly. It will also help your team better respond to consumer requests to know and requests to delete.

Outbound Information

After you’ve mapped the inbound data, you must next examine each category of disclosures of personal information to outside parties. The CCPA deals extensively with the disclosure of consumers’ personal information, and these disclosures are treated differently according to how they are characterized. The most critical question to ask of any disclosure will be: Is this a sale or sharing of personal information?

Deciding what is or is not a sale or sharing of personal information is important for two reasons. First, if a consumer submits a request to know, the business must disclose the categories of personal information it has sold to or shared with third parties. Second, the CCPA gives consumers the right to opt out of the sale and sharing of their personal information. In order to honor consumers’ opt-out requests, the business must first know which transactions qualify as selling or sharing.

  • Selling: Disclosing personal information in exchange for money or other valuable consideration such as free software or access to personal information from other businesses.
  • Sharing: Disclosing personal information about the consumer's activity on your website in order to deliver personalized advertising on another site. In other words, retargeting or interest-based advertising.

The most important exception to the CCPA’s definition of selling is the disclosure of personal information to service providers. If a vendor qualifies as a service provider, the transfer of personal information to that vendor is not a sale and is not affected by consumer opt-out requests.

The onboarding of vendors to your CCPA compliance system is therefore critically important, and often the most time-consuming part of the whole compliance project. In order to qualify as a service provider, the vendor contract must meet certain requirements, such as prohibiting the vendor from retaining, using, or disclosing consumers’ personal information for any other purpose besides performing the specified service. This means your compliance team will have to examine each vendor contract to see if it contains the necessary language. If it does not, businesses will either have to update the contract or else potentially treat any transfer of information to the vendor as a sale, and thus subject to opt-out requests.

Your business’s data map forms the foundation of all future CCPA compliance. Once it is completed, the rest of the project will be significantly easier.

Privacy Notices

Keeping consumers informed regarding data collection and their privacy rights is a major component of the CCPA. Once a business has finished its data map, it will need to make some changes to its privacy notices. Fortunately, this is usually a pretty straightforward process.

Privacy Policy and CCPA Addendum

Most companies that collect consumer data online already have a privacy policy in place on their website. Businesses should take the opportunity at this point to review their existing policy, compare it to the data map they’ve just created, and make any necessary changes. It’s often the case that businesses have made changes to their data collection practices without updating their privacy policy.

The next step is to add a CCPA addendum to the privacy policy. This addendum makes all the necessary disclosures to consumers regarding the collection and use of their personal information. It should be in plain, non-technical language and be reasonably accessible to consumers with disabilities, following recognized industry standards such as the Web Content Accessibility Guidelines version 2.1. Here are the points it should cover:

  • Inform consumers of their privacy rights under the CCPA: right to know, right to opt out, right to delete, and right to non-discrimination
  • Inform consumers what personal information you collect, from what sources, and for what purposes
  • Inform consumers what sensitive personal information you collect and for what purposes
  • Inform consumers for what length of time you intend to retain each category of personal information
  • Inform consumers what personal information you disclose to service providers, contractors and third parties, and the categories of those parties
  • Inform consumers what personal information you sell to or share with third parties and the categories of those third parties
  • Provide instructions for submitting privacy requests
  • Provide at least two methods for submitting privacy requests, at least one of which relates to the business’s normal way of interacting with consumers (e.g., a primarily online retailer must provide at least one online method)

Once the CCPA addendum is completed, it must be posted at or before any point of collection. For example, if a retailer offers discount codes to consumers in exchange for signing up to receive promotional emails, this is a point of collection. The retailer must include a link to its privacy policy near the point of data collection.

Additional Notices

Depending on their practices, businesses may need to include other notices in their privacy policy.

Employee and Job Applicant Notices

As noted in the previous section, even internal data collection from employees and job applicants is covered by the CCPA. A business must disclose what personal information it is collecting and for what purposes it is used. This notice must be given at or before the point of collection (e.g., in the job application or employment agreement).

"Do Not Sell or Share My Personal Information" Page

Businesses that sell consumers’ personal information to, or share it with, third parties must provide an additional notice to consumers. This notice can be its own web page or added to the main privacy policy. It must inform consumers:

  • What personal information is being sold or shared
  • How to opt out of the sale or sharing of their personal information

These businesses must also post a clear and conspicuous “Do Not Sell or Share My Personal Information” link on their homepage. The link should send consumers to this notice.

Additionally, businesses that sell or share personal information collected while interacting with the consumer offline must provide an offline disclosure of their right to opt out and instructions for making a request. If a business operates a brick-and-mortar store, they can fulfill this obligation with a disclosure on the forms used to collect the information, or by posting signage in the area. If the information is collected over the phone, the business may orally inform the consumer of their opt-out rights.

Notices Regarding Consumers Under the Age of 16

There are special rules for the sale or sharing of personal information from consumers who are between the ages of 13 and 15, and for consumers under the age of 13. If your business has knowledge that it sells or shares the personal information from consumers in these age groups, it must provide a process for obtaining their affirmative consent (or their guardian’s consent) to opt in, and also describe this process in the privacy notice.

Notice of Financial Incentive

Businesses cannot discriminate against consumers for exercising their CCPA rights, but they can offer consumers financial incentives for opting in to the use and sale or sharing of their personal information. They can also charge a different price to consumers who opt out, as long as the price difference is related to the value provided to the business by that consumer’s personal information. Businesses that do either of those things must explain it in their privacy notice.

High Volumes of Personal Information

Businesses that buy, receive, sell, or share the personal information of 10 million or more consumers per year must compile and disclose additional information in their privacy policy. They must tell consumers how many privacy requests they received in the previous year, as well as how many of those requests were denied, complied with in part, and complied with in whole. They must also disclose the median number of days they took to respond to privacy requests.

Responding to CCPA Privacy Requests

With all the necessary privacy notices out of the way, the final component of CCPA compliance is responding to privacy requests from consumers. Businesses should already have a plan in place for handling these requests before they ever receive one. Going through a few trial runs will help identify any gaps in the system and ensure that requests can be processed in a timely manner.

This section does not include a detailed description of each privacy right—you can find that in Chapter 2—but rather identifies the key issues that businesses should be aware of when responding to each type of privacy request.

Request to Know

Because there are security concerns associated with disclosing personal information, requests to know must be verifiable. When determining the level of verification necessary, businesses should take into account the sensitivity of the information. For requests to know less sensitive personal information, an email verification is usually sufficient. Requests to know more sensitive information may require additional security steps, or perhaps an account login if the consumer has an online account (businesses cannot require a consumer to create an account in order to process the request).

There are also several types of specific information that a business cannot disclose to the consumer. These are:

  • Social security numbers
  • Driver’s license numbers (or other government-issued ID numbers)
  • Financial account numbers
  • Medical or health insurance information
  • Account passwords
  • Security questions and answers
  • Unique biometric data

In these cases, the business should just describe the type of information collected.

Businesses must acknowledge receipt of the request to know within 10 days, and have 45 days to comply. This can be extended for an additional 45 days when reasonably necessary, provided the consumer is notified before the original 45-day period has lapsed.

Request to Delete

Requests to delete personal information involve many of the same issues as requests to know. As with requests to know, businesses must verify the request before complying. The level of verification required depends on the type of information being deleted. For example, before deleting sensitive information such as family photos, the business must verify the consumer’s identity to a higher degree of certainty.

Complying with the deletion request does not necessarily require deleting the information. Deidentifying or aggregating the data—changing it so it can no longer be linked to a specific individual—also fulfills the business’s obligation. If the business determines that it does not need to delete because one of the CCPA’s exceptions applies, it must inform the consumer of this decision.

Businesses must also notify service providers, contractors, and third parties of the request to delete, unless notification would be impossible or involve disproportionate effort.

Businesses must acknowledge receipt of the request to delete within 10 days, and have 45 days to comply. This can be extended for an additional 45 days when reasonably necessary, provided the consumer is notified before the original 45-day period has lapsed.

Request to Opt Out

Businesses must provide at least two methods to submit opt-out requests, including an interactive form accessible via its “Do Not Sell or Share My Personal Information” link. Websites must also treat opt-out preference signals such as Global Privacy Control as valid requests to opt out.

Businesses may give customers the option to opt out of specific types of information selling, as long as there is a prominent option that opts out of the sale of all personal information. Once a consumer has opted out, the business must wait at least 12 months before asking them to opt in again.
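The two mechanical rules above (treating a Global Privacy Control signal as a valid opt-out, and the 15-day compliance and 12-month re-ask clocks) lend themselves to a small opt-out registry. The following is an added illustration, not code from this guide; the `Sec-GPC: 1` request header is the signal defined by the GPC specification, while the registry, record shapes and sample consumer IDs are constructed here.

```python
import calendar
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional

GPC_HEADER = "sec-gpc"          # GPC spec: "Sec-GPC: 1" means the signal is on
OPT_OUT_DEADLINE_DAYS = 15      # business must comply within 15 days of receipt
REASK_WAIT_MONTHS = 12          # must wait 12 months before asking to opt in again


def gpc_signal_present(headers: dict) -> bool:
    """True when the request carries a valid GPC signal (header names are case-insensitive)."""
    for name, value in headers.items():
        if name.lower() == GPC_HEADER:
            return value.strip() == "1"     # only the exact value "1" counts
    return False


def add_months(d: date, months: int) -> date:
    """Calendar-month arithmetic that clamps the day when the target month is shorter."""
    month_index = d.month - 1 + months
    year, month = d.year + month_index // 12, month_index % 12 + 1
    return date(year, month, min(d.day, calendar.monthrange(year, month)[1]))


@dataclass
class OptOutRecord:
    consumer_id: str
    source: str                       # "gpc-signal" or "web-form" (constructed labels)
    received: date
    due: date                         # compliance deadline
    completed: Optional[date] = None  # set once selling/sharing actually stops


@dataclass
class OptOutRegistry:
    records: dict = field(default_factory=dict)

    def handle_request(self, consumer_id: str, headers: dict, received: date,
                       form_submitted: bool = False) -> Optional[OptOutRecord]:
        """Record an opt-out from the web form or from a GPC signal; None if neither is present."""
        if form_submitted:
            source = "web-form"
        elif gpc_signal_present(headers):
            source = "gpc-signal"
        else:
            return None
        if consumer_id in self.records:       # already opted out: keep the original clock
            return self.records[consumer_id]
        rec = OptOutRecord(consumer_id, source, received,
                           received + timedelta(days=OPT_OUT_DEADLINE_DAYS))
        self.records[consumer_id] = rec
        return rec

    def is_opted_out(self, consumer_id: str) -> bool:
        return consumer_id in self.records

    def overdue(self, today: date) -> list:
        """Opt-outs not yet honored after the 15-day deadline; a compliance check for the team."""
        return [r.consumer_id for r in self.records.values() if r.completed is None and today > r.due]

    def may_ask_to_opt_in(self, consumer_id: str, today: date) -> bool:
        rec = self.records.get(consumer_id)
        return rec is None or today >= add_months(rec.received, REASK_WAIT_MONTHS)
```

In a real deployment the registry would be backed by the business's consent store, and `overdue` would feed the same tracking used for requests to know and delete.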

The opt-out request must be easy to execute and require minimal steps. CCPA regulations offer several examples of prohibited practices:

  • The process for submitting an opt-out request cannot require more steps than the process for opting in to the sale of personal information.
  • Businesses cannot use confusing language, such as double negatives.
  • Businesses cannot force consumers to click through or listen to a list of reasons why they should not submit an opt-out request before confirming the request.
  • The process for submitting an opt-out request shall not require the consumer to provide personal information that is not necessary to implement the request.
  • After clicking on a “Do Not Sell Link,” businesses cannot require a consumer to search or scroll through the text of a privacy policy to find the mechanism for opting out.

Unlike requests to know and delete, requests to opt out do not need to be verified. However, businesses can deny a request if they have a good-faith, reasonable, and documented cause to believe the request is fraudulent.

Businesses must comply with a request to opt out within 15 days of receiving it.

Request to Correct

Businesses must respond to consumer requests to correct inaccurate personal information. Similar to requests to know and requests to delete, requests to correct must be verifiable. Businesses have 45 days to comply with the request, though that may be extended to 90 days if reasonably necessary and the consumer is notified. Businesses are only required to make “commercially reasonable efforts” to correct the information.

Request to Limit Use and Disclosure of Sensitive Personal Information

The CCPA now gives consumers the right to limit use and disclosure of their sensitive personal information. This addition brings the California law closer in line with the data privacy protections of the European Union’s privacy law, the General Data Protection Regulation (GDPR).

In order to respond efficiently to a request to limit, businesses should identify in advance what sensitive personal information they process, and the necessary procedures for limiting its use.

Authorized Agents

Consumers may submit privacy requests through an authorized agent. In order to maintain data security, businesses may require the agent to prove it has signed permission to make the request. The business may also require the consumer to:

  • Verify their own identity directly with the business, or
  • Directly confirm with the business that they provided the authorized agent permission to submit the request on the consumer’s behalf

These requirements would not apply when the consumer has provided the agent with power of attorney.

Data Privacy Security Requirements

The CCPA also imposes cybersecurity requirements on businesses that collect personal information. The law creates a private right of action for consumers in the event of a data breach where nonencrypted and nonredacted personal information is subject to unauthorized access, theft, or disclosure as a result of the business’s failure to implement and maintain reasonable security procedures and practices.

In order to avoid potential class-action lawsuits, businesses should encrypt and redact consumers’ personal information wherever possible, and implement and maintain reasonable data security procedures. Neither the law nor the regulations give specific guidance on what security measures are required, so it is likely to depend on the situation and personal information involved.

Next: Staying CCPA Compliant

With a complete data map, updated privacy notices, and practiced responses to privacy requests, CCPA compliance is a very manageable goal. For the most part, becoming CCPA compliant is a one-time process, coupled with the handling of privacy requests as they come up. There are a few ongoing, periodic tasks that businesses must perform in order to maintain their compliance.

The next chapter, “Staying CCPA Compliant,” discusses these maintenance tasks and gives businesses a sense of how much effort is involved.