CCPA Compliance Checklist

Published February 25, 2020 by 5 min read

If your organization has a presence in California or does business with California residents, then it probably needs to comply with the California Consumer Privacy Act (CCPA). 

Starting July 1, 2020, the California Attorney General‘s office was set to begin enforcing this trail-blazing law, the first data-privacy-protection law in the United States. Here’s what your IT, InfoSec, and Marketing teams need to know about being CCPA-compliant.

The CCPA: What Your Business Needs to Know

CCPA compliance is no easy task but never fear: Using this CCPA compliance checklist and our CCPA compliance guide can help smooth the way.

The first step toward compliance is knowing the law:

  • Know if you qualify. Enacted in 2018, the CCPA takes effect Jan. 1, 2020, and mandates that certain for-profit businesses in California or doing business with Californians meet its requirements. Is yours one of them? Does your enterprise:
  • Have annual gross revenues of more than $25 million or
  • Buy, receive, sell, or share personal information of 50,000 or more California consumers, households or devices per year;
  • Derive 50 percent or more of annual revenues from sales of Californian consumers’ personal information; or
  • Control, or are controlled by, a business that meets any of these criteria and shares a brand with that business?

If any of these criteria apply to your business, you will be expected to comply with the CCPA starting January 1.

  • Know the terms. The most-stringent of U.S. data privacy laws likened to the European Union’s General Data Protection Regulation (GDPR), CCPA broadly defines “personal information to include biometric data, for instance. It also sets strict limits on consumer data collection, and how for-profit businesses can use for commercial purposes the personal information of “consumers,” which is the law’s term for California residents whose personal data a business might collect, store, share, or sell.
  • Know consumers’ rights. The CCPA gives consumers rights over their data that they haven’t had before in this country. Do you allow California residents to:
  • Opt-out of your business’s keeping, sharing, or selling their information with a prominently “Do not sell my personal information” button or link on your home page?
  • Ask to see which categories of personal information you have collected or shared, and with whom the data has been shared or to whom it has been sold? Can you respond to these consumer requests in a timely manner?

What CCPA Compliance Entails
Keeping your customers’ privacy at the heart of your data-handling processes and procedures will go a long way toward fulfilling the requirements of the CCPA. To help, we’ve summarized relevant sections for you to use as guideposts on your CCPA compliance journey.

Section 1798.100: Consumer rights to data disclosure and access

  • Do you tell California residents (“consumers”) immediately, while it is happening, that your business is collecting their information, and for what business purposes you are collecting it? Are these privacy notices succinct and easy to understand?
  • Do you comply with consumer requests free of charge regarding the collection of their data? Do you first verify the identity of the person making the request?
  • Section 1798.105: Consumers’ right to have their information deleted
  • Upon receiving verified requests, do you delete California consumers’ information promptly from your data inventory? You can refrain if the data falls under one of these categories: 
    • It’s needed for legal purposes
    • Your business (or business partner) needs it to do your work
    • It’s free speech
    • It’s already publicly available elsewhere
    • You need it to complete a transaction for the consumer or fulfill a contract
    • You’re using it to identify and repair system errors
    • It’s needed as a part of scientific, historical, or statistical research in the public interest

Section 1798.110: Consumers’ right to access their data

  • Can your business provide 12 months’ worth of a consumer’s data upon receiving the consumer’s verified request for it?
  • Can you also provide the categories of third parties, such as service providers, with whom it has shared that data?

Section 1798.115: Consumers’ rights regarding sale of personal information 

  • Do you inform your customers about which of their data you are selling?
  • Do you tell them the categories of third parties to whom your business has sold their data over the previous 12 months?

Section 1798.120: “Do Not Sell” my data: Consumer rights

  • Do you verify the age of every consumer from whom you collect data?
  • Do you provide a “Do Not Sell My Data” button or link in a prominent place on your business website? 
  • Do you provide an “opt-in” feature for minors under 16?
  • Do you inform minors under 13 that their parents must give their consent for you to sell their data, and provide a way for their parents to do so?

Section 1798.125: Non-discrimination

  • Do you refrain from discriminating against consumers who make requests regarding their data by, for example, charging them a different price for products or services?
  • You may, however, offer financial incentives to customers in exchange for their permission to collect and sell their information.

Section 1798.130: Business obligations to consumers: Data access

  • Does your business provide at least two ways for consumers to request access to or deletion of their data? These may include
    • A toll-free phone number
    • An email address
    • A website address (with a way to contact you)
  • Do you verify and respond to access requests within 45 days?
  • Do you provide logs showing how you have handled their data dating back 12 months?
  • Do you include in your response the categories of entities with which you have shared or to which you have sold their data?
  • Do you allow each consumer to request access to their data two times per 12-month period?
  • Do you display on your website’s homepage a privacy policy spelling out your obligations to California consumers and their rights?
  • Do you update this privacy policy every year?

Section 1798.135: Business obligations to consumers: Data sales

  • Does your business train employees in handling consumer requests under the CCPA?
  • Do you wait 12 months after a consumer’s opt-out request before asking them again for permission to sell their data?
  • Do you provide consumers the ability to opt-out of having their data collected or sold, such as allowing them to create “guest” accounts when making purchases?

Section 1798.145 Data aggregation and de-identification

  • If you aggregate consumer information by category, do you remove the identifying components of that data so it can’t be associated with a particular consumer or household?
  • Does your business de-identify stored information using such methods as “pseudonymization,” which involves replacing identifying fields with false information, or pseudonyms?

Section 1798.150: Data security and breach management

  • Does your business encrypt the data it collects from consumers?
  • How do you secure the data you collect?
  • Do you monitor your systems continuously to detect breach attempts and incidents?
  • Do you notify data owners promptly in the event of a breach?

What Does CCPA Enforcement Entail?

The California Attorney General and could impose penalties for non-compliance with the CCPA even if you aren’t breached.

But if a data breach at your enterprise affects California consumers, those consumers can sue you for statutory damages. This so-called “Private Right of Action” is only one way you stand to pay for noncompliance.

To avoid costly lawsuits and fines, compliance is your best defense. But given the law’s complexity, even the best-intentioned enterprises could fall short of the mark.

The Easiest Route to CCPA Compliance

This checklist only scratches the surface of CCPA compliance. For a more detailed explanation of the law, check out our complete compliance guide to the CCPA.

For a complete checklist to ensure audit-readiness, consult our CCPA audit guide. But guides and checklists can only go so far if you’re still using old-fashioned spreadsheets to track your compliance efforts. Ask yourself: Do you really want to work that hard? Reciprocity’s governance, risk, and compliance software-as-a-service, ZenGRC, leaves compliance-by-spreadsheet in the dust. Zen automates much of the work of compliance by

  • Probing your systems and finding the gaps
  • Telling you what you need to do to fill those gaps
  • Tracking your vendors’ and service providers’ compliance
  • Displaying all its findings on user-friendly dashboards
  • Allowing easy, unlimited self-audits
  • Storing and categorizing the documentation you’ll need at audit time in a “single source of truth” repository.

With ZenGRC, you’ll approach CCPA compliance with confidence, knowing it’s taken care of. Then, you’ll be free to focus on other, more pressing matters, such as satisfying your customers and boosting your bottom line. Worry-free compliance: that’s the Zen way. Call today for your free consultation.

Learn how we can fit into your business.

Schedule a demo to learn how we can help guide your organization to confidence in infosec risk and compliance.

Help us get to know you.

Get a demo