California Consumer Privacy Act (CCPA)

What is CCPA?

California’s landmark consumer privacy law, the California Consumer Privacy Act (CCPA), was passed by the state legislature and signed by the governor on June 28, 2018. It went into effect on January 1, 2020 and while no fines have been issued as of June 2022, for-profit organizations that target or collect the personal data of California residents must follow this law.

Organizations that fail to comply with CCPA can be fined up to $2,500 per unintentional violation and $7,500 per intentional violation. The California Privacy Protection Agency (CPPA) was recently established as a dedicated privacy regulator to enforce the CCPA and the California Privacy Rights Act (CPRA).

Who does CCPA apply to?

CCPA applies to companies that collect the data of California residents AND HAVE any one of the following:

  • Have $25 million or more in annual revenue.
  • Possess the personal data of more than 50,000 “consumers, households, or devices”.
  • Earn more than half of their annual revenue selling consumers’ personal data.

What are the CCPA requirements?

Current CCPA compliance requirements include:

  1. Providing California residents a way to know if their personal data has been collected.
  2. Allowing California residents to opt-out of personal information sales, request disclosure of their collected personal information in a portable format, and request deletion of their personal data.
  3. Documenting and tracking personal information collection, processing, and sharing activities.
  4. Implementing security controls and policies to safeguard personal information.
  5. Assessing CCPA compliance for vendors that receive personal information.
  6. Training personnel with access to personal information on CCPA requirements.

Do I need an audit to prove CCPA compliance?

No, though you may have customers who will ask you to have an audit as an extra step to prove that you are compliant.

Was this article helpful?

Have more questions? Submit a request



Article is closed for comments.