The California Consumer Privacy Act (CCPA) is one of the most important global privacy laws, governing the data of 40 million residents and covering 14% of American GDP. Regulatory compliance with CCPA is a critical task to avoid reputational damage and expensive regulatory fines.
This article will introduce CCPA compliance, including essential requirements and risk mitigation concepts.
CCPA definition
The California Consumer Privacy Act (CCPA) is a data privacy law that regulates companies operating in the State of California. The Act grants California residents control over how companies collect, use, and store their personal information.
Compliance with the California Consumer Privacy Act requires transparency, accountability, and the ability to respect rights regarding amending and deleting personal information. Failure to comply can lead to significant financial penalties, making CCPA compliance a core task for all businesses active in California.
Who must comply with the CCPA?
Understanding the scope of CCPA compliance is essential. Not all companies fall under the regulations, although most larger businesses will require compliance strategies.
To start with, the CCPA has a clear territorial scope. The Act only regulates activities within California's borders. This applies to all transactions made by California residents or companies operating from California locations. Aside from territorial scope, there are three main CCPA compliance criteria:
- Gross annual revenues: The CCPA applies to all companies whose revenues exceeded $25 million in the previous calendar year. It does not apply to not-for-profit organizations.
- Scope of data collection: Compliance applies to businesses that collect, share, or sell personal information. It also covers all organizations that handle the data of over 100,000 California residents or households.
- Data sales revenues: Companies that derive over 50% of revenues from selling or storing personal information must comply with the CCPA.
Additionally, the CCPA extends to companies that control or share branding with qualifying businesses. Companies that own over 40% of a joint venture with a regulated business must also achieve CCPA compliance, even if they themselves do not deal with California residents.
What are the key CCPA requirements?
The CCPA sets out six core rights that businesses must provide to consumers. These consumer data rights are:
The right to know
Consumers have the right to know what personal information companies hold about them. Businesses must disclose the personal information they store, where they obtained that personal information, and how they use it.
Importantly, the right to know extends to third parties employed by companies to process or store user data. If a data breach occurs at a partner organization, the company that collected the data in California will be liable.
The right to opt out
Customers have the right to block the sale of data to third parties. Companies must provide a way for customers to opt into data sharing when they purchase products or sign up for services. This facility must be clear and available to all users.
The right to erase data
Consumers have the right to request the deletion of personal information held by CCPA-regulated organizations.
The right to deletion is not absolute. For example, exceptions apply if sensitive personal information is required by law enforcement operations or is essential to complete a transaction.

The right to portability
Under CCPA, companies must provide personal information in a portable format. They must deliver data in a standardized, machine-readable format, enabling customers to move to alternative providers if they wish. Businesses must also respond to consumer requests at no extra charge to the individual.
One condition applies to the right of portability. Companies are only required to comply with two data provision requests from the same individual in any 12-month period.
The right to non-discrimination
All consumers have the same data rights. Companies cannot discriminate against groups based on gender, race, class, or any other identifying factors. Companies cannot offer different tiers of services to customers who choose to exercise their CCPA rights (for instance, opting out of data collection).
The right to limit the disclosure of personal data
This right refers to limits on disclosing sensitive personal information and was added to the CCPA via the California Privacy Rights Act (2020). It goes further than the opt-out rights described above. Under CPRA, sensitive information includes:
- Login credentials
- Social Security Numbers
- Financial data
- Private addresses
- Names and names of relatives
- Racial and ethnic origins
- Geolocation data
- Driver's license numbers
- Citizenship status
- Genetic information
- Sexual orientation
- Medical histories
Sensitive data must be private: publicly available information is not covered by the CCPA. If data falls under the definition of "sensitive", companies must allow individuals to limit its sale and provision to third parties.
Websites must include a link allowing users to "Limit the sale or sharing of my personal information" and must comply with limitation requests within 15 working days.
What are the penalties for non-compliance with the CCPA?
Companies that fail to protect data or meet the six core privacy rights face investigations and CCPA compliance penalties.
The Office of the California Attorney General can bring civil lawsuits seeking a $2,500 fine for each unintentional violation. The amount rises to $7,500 per violation in cases of intentional non-compliance. Under CCPA, an incident involving one consumer's data constitutes a violation. This means wholesale data breach incidents can lead to massive financial penalties.
The size of penalties depends on several factors. Regulators consider the number of violations and the type of data involved. Penalties are higher if companies disclose highly sensitive personal information.
Other factors include the duration of the incident and whether the company deliberately broke CCPA rules. Penalties also tend to be higher when companies have a history of data privacy violations. However, regulators may impose lower fines if companies lack the financial means to prevent lower-level disclosures.
Companies generally have a grace period to enact mitigation measures. When they detect violations, regulators issue a 30-day notice. Penalties apply if the company fails to fix regulatory issues after that period elapses.
Organizations may also face consequences beyond regulatory penalties. For example, CCPA violations can lead to civil lawsuits under the private right of action provision.
The Act allows consumers to sue companies if they put "nonencrypted and nonredacted personal information" at risk by failing to "implement and maintain security procedures and practices." Statutory damages under private actions can reach $750 per violation, dramatically increasing the total cost of data breaches.
Penalties per violation may seem small. However, real-world examples demonstrate the scale of potential CCPA penalties.
For example, in 2024, the state fined food delivery company DoorDash $375,000 for selling customer data without consent. Settlements following adverse judgments amplify these costs. In 2022, a CCPA action led to a statutory lawsuit against T-Mobile that resulted in a $350 million settlement.
What’s the difference between CCPA and GDPR?
Cyber-attacks and high-profile data breaches have made data privacy a global priority. Companies operating internationally must consider many jurisdictions as they design systems to collect, store, and use customer data.
For example, many companies must comply with both the CCPA and the EU's General Data Protection Regulation (GDPR). But how do these two critical data privacy laws compare, and where do they overlap?
Scope
CCPA is more limited in scope. Covered organizations include companies that do business in California, have revenues above $25 million, make more than half of their revenues from selling data, or handle data from over 100,000 Californian residents or households.
GDPR applies to all organizations (not just for-profit companies) that collect and use personal data within the European Union.
Legal basis
Under both regulations, companies require a legal basis to gather and use customer data. However, CCPA is much looser. CCPA-compliant companies can process data in any way that complies with relevant data privacy laws.
GDPR specifies six lawful bases for processing sensitive data. These include consent, meeting legal requirements, contractual obligations, public interest, legitimate business needs, and meeting other "vital" interests.
Rights
Both the CCPA and GDPR are based on data privacy rights. As discussed above, customers have six consumer rights under the CCPA.
Under GDPR, customers also have the right to access, correct, delete, and challenge personal information. Individuals can also opt out of data-based profiling systems. If desired, they can obtain their data in standardized formats.
Approach to data
The CCPA takes a broader definition of personal data. Under the CCPA, relevant data includes any personal information that could identify an individual, household, or device. This only applies if data is not already in the public domain or held by state or federal bodies.
GDPR only applies to data collected for commercial use relating to individuals.
Collecting data
Under CCPA, customers must be able to opt out of data collection when they begin interacting with companies. Users must also be able to opt out of cookies that collect user data.
GDPR is slightly more restrictive as customers must opt into data collection processes. Customers retain the right to opt out of data processing at any stage (as they do under CCPA). Individuals must also opt into cookies that gather user data.
Data security
CCPA itself does not include detailed data security requirements. However, companies that fail to protect data are liable for civil lawsuits brought by customers.
After the passing of the California Privacy Rights Act, the CCPA now imposes slightly heavier security duties. Companies must take extra care to secure sensitive personal information or risk higher penalties.
GDPR takes a risk-based approach to data security. Companies must assess risks and protect against relevant security threats.
Transferring data
CCPA includes no provisions relating to international data transfers.
GDPR includes rules governing data transfers between jurisdictions. Countries receiving data must protect individual privacy according to Standard Contractual Clauses (SCCs).
Enforcement
The California Attorney General brings civil lawsuits under CCPA with a maximum fine of $7,500 per violation. There is no upper limit to regulatory settlements.
GDPR fines are administered by Data Protection Authorities (DPAs) in EU states. GDPR fines can reach 2% of turnover worldwide. A maximum penalty of 20 million euros applies to severe compliance violations.
How to comply with the CCPA
Given the scope of the regulations and the potential penalties, companies must take action to become CCPA compliant. To ensure CCPA compliance, companies should:
- Assess your CCPA compliance situation: Determine how much of your revenues and operations fall under the CCPA. Identify the rights specified by the CCPA that are relevant to your enterprise and how they relate to your operations.
- Carry out a data inventory: Determine what personal information you collect, how and where you store it, and how the data is used. Do you have processes to delete unnecessary user data? Can customers access, edit, or remove their data as CCPA requires?
- Create compliant privacy notices: Privacy notices on your website must allow customers to opt out of data collection. Document what data you collect and how you will use it.
- Allow users to exercise CCPA rights: Provide simple tools to access, correct, delete, and export user data. Create streamlined processes to meet consumer requests within CCPA timescales. Verify users before providing information to avoid illegal disclosures.
- Implement strong data security: Cutting data breach risks helps avoid costly lawsuits. Encrypt data at rest and in transit. Use multi-factor authentication and access controls to prevent unauthorized access to personal data. Adopt a vigilant approach and investigate all security alerts promptly.
- Provide employees with compliance training: Employee training enhances data security and informs staff how to use data in compliance with the CCPA. Training should include handling customer inquiries and access requests.
- Include third parties: Write CCPA compliance into all contracts with third-party vendors. Only use data processing partners that understand regulatory requirements and have strong data security records.
- Record compliance data: Keep a log of customer requests under CCPA, including evidence of a successful response. Maintain clearly written policies explaining how your company meets CCPA regulations.
- Schedule regular compliance audits: Integrate CCPA rules into your annual compliance audits. Assess the six consumer rights to ensure you remain CCPA compliant. Use the audit exercise to consider new developments affecting your compliance situation.

Achieve CCPA compliance by applying the six consumer data rights and putting in place effective data security measures. It's also important to remember that CCPA fits into a global regulatory landscape. Many of the compliance measures listed above also help meet GDPR requirements, ensuring smooth data processing worldwide.