5 Things You Didn’t Know Are Covered by the CCPA


Even with the addition of several new laws from other states, the California Consumer Privacy Act remains America’s most comprehensive data-privacy legislation. This is even more true since the provisions of the California Privacy Rights Act (CPRA, or sometimes called CCPA 2.0) have take effect.

Businesses that haven’t yet become CCPA compliant or haven’t been keeping up with the latest legal updates may be surprised at just how comprehensive it is. Here are five things you may not have realized are covered by the CCPA.

1. Employee Data

This is a big one. Since its passing in 2018, the CCPA has had a number of temporary exemptions for any personal information collected in an employment context. The last of these exemptions expired on January 1, 2023, after the California Legislature declined to extend it any further.

Data collected from, or about, employees, job applicants, and contractors is treated the same as data from any other source, such as customers and website visitors. This means employers must make full privacy disclosures in advance (some of which were already required) and employees can make requests regarding their personal data—including requests to know and requests to delete.

2. Tracking Pixels and Cookies

Most online retailers use some form of tracking technology, like pixels or cookies, to deliver personalized advertising to consumers on other websites. While the CCPA does not forbid this, or even require prior consent (as opposed to the GDPR), it does require businesses to give consumers a way to opt out of this “sharing” of their personal information with third parties like Facebook and Google.

This means implementing a system in which consumers can click a button to turn off targeted advertising, or turn it off automatically via the Global Privacy Control signal.

3. Global Privacy Control

Global Privacy Control (GPC) is a browser signal that allows website visitors to automatically opt out of the sale and/or sharing of their personal information (most commonly for targeted advertising). GPC was developed in response to the CCPA, which mentions the possibility that such a signal could be developed in the future.

Many had interpreted the law to mean that responding to the GPC signal was optional, i.e., an alternative to posting a “Do Not Sell” link. However, the California Privacy Protection Agency has since clarified that businesses must treat any GPC signal from a California consumer as a valid request to opt out.

4. Cybersecurity

While it doesn’t go into great detail on the subject, the CCPA does require businesses to implement and maintain “reasonable security measures appropriate to the nature of the personal information” they collect and process. In fact, failure to implement such security measures is the one thing that can get you sued under the CCPA, if that failure leads to the unauthorized access of consumers’ personal information.

The CCPA allows for statutory damages of up to $750 per consumer per incident, which has already led to class-action lawsuits following data breaches. There is no one-size-fits-all approach to data security, but businesses should take the issue seriously and ensure that they are doing all they can to protect consumers’ personal information.

5. Contracts with Vendors

Most people don’t realize that reviewing contracts is a big part of CCPA compliance. Since the original version of the law was passed in 2018, it has recognized a special category of outside parties—called service providers—to which a business can disclose consumers’ personal information without fear that it will be considered a sale. 

A service provider is any person or company that processes personal information on the business’s behalf and has a written contract in place that provides certain privacy guarantees, such as agreeing not to sell the data or use it for any other purpose. 

In order to classify any of their vendors as service providers, businesses must first check their contracts. If the required language is missing, they can ask the vendor to execute a data processing agreement that covers all the bases.

The CPRA has gone even farther, and requires that all outside parties that have access to consumers’ personal information (even if it’s just via cloud storage or software) must have a CCPA-specific contract with the business. The contractual requirements include:

  • Stating that personal information is being sold or disclosed for limited and specific purposes
  • Obligating the outside party to comply with all legal obligations under the CCPA
  • Giving the business the right to verify whether the personal information is being used in a compliant manner

Any disclosure of personal information that is not made pursuant to such a contract is unlawful and could lead to fines.

Multi-State Privacy Compliance

The CCPA is more complicated than many realize, and it’s not the only privacy law that businesses must be concerned with. In 2023 alone, four new states have new laws going into effect, and none of them are identical. The patchwork of statutes and regulations will only grow more complex, making compliance very difficult for small and medium-sized businesses.

TrueVault US simplifies privacy compliance across multiple state laws, so that businesses can handle it on their own. With an interface that is familiar to anyone who has done their own taxes online, TrueVault guides you through every step of the process, from onboarding vendors to handling privacy requests.

Contact our team to learn more and view a demo of how TrueVault works.

Schedule Call