The CCPA Compliance Website Checklist You Need

Inspired by Europe’s GDPR, the CCPA is the most substantial statewide privacy law change in a generation. Thanks to the CCPA, Californians can now ask to see all kinds of personal information that a business operating in the state holds on them.

Large companies like Microsoft have created self-service privacy dashboards where users can access all the relevant CCPA information. Many other companies, however, are lagging behind. With hefty fines and lawsuits as the consequences of non-compliance, it’s vital that your company adopts the necessary changes before it’s too late.

What is the CCPA?

The CCPA (aka AB 375) is the California Consumer Privacy Act. It’s a new privacy law (on top of GDPR compliance) that lets Californians demand to see all the personal information a company has saved on them, as well as a full list of third parties with whom their data has been shared.

The CCPA became effective on January 1, 2020, but consumers have the right to request all the data a company has collected on them over the previous 12 months. This means companies need to have had the necessary data privacy tracking systems in place since the start of 2019.

Who Does the CCPA Protect?

The law protects all California residents by giving them a higher level of ownership over their consumer data. A California resident is defined by the CCPA as anyone in California for more than “a temporary or transitory purpose” and anyone “domiciled in the state” but outside of the state for a “temporary or transitory purpose.” So, for example, a consumer who is from California but out of state for college would still be covered by the CCPA.

Who Does the CCPA Apply To?

Unlike the GDPR, the CCPA doesn’t apply to everyone. Businesses are only subject to the CCPA if one or more of the following three statements are true.

The CCPA applies to all businesses serving California residents, whether the business is based in California or not. In addition, if a business handles the personal information of more than 4 million consumers, it will be subject to some additional obligations, regardless of its annual gross revenue.

Notable exceptions to the CCPA include insurance institutions, agents, and support organizations, as they’re already subject to similar regulations under California’s Insurance Information and Privacy Protection Act (IIPPA).

Definition of Personal Information

With ‘personal information’ at the core of the CCPA, we must break down exactly which specific pieces of personal information fall within this category. It’s a wide-ranging list and includes:

  • Identifiers such as name, alias, postal address, username, password, email address, social security number, driving license number or passport number

CCPA Consumer Rights

The CCPA grants four new privacy rights to Californians. They are:

  1. The Right to Know

Consumers have the right to know what personal information a business has collected, used, shared, or sold. The business needs to be able to provide every specific piece of personal information it has gathered, not just the categories.

Businesses have 45 days to respond to consumer requests regarding the sale of personal information, and the personal information provided to the consumer has to cover the previous 12 months.

  2. The Right to Delete

Consumers have the right to demand that businesses delete all the personal information that they, or any of their associated companies, hold for business purposes. Businesses need to have mechanisms in place to remove a user’s information from the data sold to third parties. If that’s not possible, they shouldn’t sell the data at all.

  3. The Right to Opt Out

Consumers have the right to opt out of the sale of their personal information for commercial purposes. The situation is a bit more complicated when it comes to children: under-16s must provide opt-in consent, while under-13s must have the consent of a parent or guardian.

  4. The Right to Non-Discrimination

Consumers have the right to non-discrimination: businesses can’t charge different prices or offer different levels of service to those who exercise their rights under the CCPA.

CCPA Penalties

Unintentional violators face a $2,500 fine, while intentional violators will have to cough up $7,500. Businesses have 30 days to comply with the rules once notified by authorities or the heftier of the two fines is levied.

Individuals have the right to sue businesses that don’t comply with the law. If violations aren’t rectified within 30 days of a written complaint, and the California Attorney General declines to prosecute, then a business could be hit with a class-action suit.

Differences between CCPA and GDPR

CCPA vs. GDPR: If you're compliant with one regulation are you compliant with the other? TLDR: Somewhat. This article goes into depth on the similarities and differences between CCPA and GDPR, but we'll summarize it for you here.

The CCPA is California’s answer to the EU’s GDPR (General Data Protection Regulation). Both aim to guarantee strong protection for individuals regarding their data, and both apply to businesses that collect, use, or share personal information. Like the GDPR, the CCPA’s impact will be felt worldwide, given California’s status as the fifth largest global economy. Here are five of the most significant differences:

How You Should Prepare for the CCPA: CCPA Compliance Checklist

  1. Update Privacy Notices and Policies

Your privacy policy must be updated every 12 months to comply with the California Consumer Privacy Act and should include:

  2. Update Data Strategies, Inventories, and Business Processes

Data inventories are directories for managing sensitive data throughout a business. These inventories have to be well managed and maintained to be CCPA-compliant. If your business is already GDPR compliant, then its data inventory will mostly be sufficient for the CCPA’s privacy regulations. Still, there are a few columns that will have to be added to the offline data inventory or data inventory web page. These include:

  3. Use Protocols to Ensure Consumer Rights

The CCPA crystallizes certain consumer rights (discussed above under “CCPA Consumer Rights”), and a business must have protocols in place to ensure that these rights are granted.

At a minimum, businesses have to provide a toll-free telephone number and an “interactive webform” that handles access requests and opt-out requests. A clearly labeled “Do Not Sell My Personal Information” link must also be posted on the business’s homepage.

  4. Make Security Updates

Businesses covered by the CCPA must protect personal data with “reasonable” security. This means assessing threats to data within the organization, ranking the detected vulnerabilities in order of risk, and addressing the highest risks first. How far down the list your business goes depends on your budget and attitude to risk.

  5. Update Third-Party Contracts and Processor Agreements

When building a website, you'll likely use multiple vendors for CRM, analytics, CMS, and more. First, create a list of all the vendors, service providers, and other third parties that receive data from your organization. Then, update third-party contracts and processor agreements to include things like the provision of processing records, requirements for the syncing of consumer response processes, and more.

Third parties that have paid your business for information must go a step further. They should have processes in place to accommodate consumer requests to opt out of sales and make it easy to delete the relevant data.

Ensure that all vendors are CCPA compliant and have a disclosure confirming their compliance. If they process or hold any PII, be aware of their processes and how they house, distribute, or sell consumer data. Better yet, select a CMS that allows you to fully own your customers’ data, which will help ensure your compliance.

  6. Educate Employees

Ensure that employees have the necessary training to make sense of the CCPA requirements. Not only will this protect a business against fines, it’s required by law. Employees handling consumer inquiries must have good knowledge of the statute and know how to direct consumers to exercise their rights.


This may seem like a lot to add to your to-do list, but we've made it easier to manage. Download the checklist for a printable PDF to keep track of your CCPA readiness!

By Chloe Spilotro

Hooked onto the platform since first using it through the Zesty.io Incubator Program at the University of San Diego. Passionate about all things marketing, IoT, and helping businesses leverage technology to grow and become major players in their industries.
