Is My Business CCPA Compliant?


If you’ve already determined that the California Consumer Privacy Act (CCPA) applies to your business, the next logical step is to ask, “Are we already CCPA compliant?” Obviously, any business owner or manager would prefer for this to be the case—it means you wouldn’t have to take any further action and could get back to running your business. Unfortunately, it’s unlikely that your business’s current personal-data collection practices already match 100% with all of the CCPA requirements.

CCPA compliance requires more than just posting a privacy policy; it requires businesses to keep track of consumers’ personal information in new, more systematic ways. This starts with creating a detailed data map that covers all of your business’s data collection points, storage locations, and disclosures to outside parties. Your business’s privacy policy is simply the public-facing disclosure of your business’s privacy efforts. Much of what it takes to be compliant takes place behind the scenes.

This quick CCPA compliance assessment will help you understand the current state of your business’s compliance with the California data privacy law. It’s not a substitute for legal advice or talking to a compliance expert, but it will give a general idea as to what changes, if any, you must make.

Privacy Notices

Your business likely already has a privacy policy posted online, but the CCPA requires that it include some specific notices to California residents (“consumers”).

Does your current privacy policy:

  • Tell consumers what personal information is collected, from what sources, and for what business or commercial purposes?

    “Personal information” is broadly defined by the CCPA, and includes everything from browsing history to biometric information to IP addresses. It will be very difficult to meet this requirement without first creating a data map.

  • Inform consumers of their CCPA privacy rights?

    The CCPA gives Californians the right to know, right to delete, right to opt out of the sale of their personal information, and right to non-discrimination.

  • Provide instructions for making verifiable privacy requests?

    Deletion requests and requests to know must be verified by the business, with the level of verification depending on the personal information involved. You must provide clear instructions, and the process cannot be too burdensome.

  • Inform consumers they can make a request through an authorized agent?

    Businesses can, and should, verify the agent’s permission to act on behalf of the consumer. These verification procedures should also be included in the privacy policy.

  • Tell consumers what personal information is disclosed to third parties and service providers, and the categories of those third parties and service providers?

    Accomplishing this will require you to first classify all vendors to determine if they meet the CCPA definition of a “service provider.” Ideally, this information should also come from your data map.

  • Provide at least two methods of contacting your business and submitting requests?

    At least one of these methods should be related to how you normally interact with consumers. For example, if you normally interact with consumers online, you must provide an online contact method.

  • Tell consumers what personal information is sold to third parties, and the categories of those third parties?

    According to the CCPA’s definition, you may be selling personal information without realizing it. Common business practices such as using retargeting or behavioral advertising are considered selling.

  • Provide information in an ADA-compliant manner that is reasonably accessible to users with disabilities?

    The format and design should follow recognized industry standards such as the Web Content Accessibility Guidelines version 2.1.

If Your Business Sells Consumers’ Personal Information:

  • Do you have a separate page or section of your privacy policy informing consumers of their right to opt out?
  • Is there a clear and conspicuous “Do Not Sell My Personal Information” link on your homepage?

    This link should take the consumer to the page or section described above.

  • Do you have an online interactive form for submitting requests to opt out?

    At least one of the two opt-out methods must be such a form.

Additional Privacy Notices

Your business may be required to include the following notices.

  • Employee and job applicant notices

    Though employees and job applicants cannot currently submit privacy requests, businesses must still disclose what personal information they collect from them and for what purposes.

  • Financial incentives notice

    In some limited circumstances, businesses may offer financial incentives to consumers for opting in to the sale of their personal information. If so, the business must disclose the details of these incentives.

  • Consumers under the age of 16

    If your business has knowledge that it sells personal information from consumers who are 15 or younger, it must provide information about how to obtain their consent.

  • High volumes of personal information

    If your business collects the personal information of more than 10 million consumers, it must provide additional information.

  • Brick-and-mortar business locations

    If you collect personal information at a physical store location, you must provide privacy notices there as well, include all information in your online privacy policy, and provide a toll-free number for making CCPA privacy requests.

Read more about the CCPA’s privacy notice requirements.

Responding to Consumer Requests

There are four different types of privacy requests that correspond to consumers’ rights under the CCPA: requests to know the categories of personal information collected, requests to know the specific pieces of personal information collected, requests to delete, and requests to opt out. Each of these request types has its own rules, requirements, and exemptions. This portion of the checklist will help assess your business’s readiness to respond to privacy requests.

  • Do you know exactly what personal information must be disclosed or deleted upon request, and where it is stored?

    Without a thorough and up-to-date data map, it will be very difficult to know if you are fully complying with consumers’ requests.

  • Are there at least two methods for submitting consumer requests?

    At least one of the methods should relate to the way your business normally interacts with consumers.

  • Do you have a designated email address for privacy requests?

    While not necessarily required by the CCPA, it’s recommended to have all privacy requests and questions going to one inbox.

  • Do you have a clear verification procedure in place for requests to know and requests to delete?

    The level of verification needed varies by request type. Requests to know categories of personal information require less stringent verification than requests to know specific pieces of information. Similarly, deletion requests may vary depending on the type of consumer data to be deleted.

  • Have you identified categories of sensitive personal information?

    For security reasons, some types of personal information should not be disclosed in response to a request to know. These include Social Security numbers, passport numbers, account passwords, and more.

  • Have you identified which personal information need not be deleted?

    The CCPA contains a number of exceptions to the right to delete. Any data that fits in these categories should be identified in advance.

  • Do you have a way to deidentify or aggregate personal information?

    Businesses can retain personal information that is deidentified or in the aggregate, even if the consumer submits a deletion request.

  • Have you created a process for relaying consumer requests to third parties and service providers?

    Third parties and service providers also must comply with CCPA requests, but it is your business’s responsibility to forward those requests.

  • Is there a clear process for stopping the sale of a consumer’s personal information upon request?

    Businesses only have 15 days to respond to an opt-out request.

  • Are opt-out requests easy to execute, requiring minimal steps?

    Making an opt-out request can’t require more steps than the process to opt in, and it can’t be designed in a way that discourages consumers from making the request.

Read more about handling CCPA privacy requests.

Data Security Requirements

Only the California Attorney General can take businesses to court over most CCPA violations, but the law does create a private right of action for consumers in the event of a data breach. If consumers’ nonencrypted and nonredacted personal information is subject to unauthorized access due to a business’s failure to implement reasonable security procedures, they can recover either actual damages or statutory damages of up to $750 per incident. Though the CCPA doesn’t define what reasonable security procedures are, here is some general guidance.

  • Does your business encrypt the personal information it collects?

    Given the law’s emphasis on encryption, this is the logical place to start.

  • Are you using adequate and up-to-date cybersecurity tools?

    As with any of these requirements, what is adequate will depend on the situation, including what personal information is involved.

  • Do you have physical security measures in place to restrict access?

    Alarm systems, surveillance cameras, keycard access, etc.

  • Is employees’ access to personal information restricted as appropriate?

    When providing employees access to sensitive personal information, a background check may be a reasonable requirement.

  • Do you conduct regular audits of your business’s data security policies?

    Businesses should periodically update their systems to close any gaps and prevent security breaches.

Read more about the CCPA’s private right of action.

How to Become CCPA Compliant

If you answered “no” to any of the questions above, then your business still has some work to do to get fully CCPA compliant.

Handling the project in-house is time-consuming and risky, while hiring a law firm or consultant is expensive. TrueVault Polaris is a software tool that automates the process, starting with data mapping and going all the way through responding to consumers’ privacy requests. Your business can be CCPA compliant in as little as a few days, and at a fraction of the cost of hiring a consultant.

Contact our team of compliance experts to learn more about TrueVault Polaris.