Is My Business CCPA Compliant?


If you’ve already determined that the California Consumer Privacy Act (CCPA) applies to your business, the next logical step is to ask, “Are we already CCPA compliant?” Obviously, any business owner or manager would prefer for this to be the case—it means you wouldn’t have to take any further action and could get back to running to your business. Unfortunately, it’s unlikely that your business’s current personal-data collection practices already match 100% with all of the CCPA requirements.

CCPA compliance requires more than just posting a privacy policy; it requires businesses to keep track of consumers’ personal information in new, more systematic ways. This starts with creating a detailed data map that covers all of your business’s data collection points, storage locations, and disclosures to outside parties. Your business’s privacy policy is simply the public facing disclosure of your business’s privacy efforts. Much of what it takes to be compliant takes place behind the scenes.

This quick CCPA compliance assessment will help you understand the current state of your business’s compliance with the California data privacy law. It’s not a substitute for legal advice or talking to a compliance expert, but it will give a general idea as to what changes, if any, you must make.

The Complete CCPA Guide

Does the CCPA apply to your business?

Privacy Notices

Your business likely already has a privacy policy posted online, but the CCPA requires that it include some specific notices to California residents (“consumers”).

Does your current privacy policy:

Employees and Job Applicants

Employees and job applicants are now treated like any other consumers. Your business will have to make all required disclosures and extend the full range of privacy rights to these groups

If Your Business Sells or Shares Consumers’ Personal Information:

  • Do you have a separate page or section of your privacy policy informing consumers of their right to opt out?
  • Is there a clear and conspicuous “Do Not Sell or Share My Personal Information” link on your homepage?

    This link should take the consumer to the page or section described above.

  • Do you have an online interactive form for submitting requests to opt out?

    At least one of the two opt-out methods must be such a form.

Additional Privacy Notices

Your business may be required to include the following notices.

  • Financial incentives notice

    In some limited circumstances, businesses may offer financial incentives to consumers for opting in to the sale of their personal information. If so, the business must disclose the details of these incentives.

  • Consumers under the age of 16

    If your business has knowledge that it sells personal information from consumers that are 15 or younger, it must provide information about how to obtain their consent.

  • High volumes of personal information

    If your business collects the personal information of more than 10 million consumers, it must provide additional information.

  • Brick-and-mortar business locations

    If you collect personal information at a physical store location, you must provide privacy notices there as well, include all information in your online privacy policy, and provide a toll-free number for making CCPA privacy requests.

Read more about the CCPA’s privacy notice requirements.

Responding to Consumer Requests

There are four different types of privacy requests that correspond to consumers’ rights under the CCPA: requests to know, requests to delete, requests to opt out, requests to correct, and requests to limit. Each of these request types has its own rules, requirements, and exemptions. This portion of checklist will help assess your business’s readiness to respond to privacy requests.

  • Do you know exactly what personal information must be disclosed or deleted upon request, and where it is stored? 

    Without a thorough and up-to-date data map, it will be very difficult to know if you are fully complying with consumers’ requests.

  • Are there at least two methods for submitting consumer requests?

    At least one of the methods should relate to the way your business normally interacts with consumers.

  • Do you have a designated email address for privacy requests?

    While not necessarily required by the CCPA, it’s recommended to have all privacy requests and questions going to one inbox.

  • Do you have a clear verification procedure in place?

    The level of verification needed varies by request type and the type of personal information involved.

  • Have you separately tracked sensitive personal information?

    Consumers have the right to limit the use and disclosure of sensitive personal information, which requires tracking this data separately and know how limit its use.

  • Have you identified which personal information need not be deleted?

    The CCPA contains a number of exceptions to the right to delete. Any data that fits in these categories should be identified in advance.

  • Do you have a way to deidentify or aggregate personal information?

    Businesses can retain personal information that is deidentified or in the aggregate, even if the consumer submits a deletion request.

  • Have you created a process for relaying consumer requests to third parties, contractors, and service providers?

    Third parties and service providers also must comply with CCPA requests, but it is your business’s responsibility to forward those requests.

  • Is there a clear process for stopping the sale or sharing of a consumer’s personal information upon request?

    Businesses only have 15 days to respond to an opt-out request.

  • Are opt-out requests easy to execute, requiring minimal steps?

    Making an opt-out request can’t require more steps than the process to opt in, and it can’t be designed in a way that discourages consumers from making the request.

Read more about handling CCPA privacy requests.

Data Security Requirements

Only the California Privacy Protection Agency or the Attorney General or can enforce most CCPA violations, but the law does create a private right of action for consumers in the event of a data breach. If consumers’ nonencrypted and nonredacted personal information is subject to unauthorized access due to a business’s failure to implement reasonable security procedures, they can recover either actual damages or statutory damages of up to $750 per incident. Though the CCPA doesn’t define what reasonable security procedures are, here is some general guidance.

  • Does your business encrypt the personal information it collects?

    Given the law’s emphasis on encryption, this is the logical place to start.

  • Are you using adequate and up-to-date cybersecurity tools?

    As with any of these requirements, what is adequate will depend on the situation, including what personal information is involved.

  • Do you have physical security measures in place to restrict access?

    Alarm systems, surveillance cameras, keycard access, etc.

  • Is employees’ access to personal information restricted as appropriate?

    When providing employees access to sensitive personal information, a background check may be a reasonable requirement.

  • Do you conduct regular audits of your business’s data security policies?

    Businesses should periodically update their system to close any gaps and prevent security breaches.

Read more about the CCPA’s private right of action.

How to Become CCPA Compliant

If you answered “no” to any of the questions above, then your business still has some work to do to get fully CCPA compliant.

Handling the project in-house is time-consuming and risky, while hiring a law firm or consultant is expensive. TrueVault is a software tool that automates the process, starting with data mapping and going all the way through responding to consumers’ privacy requests. Your business can be CCPA compliant in as little as a few days, and at a fraction of the cost of hiring a consultant.

Contact our team to learn more and schedule a demo.

Schedule Call