CCPA Requirements: A Quick Summary

1. Posting CCPA Privacy Notices

The most immediate of the CCPA’s requirements is for businesses to make extensive disclosures about their data privacy practices. Whether it’s online or at a brick-and-mortar store, before collecting consumers’ personal information, businesses must inform them of the following:

  • What personal information the business collects, from what sources, and for what commercial purposes
  • The consumer’s rights under the CCPA: the right to know, right to delete, right to opt out, and right to non-discrimination
  • How to make a verifiable consumer request
  • What personal information is disclosed to third parties and service providers, along with the categories of those third parties and service providers
  • What personal information is sold to third parties, along with the categories of such third parties
  • Instructions for opting out of the sale of personal information, accessible via a “Do Not Sell My Personal Information” link on the homepage
  • How to make privacy requests through an authorized agent
  • At least two methods for contacting the business and submitting requests
  • What personal information is collected from employees and job applicants, and for what purpose
  • Consent requirements for consumers under the age of 16
  • Financial incentives offered when consumers opt in to the sale of personal information

There are also additional notices that businesses must provide if they buy, sell, share, or receive the personal information of 10 million or more consumers annually.

Read more about the CCPA’s privacy notice requirements ›

2. Responding to CCPA Consumer Requests

The CCPA gives consumers the right to make several types of privacy requests to businesses that collect their personal information. Here are the four types of CCPA requests:

  1. Request to know categories of personal information collected
  2. Request to know specific pieces of personal information collected
  3. Request to delete any personal information collected
  4. Request to opt out of the sale of their personal information

Each of these requests has its own set of rules, deadlines and verification requirements that must be met, as well as numerous exemptions.

Read more about how to handle CCPA consumer requests ›

3. Implementing Data Security Measures

The CCPA is enforced by the California Attorney General, and soon by the California Privacy Protection Agency as well. Consumers cannot directly sue businesses for violations of their privacy rights, but the CCPA does create a private right of action related to cybersecurity and data breaches. Consumers can sue businesses when their nonencrypted and nonredacted personal information is subject to unauthorized access due to a business’s failure to implement and maintain reasonable security procedures.

Consumers can recover up to $750 in statutory damages per incident without showing actual damages. This will certainly lead to class-action lawsuits in the future.

The effect of creating this private right of action is that businesses are on notice to (1) encrypt and redact personal information wherever possible and (2) implement and maintain reasonable security procedures.

Read more about the CCPA’s private right of action ›

A Quick Summary Is Just the Beginning

Though this list does summarize the CCPA’s requirements, there is much, much more information needed to become CCPA compliant. Start with our Complete CCPA Guide to learn the basics of the data privacy law and find answers to foundational questions like what is personal information and what is a sale of personal information.

There is also a lot of work that must be done before even beginning to make all the required privacy notices. In order to fully understand exactly what personal information your business collects and how it uses that information, you must first create a data map. This is where most of the work of becoming CCPA compliant takes place. The good news is that once the data map is completed, the rest of the process is considerably easier.

Read more about the process of becoming CCPA compliant ›

CCPA 2.0

On January 1, 2023, the California Privacy Rights Act (CPRA) goes into effect. Approved by voters in 2020, the CPRA makes many significant changes to the CCPA. Among the changes are the addition of two new privacy rights, new rules for “sharing” personal information, updated threshold requirements, and much more. To make it more complicated, the CPRA also has a 12-month look-back provision, meaning businesses will have to implement some of the changes by January 1, 2022.

Read more about the California Consumer Privacy Rights Act ›

CCPA Compliance That Is Actually Easy

Businesses that try to become CCPA compliant on their own are likely to spend months on the project once all the research required is taken into account. Even then, they may make mistakes that can lead to expensive fines. Other businesses may turn to law firms or specialized consultants, but that can still take weeks and is a major expense.

TrueVault Polaris is a software solution that automates the process of getting CCPA compliant from start to finish. Designed by attorneys and compliance professionals, TrueVault Polaris combines the expertise of hiring an outside firm with the savings of handling it in-house. Contact our team to find out how your business can become fully CCPA compliant in as little as a few days.
