The California Consumer Privacy Act (CCPA) is a complex law that requires businesses to make significant changes to the way they treat California residents’ personal data. Becoming CCPA compliant is not a one-day project, but its requirements can be summarized under three major categories: posting privacy notices, responding to consumer requests, and implementing data security measures.
This is just a starting point to understand how the CCPA works and what your business must do to be compliant. To learn more, read our Complete CCPA Guide or browse our CCPA Resources Center for other in-depth CCPA articles.
The most immediate of the CCPA’s requirements is for businesses to make extensive disclosures about their data privacy practices. Whether it’s online or at a brick-and-mortar store, before collecting consumers’ personal information, businesses must inform them of the following:
There are also additional notices that businesses must provide if they buy, sell, share, or receive the personal information of 10 million or more consumers annually.
The CCPA gives consumers the right to make several types of privacy requests to businesses that collect their personal information. Here are the five types of CCPA requests:
Each of these requests has its own set of rules, deadlines and verification requirements that must be met, as well as numerous exemptions.
The CCPA is enforced by the California Attorney General, and soon by the California Privacy Protection Agency as well. Consumers cannot directly sue businesses for violations of their privacy rights (a missed disclosure or a mishandled request is an enforcement matter, not a lawsuit), but the CCPA does create a private right of action for data breaches. Consumers can sue a business when their nonencrypted and nonredacted personal information is subject to unauthorized access and exfiltration, theft, or disclosure as a result of the business’s failure to implement and maintain reasonable security procedures and practices. Note that the personal information covered by this provision is the narrower category used in California’s data breach notification law (for example, a name combined with a Social Security number, driver’s license number, or an account number together with its access code), not the CCPA’s broad definition of personal information.
Consumers can recover statutory damages of $100 to $750 per consumer per incident, or actual damages, whichever is greater, and the statutory amount does not require them to prove any actual harm. Because that amount is multiplied across every affected consumer, a breach of even a modest customer database is a ready-made class action.
The effect of creating this private right of action is that businesses are on notice to (1) encrypt and redact personal information wherever possible and (2) implement and maintain reasonable security procedures. Two practical points follow. First, stored data only counts as protected if an attacker who takes the data does not also get the means to read it: encryption keys must be held separately from the records (in a key management service or HSM, not in the same database or config file), and a redacted copy must actually omit or mask the sensitive elements rather than merely hide them in the user interface. Second, the statute does not define “reasonable security,” but the California Attorney General’s 2016 data breach report described the CIS Critical Security Controls as the minimum level of security every organization should meet, so that control set is the baseline a business should expect to be measured against.
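What “encrypt and redact wherever possible” looks like in code, as an added illustration that is not part of the original article and not TrueVault’s software: each sensitive field of a constructed consumer record is encrypted individually with AES-256-GCM, with the field name bound as associated data so a ciphertext pasted into the wrong column fails to decrypt, and the Social Security number is additionally stored in a masked form for display and logging. The key here is generated in memory only for the demonstration; in production it comes from a KMS or HSM kept apart from the record store. The record fields, field names and mask format are assumptions of the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
	"strings"
)

// Record is a constructed consumer record. A name stored with an SSN is the
// kind of data combination that falls inside the breach private right of action.
type Record struct {
	Name  string
	Email string
	SSN   string
}

// RedactSSN masks all but the last four digits; this is the form that support
// tooling, logs and exports should carry instead of the full number.
func RedactSSN(ssn string) string {
	digits := strings.NewReplacer("-", "", " ", "").Replace(ssn)
	if len(digits) < 4 {
		return "***-**-****"
	}
	return "***-**-" + digits[len(digits)-4:]
}

// FieldEncryptor encrypts individual fields with AES-256-GCM. The field name is
// bound as associated data, so a ciphertext moved from one column to another
// fails authentication instead of decrypting in the wrong context.
type FieldEncryptor struct {
	aead cipher.AEAD
}

// NewFieldEncryptor wraps a 32-byte data-encryption key (assumed to be
// provisioned from a KMS/HSM, never from the same store as the records).
func NewFieldEncryptor(key []byte) (*FieldEncryptor, error) {
	if len(key) != 32 {
		return nil, errors.New("key must be 32 bytes for AES-256")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &FieldEncryptor{aead: aead}, nil
}

// Encrypt returns base64(nonce || ciphertext || tag) for one field value.
func (f *FieldEncryptor) Encrypt(field, plaintext string) (string, error) {
	nonce := make([]byte, f.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	sealed := f.aead.Seal(nonce, nonce, []byte(plaintext), []byte(field))
	return base64.StdEncoding.EncodeToString(sealed), nil
}

// Decrypt reverses Encrypt; it fails if the ciphertext was tampered with or is
// presented under a different field name than it was sealed for.
func (f *FieldEncryptor) Decrypt(field, encoded string) (string, error) {
	sealed, err := base64.StdEncoding.DecodeString(encoded)
	if err != nil {
		return "", err
	}
	n := f.aead.NonceSize()
	if len(sealed) < n+f.aead.Overhead() {
		return "", errors.New("ciphertext too short")
	}
	plain, err := f.aead.Open(nil, sealed[:n], sealed[n:], []byte(field))
	if err != nil {
		return "", err
	}
	return string(plain), nil
}

// ProtectRecord produces the row that is actually written to the database:
// name in the clear, email and SSN encrypted, and a masked SSN for display.
func ProtectRecord(f *FieldEncryptor, r Record) (map[string]string, error) {
	email, err := f.Encrypt("email", r.Email)
	if err != nil {
		return nil, err
	}
	ssn, err := f.Encrypt("ssn", r.SSN)
	if err != nil {
		return nil, err
	}
	return map[string]string{
		"name":       r.Name,
		"email_enc":  email,
		"ssn_enc":    ssn,
		"ssn_masked": RedactSSN(r.SSN),
	}, nil
}

func main() {
	key := make([]byte, 32) // demonstration-only key; use a KMS-managed key in practice
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	enc, err := NewFieldEncryptor(key)
	if err != nil {
		panic(err)
	}
	stored, err := ProtectRecord(enc, Record{Name: "Ada Example", Email: "ada@example.com", SSN: "123-45-6789"})
	if err != nil {
		panic(err)
	}
	fmt.Println("stored row:", stored)
	// The SSN ciphertext is rejected when presented as the email field.
	if _, err := enc.Decrypt("email", stored["ssn_enc"]); err != nil {
		fmt.Println("ssn ciphertext rejected under the email field:", err)
	}
}
```

The stored row never contains the plaintext SSN or email, and the masked column is what application screens and logs should read. Whether such a row is “encrypted” in any sense that matters to a plaintiff depends entirely on where the key lives: if the key sits in the same compromised database or repository, the attacker has the plaintext too.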
Though this list does summarize the CCPA’s requirements, there is much, much more information needed to become CCPA compliant. Start with our Complete CCPA Guide to learn the basics of the data privacy law and find answers to foundational questions like what is personal information and what is a sale of personal information.
There is also a lot of work that must be done before even beginning to make all the required privacy notices. In order to fully understand exactly what personal information your business collects and how it uses that information, you must first create a data map. This is where most of the work of becoming CCPA compliant takes place. The good news is that once the data map is completed, the rest of the process is considerably easier.
Businesses that try to become CCPA compliant on their own are likely to spend months on the project once all the research required is taken into account. Even then, they may make mistakes that lead to expensive fines. Other businesses turn to law firms or specialized consultants, but that can still take weeks and is a major expense.
TrueVault Polaris is a software solution that automates the process of getting CCPA compliant from start to finish. Designed by attorneys and compliance professionals, TrueVault Polaris combines the expertise of hiring an outside firm with the savings of handling it in-house. Contact our team to find out how your business can become fully CCPA compliant in as little as a few days.
Disclaimer: This content is provided for general informational purposes only and does not constitute legal advice. This content is not a substitute for obtaining legal advice from a licensed attorney. The information on this page may be changed without notice and is not guaranteed to be complete, correct or up-to-date, and may not reflect the most current legal developments.