The No-nonsense CCPA Compliance Checklist

Our 16-step CCPA compliance checklist can ensure you protect consumer data and meet security requirements outlined in the California Consumer Privacy Act.
Troy Fine

by Troy Fine

November 16, 2023
ccpa-checklist-hero

One of the strictest privacy laws in the United States, the California Consumer Privacy Act (CCPA), defines the responsibilities of businesses to protect California residents’ privacy rights. Becoming CCPA compliant ensures your business can fulfill these responsibilities in a way that makes sense for your California operations. The only problem? CCPA compliance is a high bar to clear. 

In its State of CCPA Compliance report, CYTRIO found that only 11% of companies meet all CCPA requirements. Here, we’ll explain its guidelines, note which organizations must comply with the CPPA, and share a checklist to help keep you compliant.

Quick Refresher: What Is the CCPA?

The CCPA is a 2018 policy defining the responsibilities of for-profit businesses to protect California residents’ privacy rights. Specifically, it was passed to protect Californians’ personal information (PI) in the wake of data leaks from companies like Facebook and Google. The CCPA holds businesses accountable for lack of cybersecurity and empowers customers by reinforcing data privacy rights. 

After a 2020 referendum, the State of California amended its CCPA with the California Privacy Rights Act (CPRA). The CPRA enhanced many of the CCPA’s original privacy protections by adding a new category for Sensitive Personal Information (SPI), expanding the requirements for consent, and introducing additional consumer rights. 

Since taking effect on March 29, 2023, the two policies work as one to protect California residents’ privacy rights, and is still referred to as “CCPA”. It is also worth noting that enforcement of the net new requirements in CPRA has been delayed until March 29, 2024.

CCPA-definition

Who Does CCPA Compliance Apply To?

Companies that do business in California and meet one of the following requirements must comply with the CCPA:

  • You have gross annual revenue above $25 million.

  • You buy, sell, receive, or share PI for commercial purposes from 100,000 or more California residents, households, and devices.

  • Your PI sales account for more than 50% of company revenue.

Companies that don’t meet these requirements are not subject to comply with the CCPA. Still, CCPA compliance may help prepare you for future growth and reinforce your company’s social responsibility programs. Once you have the policies in place required for CCPA compliance, it can also help reduce the time and effort required to comply with other industry compliance frameworks like the GDPR.

Note: The CCPA excludes government agencies, nonprofit organizations, and businesses under other privacy regulations, such as the Health Insurance Portability and Accountability Act (HIPAA).

CCPA Scope and Types of Data Collected

The CCPA defines personal data as "information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household." 

Examples of personal data include a customer’s:

  • Full name

  • Mailing address

  • Contact information

  • IP address

  • Consumer preferences and purchase history

  • Sensitive personal information (such as legal ID numbers, SSN, financial information, biometric data, etc.)

Publicly available information falls outside the scope of the CCPA. For example, press statements and public social media posts aren’t protected.

16-Step CCPA Compliance Checklist

As you prepare to comply with the CCPA, this checklist will provide guidance to help you understand the processes and controls you must implement. 

Interactive checklist goes here

1. Understand Your Exposure to Personal Information Regulation

The CCPA forefronts user consent when selling and storing their information. However, even with a customer’s permission, businesses must carefully manage the data they retain. Companies also need to factor in data minimization by only collecting data needed for specified business purposes. 

Companies often collect more personal information than they realize, which increases their risk posture and could lead to severe financial penalties. You should identify opportunities to reduce the data you collect or limit the time you retain that data.

Audit your data collection processes to understand:

  • What PI you collect and why

  • Where you store collected PI

  • Who has access to this PI

  • Which third parties you share this PI with

  • How are you protecting the collected PI

2. Audit Your Third-Party Exposure to CCPA Compliance

Most companies share consumer PI with billing services, credit card processors, and other third parties. The CCPA requires these third parties to comply with your company’s PI protection policies. Determine your third-party vendors’ compliance with the CCPA, their security practices, and the controls they use to comply with your privacy policies.

The CPRA adds an extra obligation for third parties. Vendor contracts restrict the use of users’ personal information outside of their contractual relationship. So, third-party contracts must explicitly state:

  • What data parties share

  • Why they shared this data

  • Who they share this data with

  • How the shared data must be protected

3. Audit and Update Your Security and Data Protection Controls and Processes

The CCPA holds businesses accountable for implementing cybersecurity controls and performing a risk assessment relevant to retaining and safeguarding customer data. If a business can’t protect its users’ PI, those customers can file a lawsuit against the company. Hence, investing in data protection and CCPA security controls is essential. The CCPA does not prescribe specific methods, leaving it to each business to choose reasonable security measures for protecting PI.

Note: Certain practices can mitigate the impact of security breaches. Consumers can’t sue companies under the CCPA if, for example, their stolen personal information was encrypted or de-identified.

4. Refine Your Data Governance

Understand the personal information you collect and evaluate your data governance approach to ensure it aligns with the CCPA. Strong data governance:

  • Emphasizes users’ data rights under the CCPA

  • Protects PI from outside threats

  • Ensures third parties meet CCPA standards

  • Records information accurately

5. Prepare an Incident Response Plan

Whether as an independent process or part of an overall risk management plan, develop incident response procedures to handle CCPA violations such as stolen PI or a breakdown in privacy practices. Assign responsibilities to specific stakeholders and perform regular simulations to prepare your responses to potential incidents.

6. Implement Identity Verification Systems

CCPA compliance requires responding to consumer requests. Prior to responding, you must have processes in place to verify the requestor’s identity. Granting someone access to another person’s personal information is a CCPA violation. In addition, identity verification should also consider the user’s age, which influences your data collection and handling activities:

  • Californians can ask companies to stop selling their personal information at any time. 

  • For minors between the ages of 13 and 16, the sale of personal data requires their affirmative authorization.

  • Companies need parental or legal guardian’s consent to sell the personal information of children younger than 13.

7. Develop a Privacy Policy

Companies must publish a statement of their privacy policies. This is often a webpage linked to the company’s home page or on its mobile app. A privacy policy describes how you collect, use, share, and sell consumer PI online and offline. The privacy policy must also explain consumers’ rights under the CCPA and how to exercise those rights.

The CPRA added principles of correcting inaccurate information and data minimization that limits how companies can retain, use, and share collected PI. In your privacy policy, note how long you intend to keep data for business purposes. You should also include this information in a notice at collection. 

8. Develop a Notice at Collection

Companies must also provide consumers a notice at collection on or before requesting personal information. Among other things, this notice must list the categories of information you collect and why you collect it. If you sell this information, then the notice at collection must include a Do Not Sell link.

9. Implement Systems to Support Consumers’ Right to Opt Out

Clear and conspicuous “do not sell my personal information” links should be available on the business’s website. This should send users to a page that allows them to opt out from data sales, even without creating an account to do so. Opt-out options like these help comply with CCPA’s website technical specification requirements. If these methods are not available, consumers should be able to submit their opt-out request in writing. The CPRA extends the right to opt out from any form of data sharing, regardless if it involves  financial compensation or not. 

Note: After opting out, businesses must wait 12 months before asking users to opt back into the sale of their personal information.

10. Implement Systems to Support Consumers’ Right to Know and Correct their Information

The CCPA also gives consumers a right to know what personal information businesses collect from them, so companies need systems that let consumers request to see their data. For example, a customer can ask you for a report detailing their personal information at any time.

When a consumer submits a request, you have up to 45 days to verify and respond with all the requested information. You can extend that window by another 45 days, however it requires that you notify the consumer in advance and the cause for delay is reasonable, such as data retrieval issues after a breach. 

From there, users can request changes to correct or update any inaccurate information related to them. Businesses can enable this through any of the following methods:

  • Web form

  • Publicly available email address

  • Toll-free number

CCPA-rights

11. Implement Systems to Support Consumers’ Right to Delete

California consumers have a right to request companies delete their personal information. Upon receiving a valid request, you have 45 days (or 90 days with valid reason and sufficient notification) to delete the information from your records. Any third parties and/or contractors you share that information with must also delete the data. 

Develop systems and processes to accept and review these requests. Additionally, create methods to verify that you, your contractors, and related third-party service providers deleted all relevant information. Failure to delete this data can lead to penalties or fines. 

12. Implement Systems to Support Consumers’ Right to Nondiscrimination

Companies may not treat consumers differently because they exercise their rights under the CCPA. Additionally, companies cannot show preferential treatment to certain data subjects. 

There are cases, however, where the nondiscrimination right does not apply. For example, you can require consumers to provide the personal information needed to complete a transaction. A consumer unwilling to provide their data cannot expect preferential treatment.

13. Train All Personnel

Any employees and contractors involved with collecting, storing, processing, selling, or sharing consumer information must follow your company’s privacy policies and procedures for protecting consumer PI. Conduct regular training sessions to ensure people understand their roles and responsibilities.

14. Use Automation to Continuously Monitor Compliance 

Manually tracking CCPA compliance is impractical for companies above a certain size. These businesses can stay within CCPA guidelines with a continuous compliance platform. While audits aren’t required by the CCPA, businesses should monitor their security practices to avoid fines in case they ever get investigated. 

Automation helps provide daily CCPA compliance. Crossing siloed tech stacks, automated CCPA compliance tools such as Drata give you a single view of your compliance posture.

15. Conduct Independent Risk Assessments

The CPRA states that high-risk organizations that retain PI or sensitive data may need independent risk assessments from an independent third party to stay compliant. These tests should resemble the data protection impact assessments (DIPAs) the GDPR requires.

After third parties check how a business manages consumer safety and privacy risks, they share the results with a regulatory agency. These tests should occur at least once a year. 

16. Incorporate Feedback to Improve CCPA Compliance Processes

Your CCPA compliance process must evolve with the regulatory and threat landscapes. Stay ahead of these changes by developing feedback mechanisms to incorporate learnings from compliance events and conduct regular reviews of your CCPA compliance program. 

CCPA Compliance FAQ

To help you cover your bases, we answered a few frequently asked questions about CCPA non-compliance costs and key ideas. 

What Are the Risks of CCPA Non-Compliance?

Companies that violate CCPA standards face fines from the attorney general and lawsuits from customers. If accidental, companies face penalties reaching $2,500 per violation. Intentional violations, however, could cost up to $7,500 per violation. In the event of a data breach, consumers may sue for up to $750 in damages per violation. 

You can face a penalty for:

  • Non-compliant privacy policies 

  • Ignoring CCPA requirements on cybersecurity

  • Not responding to user requests covered by CCPA rights

  • Lack of transparency over data retention

  • Selling customer information without giving an opt-out option

  • Discriminating against customers who exercised their consumer rights

  • Ignoring notifications from the California Office of the Attorney General

CCPA-penalties

Who Do CCPA Protections Apply To?

The CCPA protects people with a primary residence in California, regardless if the person is temporarily outside of the state. So, you're protected whether you’ve lived in California for a decade or need to stay on a yearlong work placement. 

What Are the Key Principles of the CCPA?

The CCPA places value on accountability, control, and transparency. Here’s what each principle means in context: 

  • Accountability: Businesses should ensure that they follow CCPA regulations and appropriately respond to requests from data subjects. 

  • Control: Users deserve control over their data, so they should have a say in what data gets collected and used. 

  • Transparency: Consumers must be informed how their personal data is collected, used, and shared. Additionally, businesses shall communicate how consumers can exercise their rights.

How Drata Can Help You Stay CCPA Compliant

You don’t need a large presence in California to understand the importance of the CCPA. As the bar for staying compliant rises, organizations need to meet that challenge head-on. By following our CCPA compliance checklist, you can meet the highest standards of data privacy and cybersecurity

If you can’t find a way to stay CCPA compliant, Drata can help. Our platform will automate compliance processes, ensuring you’re always audit-ready. Our approach to continuous compliance will also reduce the risk of data breaches and protect your users’ data. Finally, if you have any questions about compliance standards, our team of experts can lend a hand.

Schedule a demo to see how Drata’s compliance automation solution streamlines meeting CCPA security requirements.

Trusted Newsletter
Resources for you
Image - Drataverse '24 Agenda Preview

GRC Growth: Sneak Peek Into the Drataverse ‘24 Agenda

Join us at RSA

FOMO Alert: Why You Won’t Want to Miss Drata at RSA

Harmonize Announcement

Welcoming Harmonize To the Drata Family

Troy Fine
Troy Fine
Troy Fine is a 10-year former auditor, now Director of Compliance Advisory Services at Drata. He advises customers on building sound cybersecurity risk management programs that meet security compliance requirements. Troy is a CPA, CISA, CISSP, and CMMC Provisional Assessor. His areas of expertise include, GRC, SOC 2 audits, SOC 2+ examinations, CMMC, NIST 800-171, NIST 800-53, Sarbanes-Oxley Section 404 compliance, HITRUST, HIPAA, ISO 27001, and third-party risk management assessments.
Related Resources
ccpa-checklist-hero

The No-nonsense CCPA Compliance Checklist

CCPA Compliance 101 Everything You Need to Know

CCPA Compliance 101: Everything You Need to Know

GDPR vs CCPA

GDPR vs. CCPA: Key Differences and Similarities