California Consumer Privacy Act: a practical CCPA compliance checklist
Recently, California Attorney General Rob Bonta announced a $1.2 million settlement with Sephora to resolve allegations that the cosmetics retail giant had been in violation of the California Consumer Privacy Act and failed to remedy these violations within the 30-day window allowed by the regulation. The news sent shockwaves through the data privacy community, marking the first-ever enforcement action handed down under CCPA as well as an increasingly unyielding regulatory emphasis on protecting customers’ right to privacy.

“I hope today’s settlement sends a strong message to businesses that are still failing to comply with California’s consumer privacy law. My office is watching, and we will hold you accountable,” warned Bonta. “It’s been more than two years since the CCPA went into effect, and businesses’ right to avoid liability by curing their CCPA violations after they are caught is expiring. There are no more excuses. Follow the law, do right by consumers, and process opt-out requests made via user-enabled global privacy controls.”

He’s been making good on his promise. A car dealership, a grocery store chain, an online dating platform, and a pet adoption agency have all been found in non-compliance with CCPA since it came into effect in January 2020, TechTarget reported. Of the organizations notified in the first year of enforcement, 75% promptly took steps to fix non-compliance issues, Bonta pointed out in a July 2021 statement, while the remaining 25% included businesses that were still within their statutory 30-day “cure” windows or under active investigation at the time.

So what exactly makes the California Consumer Privacy Act a landmark data privacy law and what is it intended to achieve? Just as importantly, what is CCPA compliance all about and what can businesses do to foster a compliant culture? Find out from our CCPA compliance guide below.

What is CCPA and does it apply to you?

The CCPA, short for California Consumer Privacy Act of 2018, gives California consumers more control over the personal information that businesses collect about them. More specifically, it secures new privacy rights for consumers, including:

● The right to know about the personal information a business collects about them and how it is used and shared;
● The right to delete personal information collected from them (with some exceptions, for example, if the data in question is needed to detect a security incident);
● The right to opt out of the sale of their personal information; and
● The right to non-discrimination for exercising their CCPA rights.

And who does the CCPA apply to? All for-profit businesses that do business in the state of California and meet any of the following criteria:

● Have a gross annual revenue of over $25 million;
● Buy, receive, or sell the personal information of 50,000 or more California residents, households, or devices; or
● Derive 50% or more of their annual revenue from selling California residents’ personal information.

Who and what type of data does the CCPA data protection law protect?

Now that we’ve covered who’s subject to CCPA, let’s see whom the law intends to protect. In short, California residents: any natural person, as opposed to a corporation or other business entity, who resides in the state of California, even if that person is temporarily outside of the state.

Under CCPA, businesses must grant consumers more visibility, transparency, and control over their personal data. CCPA, however, defines this type of data more broadly than typical privacy-related laws in the United States, Deloitte points out. Under CCPA, personal data is “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.”

That said, the definition also lists several standard examples, such as social security numbers, driver’s license numbers, purchase histories, and “unique personal identifiers”, i.e. persistent identifiers that can be used to recognize a consumer, a family, or a device that is linked to them. Aggregated data, medical data, and information that’s lawfully made available from federal, state, or local government records don’t fall into this category.

CCPA vs. GDPR: what’s the difference?

Reading the goals and provisions of CCPA, it’s hard not to draw parallels with other milestone data protection laws, most notably the EU’s General Data Protection Regulation (GDPR). Similarities indeed abound, but there’s a key difference.

The GDPR applies to any company that collects and handles the personal data of an individual residing in the European Union, no matter the volume of data it processes, how much revenue it generates, or where that revenue comes from.

The CCPA, however, protects the rights of California residents only. Plus, it pertains only to for-profit entities that do business in that state and, as detailed above, meet specific thresholds regarding the scale of their data collection activity and how much it contributes to their gross income.

CCPA compliance requirements: two key clusters, explained

Businesses’ obligations under California’s watershed consumer privacy protection act roughly fall into two categories.

Upon receiving a “verifiable consumer request”, the CCPA term for a data access request, businesses are obliged to provide California consumers with information about:

● the categories of personal information (PI) collected about them;
● the categories of sources from which the data was gathered;
● the commercial purpose for collecting or selling the PI;
● the categories of third parties with whom the business shares PI;
● the specific pieces of PI collected about the consumer.

The information must cover the 12-month period prior to the submission of the request and be handed over free of charge.

Companies subject to the CCPA must also make sure that their privacy policy or policies detail what categories of personal information are collected about the consumer, from where and for what commercial or business purpose, along with the categories of third parties the information will be shared with, and what specific pieces of personal information are collected about the consumer.

In their policies or on their website, and in any California-specific description of consumers’ privacy rights, businesses must also provide consumers with a description of their rights. What they are prohibited from doing is using consumers’ sensitive personal information for any purpose other than what they’ve disclosed, unless they first notify consumers that their data is being used in new ways and inform them of their right to limit the scope of that use.

CCPA disclosure requirements also extend to selling personal information. In particular, if a business sells or discloses consumer information to third parties, the privacy notice must also list the categories of PI sold or disclosed, complete with the categories of third parties who purchased it, plus a clause that informs consumers of their “right to opt out”, i.e. to expressly direct the entity not to sell their personal information.

CCPA security requirements: is there a gold standard?

In one word: no. “The regulations implementing the CCPA only require that a business utilize reasonable security in the context of personal information collected or processed for specific purposes – i.e., consumer requests and information provided in response to access requests,” explains David Zetoony on The National Law Review.

Non-compliance with the California Consumer Privacy Act comes with a hefty price tag, as high as $7,500 per CCPA violation. But that’s only half the story. According to a 2021 survey by Enterprise Strategy Group, concerns over reduced productivity, lawsuits, recovery costs, and reputational damages are just as strong a motivation for achieving and maintaining compliance.

CCPA compliance checklist: how to get and stay compliant

1. Find out if you’re covered
   As we’ve pointed out earlier, CCPA doesn’t cover businesses that bring in less than $25 million in annual gross revenue, handle data for fewer than 50,000 Californians, or generate less than half their revenue from selling personal information.
2. Comb through your data assets
   CCPA pertains to a broad range of personal information, and you might not even be aware of the full scope of your organization’s data collection practices. It’s crucial that you understand where and what kind of consumer information enters and exits your databases – and why.
3. Make your privacy policy bulletproof
   Remember: under CCPA, your privacy statement or website must expressly inform consumers of their rights under the data protection law, including opting in or opting out, and of how exactly they can exercise them. Also make sure to detail the type of PI you collect and hand over to third parties.
4. Create a request processing workflow
   Under CCPA, consumers are fully entitled to know what type of personal information you’ve gathered about them and even to ask you to delete it. Set up mechanisms to ensure that each request is verified, followed up on, and honored within 45 days.
5. Bring everyone up to speed
   CCPA-covered entities must provide compliance training to employees who handle consumer inquiries about their privacy practices and to anyone who’s responsible for their business’s CCPA compliance, with a focus on how consumers can exercise their rights.

How Tresorit can help you boost your CCPA compliance efforts

A zero-knowledge, end-to-end encrypted file management and collaboration platform, Tresorit empowers you to:

Make your cloud a safer place with end-to-end encryption
Every file and its relevant metadata on our users’ devices are encrypted with randomly generated encryption keys. Accessing files is only possible with a user’s unique decryption key, which no one else, not even Tresorit, has knowledge of. This means that even if our servers were breached, no one would be able to read the contents of your files.

Stay in control of what happens to your data
Implement data protection measures while collaborating on files, including controlling who has access to what data, logging file activities, and creating internal security policies for data management. No file content can be modified without you knowing about it, thanks to cryptographic authentication applied to all encrypted data in the form of HMAC or AEAD.
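To make the integrity claim above concrete, here is an added encrypt-then-MAC check (example code, not Tresorit’s own; the record layout, field names and the choice of HMAC-SHA256 are assumptions) showing how a tag over the ciphertext and its metadata rejects a modified ciphertext, a rolled-back metadata field, and a record copied to a different file id:

```python
import hashlib
import hmac
import os
import struct

# Constructed example: integrity layer for an encrypted file record.
# The ciphertext is treated as opaque bytes; only authentication is shown.


def _encode(*fields: bytes) -> bytes:
    """Length-prefix every field so the ciphertext/metadata boundary is
    unambiguous; without this, shifting bytes between fields could keep
    a tag valid."""
    return b"".join(struct.pack(">I", len(f)) + f for f in fields)


def seal(mac_key: bytes, file_id: bytes, ciphertext: bytes, metadata: bytes) -> bytes:
    """Tag binding ciphertext and metadata to this file id (HMAC-SHA256)."""
    msg = _encode(file_id, ciphertext, metadata)
    return hmac.new(mac_key, msg, hashlib.sha256).digest()


def verify(mac_key: bytes, file_id: bytes, ciphertext: bytes, metadata: bytes, tag: bytes) -> bool:
    """Constant-time comparison avoids leaking how many tag bytes matched."""
    expected = seal(mac_key, file_id, ciphertext, metadata)
    return hmac.compare_digest(expected, tag)


def tamper_is_detected() -> bool:
    """Seal one constructed record, then try three modifications."""
    key = os.urandom(32)            # in the E2EE model this key never leaves the device
    fid = b"file-0001"
    ct = os.urandom(64)             # stands in for encrypted file content
    md = b'{"name":"report.pdf","version":3}'
    tag = seal(key, fid, ct, md)
    if not verify(key, fid, ct, md, tag):
        return False
    flipped = verify(key, fid, bytes([ct[0] ^ 0x01]) + ct[1:], md, tag)   # one ciphertext bit
    rolled = verify(key, fid, ct, b'{"name":"report.pdf","version":2}', tag)  # metadata rollback
    moved = verify(key, b"file-0002", ct, md, tag)                           # record reused elsewhere
    return not (flipped or rolled or moved)
```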

Set up and enforce enterprise security policies in one place
Make sure that everyone on your team is on the same page when it comes to using crucial data security tools and processes. Apply policy templates, including 2-step verification, IP filtering, timeout policies, and sharing policies, to a set of users, create different policies for each template and modify these policies at any moment through a single interface.

Keep access secure and limited
Monitor and decide which devices are allowed to access which files within the organization and from where users are allowed to log in to their company account to safeguard business-critical documents. Manage files and tresors at a granular level, ensuring that they’re only accessible to those who need them, and limit file downloads or revoke access at any time.