CCPA Compliance Made Simple – Step-by-Step Guide
A step-by-step practical guide for the California Consumer Protection Act (CCPA)
There are thousands of articles on the web that analyze in-depth the legalese and jargon of the California Consumer Protection Act of 2018.
But as a business owner or data protection officer who handles California residents’ data, you want to know exactly what you need to do to follow the rules while avoiding hefty fines and customer complaints.
The California attorney general’s office enforces CCPA violations ranging from $2,500 PER EACH violation (non-intentional) to $7,500 per intentional violation.
This could mean per data field per person, and as we’ve seen with GDPR fines, these massive fines could be detrimental to your organization.
The California Privacy Rights and Enforcement Act of 2020 (CPRA), also called the CCPA 2.0, has been passed and will enter enforcement starting January 2023. The CPRA borrows heavily from its predecessor, so now is a great time to start if you are not yet CCPA compliant.
Let the following guide act as your roadmap to CCPA compliance.
By following this guide, your company will be able to meet the following obligations under CCPA:
- 1. Maintain a data inventory to track data processing history
- 2. Publish a compliant Privacy Policy, which needs to be updated at least every 12 months, including the consumers’ rights regarding their personal information
- 3. Notify a consumer before or at the point of data collection that the business wants permission to collect this data
- 4. Grant consumers their rights as they pertain to their personal data, including the right to access and delete their data, as well as opt-out of marketing
- 5. Create a Do Not Sell My Personal Information icon on your page if you sell personal information
The above six (6) obligations can be divided into different workstreams and addressed concurrently.
Step 1 - Is Your Company Impacted?
Step 1 will help you determine if your company is in scope for CCPA and must comply.
1.A. Who are Covered Businesses under CCPA?
The CCPA does not only affect California-based companies.
< firm>If your company collects the personal information of California residents and households AND the answer is “Yes” to ONE of the following three criteria, then you are in scope for the CCPA.
- Does your organization earn annual revenues exceeding $25 million?
- Does your organization buy, receive, sell or share the personal information of 50,000 or more consumers, households or devices for commercial purposes? (50,000 in total; not just California consumers, households, or devices)
- Does your organization derive 50 percent of annual revenues from selling consumers’ personal information?
If you answered “No” to every question above, you are not a covered business under the CCPA.
1.B. Determine if you collect the personal information of California residents and households
This is broken into two parts: 1) personal information and 2) what is considered a California resident and household.
1.B.1. First, what is considered personal information?
If the data you collect can be used to identify an individual, household, or device, then it’s personal data. If you have customers or employees, then you collect personal information. Most common examples of personal data include:
- Home address
- Names
- Passport and other official numbers
- Employment records
- Biometric information such as fingerprints
- Email and IP addresses
- See Step 2 for a more exhaustive list
1.B.1.1. Exemptions
Personal information publicly available, meaning publicly available in federal, state, or local government records, is NOT in the scope of CCPA.
Additionally, certain financial information and medical information regulated by the Health Information Portability and Accountability Act (HIPAA) are exempt from the CCPA. Step 6 has the complete list of CCPA exemptions.
So, does your organization collect personal information? If not, you are the lucky few where the CCPA does not apply to your business.
1.B.2. Next, does the personal information you collect belong to California residents?
If you conduct business in California, it’s safe to assume that you have personal information of California residents as either customers or suppliers.
The CCPA covers only those domiciled in California, meaning they ordinarily live in California. Even if a California resident leaves temporarily, they are still in scope wherever they go.
For example, suppose Californian travel to New York and visits your site from New York (or anywhere). In that case, they’re in scope for the CCPA, and your organization must handle their data responsibly.
For that reason, most companies that conduct business in the USA and satisfy the above requirements in (1A) above widely choose to comply with the CCPA proactively.
Step 2 - What Personal Information Do You Collect?
Step 2 will walk you through identifying the data in scope, creating a data inventory, and developing a record of all the personal data you process for attestation purposes.
2.A. Identify and catalog all instances of personal information that your company collects.
As we discuss in Step 4, your organization must be able to, at a minimum, tell California residents the categories of information you collect, disclose and sell.
Additionally, your organization must be able to give California residents access to the information you collect and honor deletion requests for data that is no longer needed, all within 45 days.
Therefore, your organization must be able to quickly locate personal information across all your business systems and data repositories. To handle this complex task, many organizations have created a centralized data inventory for CCPA compliance.
2.A.1. Create a data inventory.
A data inventory is a list of data inputs and outputs for each business system and application. For CCPA, the inventory will focus on identifying the in-scope personal data and ensuring that your data handling practices meet CCPA requirements.
A data inventory is also vital for your business because it will act as a record for the data you process, which the Attorney General will request from you in case of an incident.
The following steps will allow you to create a data inventory:
2.A.1.1. Identify in-scope systems and applications.
Use resources like IT infrastructure diagrams, data flow diagrams, or network diagrams to create a list of systems and applications in your organization that handles personal information.
Suppose your organization does not have detailed diagrams. In that case, you can start with the IT assets that are sure to collect personal information, like payment gateways, eCommerce and order management software, and HR software.
Tracking the data flows from these systems either through automated integrations or manual processes. Interview system and applications owners to determine possible system integrations and interview users to see if data is transferred from these systems via manual processes (e.g., download and send).
2.A.1.2. Categorize data assets based on CCPA requirements.
Consult with your legal team on how to catalog and categorize the data assets of the affected teams. The categories of personal information and associated data fields as defined in the CCPA are as follows:
| Category | Data Fields (not exhaustive) |
| Identifiers | Name, alias, postal address, unique personal identifier, online identifier, Internet Protocol (IP) address, email address, account name, social security number, driver’s license number, passport number, or other similar identifiers |
| Customer records information | Name, signature, social security number, physical characteristics or description, address, telephone number, passport number, driver’s license or state identification card number, insurance policy number, education, employment, employment history, bank account number, credit or debit card number, other financial information, medical information, health insurance information |
| Characteristics of protected classifications under California or federal law | Race, religion, sexual orientation, gender identity, gender expression, age |
| Commercial information | Records of personal property, products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies |
| Biometric information | Hair color, eye color, fingerprints, height, retina scans, facial recognition, voice, and other biometric data |
| Internet or other electronic network activity information | Browsing history, search history, and information regarding a consumer’s interaction with an Internet website, application, or advertisement |
| Geolocation data | |
| Audio, electronic, visual, thermal, olfactory, or similar information | Professional or employment-related information |
| Education information | Information that is not “publicly available personally identifiable information” as defined in the California Family Educational Rights and Privacy Act | Inferences | Preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, aptitudes |
2.A.1.3. Prioritize your systems and applications based on risk.
Focus first on the riskiest scenarios for CCPA compliance (i.e., where you are most likely to see regulatory and customer pressure first).
For example, systems that process sensitive data categories like characteristics of protected classifications or biometric or geolocation data should be prioritized over systems that process low-risk identifiers like name or email.
2.B. Utilize Data Inventory and Mapping Technology.
If manually identifying and mapping personal information in your infrastructure is too daunting a task, several third-party software applications on the market automatically scan your business systems to identify instances of personal data. Popular examples include:
OneTrust — a comprehensive privacy management technology platform that helps organizations demonstrate accountability and compliance with global regulations like GDPR.
Big ID — capture and manage technical, business, and security metadata across your entire data environment. Automatically catalog and map sensitive & personal data with deep data insight, incorporating active metadata and classification.
The result for step 2 should be a functioning, centralized data inventory that can serve as a record for your business’s data processing activities.
Step 3 - Create a Privacy Policy
Step 3 will create a CCPA-compliant privacy policy, cookie policy, and opt-out mechanism.
3.A. Create a Privacy Policy and Cookie Policy that satisfies the CCPA requirements.
Today, all businesses that collect, store, or personal process data must already have a published Privacy Policy. So, if your Privacy Policy is already in line with the GDPR, then these obligations will be largely familiar to you.
- Publish a Privacy Policy that complies with CCPA rules and is updated at least once every 12 months
- Notify a consumer before or at the point of data collection that the business wants permission to collect this data — This is commonly done through a cookie policy
3.A.1 Draft a Privacy Policy / Use a Privacy Policy Generator.
At a high level, your Privacy Policy must include:
- List of the rights that a customer has
- Disclosure
- Access
- Opt-out of sale and marketing
- Deletion (Right to be forgotten)
- The categories of personal data you collect
- How you process and collect this data
- Why you collect the data
- If you sell personal data, and how to opt-out of sale
- How they can contact you for rights or for further information
Since this is a practical guide, we will share a suitable option. Many websites allow you to generate a privacy policy using solely your business contact information and the data you collect.
We recommend the following:
- https://www.termsfeed.com/blog/sample-ccpa-privacy-policy-template/
- https://app.privacypolicies.com/wizard/privacy-policy
- https://termly.io/products/privacy-policy-generator/
Once you have all the policies generated, send them to your legal team for review. Be sure that this policy accurately includes all the categories of data you collect, how you process and assemble it, why, and if you sell it. Most of the time, your legal team will not have specific knowledge of your data processing activities, so they will not be able to correct them.
3.A.2. Please put a link to this Privacy Policy somewhere where customers can easily find it.
Most commonly, the Privacy Policy is placed in the following locations:
- Site footer
- Email footer
- At checkout
You must also place a link to the Privacy Policy, and any associated Terms of Service, in any places where your company collects personal information. Be its newsletter, email sign-ups, SMS opt-ins, or even in-person event registrations.
3.A.3. Create a cadence to update and notify your customers.
CCPA mandates that the Privacy Policy be updated at least once every 12 months. This must include an easy-to-read summary of what has changed.
Most companies email all the users they have stored and include a section on the top of their privacy policy that details any recent changes.
Moreover, your Privacy Policy must also be updated upon any significant changes to how you process personal data.
For example, suppose your company decides to start selling personal information in a way it has not before. In that case, you must update your Privacy Policy and inform your users and customers about the new processing activity via email or another method.
3.B. Create a Cookie Policy and opt-out mechanism that satisfies CCPA requirements.
The CCPA requires businesses to notify consumers before or at the data collection point that the business wants permission to collect this data. (Notify, but not get consent, as the GDPR mandates) — In CCPA speak, this is known as the Right to Disclosure.
Cookie consent for the CCPA is based on an opt-out mechanism instead of the GDPR opt-in mechanism. This CCPA requirement explicitly governs how companies can use cookies on their site.
This means that websites can load cookies but must notify the customer and provide them with an easy way of opting out.
3.B.1. Document the Cookies placed on your site.
The first step is to gather information on all the cookies for each of your site pages, identify who owns them (internal or third party), and describe what the cookie does with personal information.
Depending on the size of your company and how many teams have access to your site code, this task could vary in complexity. Below is a step-by-step process of how you can gather all the necessary information regarding your company’s use of cookies.
- 1. Scan your company website for cookies to get an initial list. To scan, you can use online code scanners or browser-based tools like the Google chrome extension. (https://chrome.google.com/webstore/detail/cookies-scanner/mbpokgplnceehjoeifmlhkbfifjmbpee?hl=en)
- 2. Identify the Owner of the cookie, who sets the cookie, and whether its a first or third party
- 3. Confirm the purpose of each cookie
- 4. Confirm whether the cookie processes personal data, given the list in step 2. If no personal data is processed (e.g., anonymous browser data), the cookie is not in scope for CCPA
- 5. List each field of personal data that is processed, and if it is shared with a third party
- 6. Confirm if the cookie is a session or persistent cookie
- 7. Decide if the duration of persistent cookies is justifiable for the purpose
- 8. Determine if the cookie is necessary for site functionality (e.g., personal data required for sale or checkout) or if the cookie is not explicitly required, which would therefore require clear and comprehensive information and consent
Hopefully, there is a defined list of users/teams that have access to your site code, like your security team or marketing team.
Contact these teams to see if they have placed any cookies on your site and for what purpose or allowed a third party to place cookies (common examples include Snapchat, Facebook, Pinterest, etc.).
3.B.2. Draft a Cookie Policy / Use a Cookie Policy Generator
Once you have a complete list of the cookies, you collect and for what purpose, you can either include this information in your Privacy Policy or draft a standalone Cookie Policy.
Either way, you must ensure that the cookie or privacy policy provides accurate and clear information about each cookie. You may already have a cookie policy, but for CCPA compliance, your company’s Cookies Policy must:
- Disclose your use of cookies on your website and briefly explain cookies
- List and explain what types of cookies you or any third parties are using
- Inform users why you use cookies
- Explain how users can opt-out of cookies
The above privacy policy generator sites also provide Cookie Policy Generator options, and be sure to search the web for “Cookie Policy Generator.” Below are our favorites:
- https://www.termsfeed.com/cookies-policy-generator/
- https://termly.io/products/tl/cookie-consent-manager/
3.B.3 Create an Opt-out Mechanism (Cookie Banner) on your Site
When a user lands on your site, you must notify them of the collection of cookies immediately. Common practice is to include a cookie banner — the pop-up that appears on most websites informing you of their collection of cookies.
For example, go to https://trustarc.com/ and look at the bottom of the screen.
Sample cookie banner language:
“This site uses cookies and related technologies for site operation, analytics, and third-party advertising purposes as described in our Privacy and Data Processing Policy. You may choose to consent to our use of these technologies, reject non-essential technologies, or further manage your preferences. To opt-out of sharing information related to these technologies with third parties, select “Decline All” or submit a Do Not Sell My Information request.”
The cookie banner should:
- Inform the site visitor what cookies are collected and for what purpose
- Include a link to the privacy policy and cookie policy
- Give a method to opt-out to all non-essential cookies
3.C. Automate with Cookie Consent Management Tools
If you don’t have the in-house capabilities to create an opt-out mechanism for cookies, consider purchasing online tools to automate your Cookie Consent Management. Companies like TrustArc and OneTrust provide plug-and-play software capabilities to manage cookies on your site.
Step 4 - Consumer Rights Requests
Step 4 will walk you through what rights are granted to users under the CCPA and how your organization is expected to fulfill the user’s requests.
4.A. Contact and Verification
First and foremost, your company must provide contact information for customers to exercise their rights. Once you receive such a request, your company must verify its identity before proceeding.
4.A.1. Give users a method to exercise their rights.
Your company must provide digital and non-digital methods customers can contact to exercise their rights. At a minimum, you must provide a toll-free number and a web address.
Common examples include a specific email inbox, phone number, mailing address, or self-service feature designed for rights requests specifically.
In Step 3.A.1., you’ll see that your Privacy Policy must have these contact methods listed.
You may also use established channels like call centers, online chat features, email inboxes, etc. Still, you will have to train your employees/AI chatbots to direct these customers through the proper channels to your data privacy team or whoever handles consumer rights requests (CRRs).
4.A.1.1 Determine the people involved. Who are the stakeholders involved in your process? Who will your customers instinctively contact when they want to exercise their rights? This should include system/data owners, call center personnel, and your data privacy team. Consider making a RACI chart.
4.A.1.2. Develop a concrete, step-by-step process that walks the stakeholders through the specific process for your company. The process should include:
- Receive the request
- Determine the type of request
- Verify the request (see 4.A.2.)
- Find impacted systems (through scan and/or data inventory)
- Involve applicable parties
- Execute rights (where legally permissible)
- Audit
- Draft response
- Deliver response
- Record Processing Activity (see 4.G.)
4.A.1.3. Automate & Templatize. You should seek to automate these workflows using whatever existing tools you have at your disposal. As mentioned, the rights requests must be fulfilled in 45 days, so any delays in the information chain make all the difference.
Additionally, create templates of your intake forms and responses for each below rights and their various scenarios.
Responses can be delivered either electronically or by mail.
4.A.2. Verify the request.
Before granting their rights to a customer, your company must do its due diligence to verify the requestor’s identity to avoid identity theft and fraud. You can also use this process to confirm that they are a resident of California.
4.A.2.1. For a request seeking access to specific pieces of personal information (see step 4.B.), the business must verify the consumer’s identity to a “reasonably high degree of certainty,” which may include matching at least three “reliable” data points in the same manner.
Depending on what information you collect, examples could include:
- Verify date of birth
- Verify email address or username (never password)
- Verify mailing address
- Verify last login date
- Verify last order (amount, type, size, etc.)
- MFA or SMS push notifications
- Selfies
And for liability purposes, your company should collect a “signed declaration under penalty of perjury that the requestor is the consumer whose personal information is the subject of the request.”
4.A.2.2. For a data deletion request (see step 4.C.), the business must verify the consumer’s identity with certainty, based on its unauthorized deletion’s risk of harm to the user. For example, deletion of Employment or Order history is more sensitive and potentially harmful than deletion of an ancient shipping address.
Here is a great example of a self-service request and verification form:
4.A.2.3. Templated scenario
If Verification is unsuccessful, provide the customer a notice that they are unverified and do not qualify for their request at this time.
If Verification is successful, you may proceed to fulfill their rights request.
4.A.3. Verification Solutions
Many verification tools, like selfie verification or driver’s license verification software, produce variable verification types. Choosing the right one for your organization depends on the sensitivity of the personal data you collect and the number of requests you receive as an organization.
4.B. Right to Access & Information
Under the CCPA, any California resident can exercise their Right to Access & Information, which means that they can request from your business the following:
- The categories of personal information you collect about them (see step 2)
- The sources from which that personal information was collected (e.g., online order histories, online surveys, marketing companies, tracking pixels, cookies, web beacons, or recruiters)
- The categories of personal information sold to third parties
- The categories of personal information disclosed for business purposes
- The categories of third parties to whom personal information was sold or disclosed (e.g., tailored advertising partners, affiliates, social media websites, service providers)
- The business or commercial purposes for which personal information was collected or sold (e.g., fraud prevention, marketing, improving customer experience)
- The “specific pieces” of personal information collected.
Your company must respond within 45 days from their request, with an additional 45-day extension period available when necessary for a giant or complicated data request.
The CCPA also imposes a 12-month lookback from the time of the request, meaning that the user can ask for the above information only up to 12 months from the request time.
It also mandates that the user receive this information in a readily usable format that allows them to transmit it to others without undue hindrance. Responses can be sent electronically or by mail.
4.C. Right to Deletion / Right to Be Forgotten
With some exceptions, the CCPA permits consumers to request that your business delete personal information collected about them on your systems and the direct service providers with which you’ve shared the personal data.
Once you’ve received and verified a deletion request, notify your service providers immediately to have ample time to satisfy the request.
Your company will still be held entirely accountable for ensuring service providers fulfill their obligations.
Your company must respond within 45 days from their request, with an additional 45-day extension period available when necessary for a giant or complicated data request. Responses can be sent electronically or by mail.
4.C.1. Right to Deletion Exceptions
Deletion is not required if the business needs personal information:
- To complete the transaction for which it was collected
- To comply with a legal obligation, such as a record retention requirement
- To protect against malicious, deceptive, fraudulent, or illegal activity
- To identify and repair errors that impair existing and intended functionality
Even if your company falls under one of these exceptions, there still exists a 45-day period to respond to the customer and explain why you cannot fulfill their deletion request.
4.D. “Do Not Sell” on Landing Page
Under the CCPA, consumers can opt out of the “sale” of their personal information.
A “sale” is loosely defined as transferring personal data to a third party for any financial compensation beyond the original purpose of the data collection.
To exercise this right, businesses that sell personal information must provide a “Do Not Sell My Personal Information” button/link on the business’s homepage that guides the user to a web page where consumers can opt out of having their personal information sold to third parties.
It’s also best practice to include a link on your landing page or at the footer of your website.
Reference: Coca-Cola footer
4.D.1. Right to Opt-out for Minors
Your company should default not to sell consumers’ personal information when they are 13-16 years old.
Still, your company must create a process to allow them to opt-in.
4.E. Right to Opt-Out of Marketing
Under the CCPA, consumers can opt out of processing their personal information for marketing purposes, either by the company or a third party.
4.F. Right to Non-discrimination
The CCPA prohibits businesses from discriminating against consumers for exercising their CCPA rights. Specifically, the business may not:
- Deny the customer access to goods or services, or provide different levels of quality depending on opt-out/opt-in status
- Charge different prices, directly or indirectly, through the use of discounts, benefits, or penalties
- Suggest that the customer will receive a different price or quality by opting out
4.G. Maintain Records of Processing
Wherever feasible for your business, maintain a record of the entire process of the rights request.
Step 5 - 3rd Party Agreements
Analyze your third-party agreements with those businesses with which you share personal data, and determine if they have addendums regarding CCPA.
5.A. Ensure your third-party agreements are compliant
Businesses are allowed to share personal information with third parties and service providers for business purposes, as long as there are stipulations in the written contract that prohibit the third-party service provider from selling the personal information themselves or using the personal data for any purpose other than the specific purpose of performing the services specified in the contract.
So, if you haven’t already, reach out to your third parties and service providers to understand what they do with the information you share.
If necessary, create addendums to your written contracts with detailed data usage requirements and retention policies. You may have to switch service providers that cannot comply with your business standards.
Step 6 - Exceptions
Understand if any exceptions cover you.
6.A. Employee Personal Information
Employee personal information is excluded from most of the CCPA’s requirements.
These include the rights and requirements that permit consumers to request:
- The deletion of their personal information
- The categories of personal information collected
- The sources from which personal information is collected
- The purpose for collecting or selling personal information
- The categories of third parties with whom the business shares their personal information.
This exclusion does not refer to all “employee” data regardless of context. Specifically, the exclusion applies to personal information collected by a business such that the person is acting as a job applicant, or an employee, owner, director, officer, medical staff member, or contractor of that business, and to the extent the personal information is processed within the context of the person’s role or former role.
Employees are still entitled to a privacy notice. Additionally, employees are entitled to commence a private right of action if affected by a data breach caused by negligence by the employer to maintain reasonable safeguards.
6.B. Health Information
The CCPA does not apply to medical information covered by the Confidentiality of Medical Information Act (CMIA) or protected health information under the Health Insurance Portability and Accountability Act (HIPAA) and Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009.
Conclusion
The above guide has been a legalese-free, step-by-step guide for data privacy officers, business owners, and project managers to kick off their journey towards CCPA compliance.
You need to understand what personal data you collect, and process to better exercise the rights of your customers and better safeguard valuable data. We hope you can use the above list to kick off the workstreams.
It’s essential to remember that regulations currently drive data privacy strategy; however, someday, that may not be the case.
While compliance with regulations should be a bare-minimum strategy, consider that your customers hope to work with a business they can trust.
And trust starts and ends with privacy, so make sure that you give your customers the data privacy they expect, not just what is mandated by law.
As always, check with your legal team that your strategies align with your company’s legal counseling.