CCPA enforcement begins

California is the first US State to give its residents a high level of protection and control over their personal information. It won’t be the last and it hasn’t finished yet, but more about that later…

By Claire Heaphy

The Privacy Compliance Hub Information Officer

July 2020


The California Consumer Privacy Act of 2018 ‘CCPA’ came into force on 1 January 2020. As of 1 July 2020 the Attorney General begins enforcing it. For-profit businesses which meet certain thresholds, regardless of where they are based, which want to do business in California have to comply with the CCPA.  

Those organisations using the Privacy Compliance Hub to achieve GDPR compliance will find the process of complying with the CCPA much easier.  In turn, this will make compliance with future US state or federal privacy legislation simpler too.  And remember, operating within the parameters set by privacy legislation is not just about avoiding fines and adverse publicity; it’s an opportunity to build trust and engage with your customers.  

Who the CCPA applies to

Any for profit business anywhere in the world that ‘does business’ in the State of California which:

  • collects personal information of California residents; AND 
  • alone or jointly determines the purposes and means of processing consumers’ personal information; AND
  • meets any of the following thresholds:
    • has an annual gross revenue in excess of $25m;
    • buys, receives, sells or shares personal information of at least 50,000 California residents, households or devices per year (‘personal information’ is broadly defined and includes IP addresses so this threshold may be met by the number of California resident website visitors);
    • derives at least 50% of its annual revenue from selling California residents’ personal information (again, ‘selling’ is widely defined to include disclosures not just for money but other valuable consideration although there are exceptions).

The rights the CCPA gives to California residents

California residents are given the following rights over their personal information:

  • Right to know – similar to the GDPR right of access albeit limited to personal information collected in the previous 12 months;
  • Right to delete – similar to the right to erasure/right to be forgotten under the GDPR;
  • Right to opt-out of the sale of their personal information (under 16s need to opt-in); and
  • Right to non-discrimination following the exercise of any CCPA rights – examples of discrimination are charging different prices or providing different levels of service.

Organisations should consider whether they want to extend CCPA rights to all Americans as opposed to California residents only.  Some big businesses such as Netflix, Uber and Microsoft have decided to uphold CCPA rights nationally. It can involve less work as you don’t need to confirm where requesters live or segregate the personal information you hold into that of California residents and non-California residents.

The penalties for non compliance with the CCPA

The California Attorney General can issue uncapped penalties of up to $7,500 per intentional violation, or up to $2500 per unintentional violation (which has not been cured within 30 days of notice) for CCPA breaches.  Although CCPA enforcement has only just begun, it is widely thought ‘per violation’ means per California resident affected. Additionally, California residents have the right to sue in certain circumstances. 

How to comply with the CCPA

  • Undertake a personal information inventory – know what categories of California residents’ personal information you hold, where you hold it, how you hold it and who you share it with.
  • Review your processes – make sure you have a mechanism for complying with the right to opt-out of the sale of personal information. 
  • Update your privacy policy –  consumers must be notified of their CCPA rights and how to exercise them and the categories of personal information you collect, sell and disclose.   
  • Take appropriate security measures – California residents have the right to sue organisations if certain personal information is compromised due to failure to maintain reasonable security procedures.
  • Check your relationships with data processors – ensure you have written contracts with data processors (known as ‘service providers’ in the CCPA) drafted to fall within the CCPA exception to a ‘sale’ of personal information.
  • Establish record keeping and reporting procedures – records of all consumer CCPA requests and responses must be kept for a minimum of 24 months. Businesses that sell or receive at least 10m Californian consumers’ personal information each year have additional annual reporting obligations.
  • Train all your staff in how to comply with the CCPA – now and continuously.
  • Evaluate your business model – the definition of ‘sale’ encompasses more than providing personal information for money.  Organisations which rely on revenue from targeting advertising, may see that revenue fall if lots of California residents invoke their ‘Do Not Sell’ right. There’s potentially even more pressure on the adtech industry to come (see ‘CCPA 2.0’ below).

Watch Tom, Director of Brand and Strategy at Peak Brain Training explain how The Privacy Compliance Hub enabled him to concentrate on growing the business and still get compliance done.

Watch video

You ain’t seen nothing yet

The group, Californians for Consumer Privacy, who were responsible for getting the CCPA on to the statute books, are campaigning for a new privacy law which would give California residents increased rights and protections beyond the CCPA. The proposed new law is called the California Privacy Rights Act, sometimes known as ‘CCPA 2.0’. It will be on the California November 2020 ballot paper and Californians will vote on whether they want it. 

Headlines from the new act include:

  • the California Privacy Protection Agency – a new regulator;
  • a new category of ‘sensitive personal information’ with additional rights;
  • a new right to correct inaccurate personal information; 
  • new requirements of data minimisation and storage limitation; and
  • a prohibition on collecting personal information from children under 16 without consent.

A culture of continuous privacy compliance 

In our view, the only way to comply with the CCPA is through a cultural shift in your organisation.  At The Privacy Compliance Hub, we help organisations establish and maintain a culture of continuous privacy compliance by making everyone in an organisation understand privacy, care about privacy and to do their bit to protect personal information.  Our platform contains a structure, a programme, a route map, records, information, reporting and training to enable all organisations to comply with privacy rules including the CCPA and the GDPR.

More to watch and read