CCPA Compliance 101: Everything You Need to Know

Is your business CCPA and CPRA compliant? Learn everything you need to know about CCPA compliance with this guide.
Media - Anthony Gagliardi

by Tony Gagliardi

May 10, 2022
CCPA Compliance 101 Everything You Need to Know

In 2018, California passed one of the strictest data privacy laws ever enacted—the California Consumer Privacy Act, or CCPA. 

In the ‘90s, internet users may not have given data privacy a second thought. However, 30 years later, consumers have become savvier about the risks associated with sharing personal data such as addresses, credit card information, and even political affiliations and educational history. 

The rise of data leaks hasn’t helped either. In 2018, we saw data leaks from companies like Google, Facebook, T-Mobile, and Marriott. These leaks compromised the privacy of millions of people globally. 

In response to consumer interest, the California legislature proposed a new ballot initiative. CCPA would hold businesses more accountable to how they educate and empower their customers to protect their data. California voters cast a resounding “Yes,” to CCPA, and on January 1, 2020, the law kicked into effect. 

In the following article, we’ll explain CCPA, the rights it gives to consumers, and how businesses need to respond to stay safe and compliant. 

What is CCPA? 

Most notably, CCPA gives consumers a range of rights over their personal information and how it’s shared by businesses. One of these rights is the ability to request that their personal data be deleted. 

CCPA also establishes a set of guidelines for businesses to implement and remain compliant with the law. 

Consumer Rights

The hallmark of CCPA is that it places control of personal data back in the hands of consumers. It’s primarily focused on transparency. While many consumers may give companies permission to share their data, CCPA ensures that they know their data is being shared and have the right to revoke that right. 

CCPA ensures that consumers have the right to:

  • Know about the personal information (PI) that a business collects about them and how, why, and who it’s shared with. 

  • Delete PI that has been collected from them (there are  exceptions to this provision). 

  • Opt-out of the sale of their PI.

  • Not experience discrimination in the exercise of CCPA rights. 

To ensure these rights for consumers, businesses must comply with a certain set of regulations.

Business Obligations

As mentioned above, the primary tenet of CCPA is to provide transparency. 

Qualifying businesses must have a framework and a plan for telling consumers before they collect data from them. They must clearly communicate consumer rights and provide a link that immediately gives consumers the right to opt out—a pop-up at the footer at the bottom of a homepage with “Do Not Sell My Personal Information” is typical. 

Businesses must also respond to consumer requests within 45 days and keep a record of those requests for two years. 

Finally, businesses are obligated to be transparent about their financial incentives for sharing consumer data with third parties. 

To understand the obligations in detail, here’s a list of CCPA regulations


Businesses may be penalized for up to $2,500 per violation or $7,500 per intentional violation should they fail to respond to consumer requests and have not responded to notifications within 30 days. If there is a data breach, consumers can also take action against companies to recover damages of up to $750 per violation.

Frequently Asked Questions

Becoming CCPA-compliant can feel overwhelming for California-based businesses. Many companies were woefully unprepared for the new law. In 2019, less than 10% of qualifying companies were estimated to be sufficiently prepared for CCPA. 

To become compliant, businesses can start by asking these basic questions about the privacy protection law. 

Does CCPA Apply to My Business? 

CCPA has explicit applicability requirements, so it’s important to determine whether your business qualifies as a candidate. 

If your company does business in California AND you answer “yes,” to any of the following questions, then your business must meet CCPA regulations. 

  • Do you have a gross revenue of more than $25 million annually?

  • Do you buy, sell, receive, or share the PI of 50,000 or more California residents, households, or devices for commercial purposes?

  • Is 50% or more of your revenue from the sale of PI?

If you answered “no” to all of these questions or do not do business in California, then your organization is not required to adhere to CCPA.

Even if CCPA is not explicitly required for your organization, adhering to CCPA may be a good business decision to demonstrate your company’s commitments to privacy.

How is Personal Information Defined Under CCPA?

Personal information, or PI, is information that can be linked to or used to identify you or your household. 

That can range from basic contact information and household addresses to your purchasing and browsing history. PI can range from private information—such as social security numbers—to something as innocuous as age. 

How Does CCPA Differ From GDPR?

Though CCPA has been referred to as the “GDPR of California,” the two laws are different. GDPR, or General Data Protection Regulation, protects the data privacy of citizens in the European Union. 

GDPR is different from CCPA in that:

  • GDPR focuses specifically on individuals; CCPA focuses on the privacy of individuals


    and households. 

  • GDPR is broader in scope and applies to more businesses. 

  • GDPR follows an opt-in model whereas CCPA follows an opt-out model.

Although companies that are GDPR-compliant may have advantage when it comes to CCPA, their key differences should be noted.

What is a Third Party Under CCPA? 

To be compliant with CCPA, you’ll need to understand how a third party is defined. A third party is any entity (person or organization) that is NOT a business that collects PI from consumers under CCPA or a consumer to which the law applies. 

Broadly speaking, a third party under CCPA is a service provider. Service providers or contractors must understand what they are restricted from doing under CCPA regulations. 

To remain compliant, businesses are responsible for ensuring that their third-party partners also meet CCPA regulations. 


Here are some helpful resources for continuing to maintain CCPA compliance. 

New data privacy laws like CCPA may be complex, but they don’t have to represent a massive headache. Using a tool to help you monitor compliance on an ongoing basis helps you and your customers to stay safe—and helps you avoid legal fines and reputation damage.

To learn more about how Drata can help you remain compliant with various frameworks and regulations, schedule a demo with our team.

Trusted Newsletter
Resources for you
Image - Andy joins drata list

Meet Andy Bryars: Director of Customer Success Group in EMEA

Image - Drataverse Tony Hawk List

Drata Announces Tony Hawk As Drataverse Keynote Speaker

Image - Drataverse '24 Agenda Preview

GRC Growth: Sneak Peek Into the Drataverse ‘24 Agenda

Media - Anthony Gagliardi
Tony Gagliardi
Tony Gagliardi is Manager of Compliance Advisory Services at Drata. He advises customers on building sound cybersecurity risk management programs that meet security compliance requirements. Tony is a Certified Information Systems Security Professional (CISSP) specializing in GRC, SOC 2, ISO 27001, GDPR, CCPA/CPRA, HIPAA, various NIST frameworks and enterprise risk management.
Related Resources

The No-nonsense CCPA Compliance Checklist

CCPA Compliance 101 Everything You Need to Know

CCPA Compliance 101: Everything You Need to Know


GDPR vs. CCPA: Key Differences and Similarities