What is CCPA Compliance?

If your for-profit business does business in California or with California residents, it will need to comply with the California Consumer Privacy Act (CCPA). In practical terms, this means that almost every large enterprise in the United States must comply with the CCPA.

The CCPA went into effect in 2020. To achieve compliance, businesses must uphold a long list of rights that the law guarantees to “consumers” (California residents) to control the use of their personal data.

One central pillar of CCPA compliance is that businesses must honor consumers’ requests to review their information in your databases. Since you must provide one year’s worth of data history, you should already have begun taking steps to comply.

Non-compliance with the CCPA can result in serious consequences, ranging from monetary penalties to civil charges. If a consumer can prove the lack of “reasonable security procedures and practices appropriate to the nature of that information” caused the breach of their data, damages may include:

  • $100 to $750 per consumer per piece of data compromised, or actual damages, whichever is greater
  • Injunctive or declaratory relief
  • Any other relief the court deems proper

In other words, if a business had 1,000 records stolen during a data breach, it might pay as much as $750,000 plus other damages.

CCPA Requirements at a Glance

Do you need a compliance program? When the California Consumer Privacy Act went into effect, businesses were expected to provide a full year’s data history to consumers who requested it. So if you’re doing business in California or with California residents, the answer is most likely yes.

CCPA requirements include:

The right to know

Consumers have the right to know what personally identifiable information (PII) a business collects on them, how it's used, and with whom the PII is shared.

The right to delete

Consumers have the right to have their PII deleted (with some exceptions).

The right to opt-out

Consumers have the right to opt out of the sale of their PII.

The right to non-discrimination

A business cannot penalize or otherwise discriminate against a consumer who exercises his rights under the CCPA.

Additionally, businesses are required to give consumers a written notice that explains their data privacy practices.

CCPA Compliance Checklist

To help you prepare for your CCPA compliance audit and build the appropriate control framework, we’ve compiled the following checklist based on our complete CCPA compliance guide.


  • Take a data inventory and categorize all data associated with California residents.
  • Perform a risk assessment. Document all potential security risks facing the personal data you collect.
  • Ensure that your website follows CCPA guidelines. The CCPA requires a homepage privacy policy disclosure. That policy must be easy to understand. It also must clearly state how you use the data you collect, and include an opt-out button for consumers who don’t want their information shared (also referred to as “cookie consent”).
  • Create a process for personal data access and deletion when it’s requested.
  • Always have an audit trail, and document your data collection and consent management processes.

The Future of CCPA

On March 15, 2021, the California attorney general’s office announced additional regulations added to CCPA that expand the protections of Californians who seek to control the sale of their PII. These new rules strengthen the language used in CCPA that protects consumers from unethical business practices.

Meanwhile, an even newer law approved by voters in November 2020, the California Privacy Rights Act (CPRA), modifies the regulations set forth in the CCPA by adding GDPR-like provisions and extending the requirement for consent to cover more scenarios.

Reciprocity Has Your CCPA Compliance Solution

If you’re wondering whether or not you need a compliance program, look no further.

Our Reciprocity GRC experts can walk you through the entire CCPA compliance process, helping you to examine your environment and policies and to shore them up before your formal audit.

We can also advise on documentation best practices and provide a template that will help you to ensure that you are fully prepared and have done your due diligence before your audit.

Our flexible, integrated ZenGRC software solution allows you to ditch your Excel spreadsheet and streamlines your CCPA requirements through our intuitive dashboard. It automates many of the tedious manual processing activities and reduces the time and resources required to manage them.


ZenGRC CCPA Capabilities

  • Built by compliance experts for faster time-to-value during the implementation
  • A single source of truth to assign, capture and track fulfillment of regulatory requirements
  • Uses automation to streamline compliance workflows and task tracking
  • Universal control and data mapping to fulfill requirements across multiple frameworks, like GDPR, CPRA and others
  • Identifies gaps in your compliance so you can focus on filling them and get audit-ready faster
  • Real-time, continuous monitoring of your compliance stance

Frequently Asked Questions

Any for-profit organization that does business in California or with California residents will need to comply with the data protection requirements set forth in CCPA.

For individuals who reside in California, the CCPA privacy law provides the right to know what data is being collected and how it’s being used, the right to delete their personal information, the right to opt out of data collection, and the right to non-discrimination when they exercise their CCPA privacy rights.

Organizations that do business with Californian residents are required to uphold those rights within their internal business practices. Furthermore, they are required to provide written proof to customers that specifies their privacy practices, how they collect data, and what they do with it.

The CCPA is a legal requirement only for for-profit businesses. That means that not-for-profit businesses and charitable organizations do not need to comply with CCPA.

The CCPA provides consumers a higher level of transparency from companies and forces them to be accountable for the information they collect as well as what they do with it.

For companies, CCPA compliance provides a greater competitive advantage. It allows them to cast a wider net and attract consumers who are more likely to gravitate toward companies that give them more privacy.

Companies that implement CCPA privacy compliance measures also tend to have more robust security and risk management controls to protect them from privacy risk.

CCPA differs from GDPR in that its privacy regulations cover residents in the state of California within the United States. The GDPR covers citizens of the European Union (EU). Moreover, while both laws are similar in their fundamental approach — namely, that individuals have certain rights over their personal data — the exact rights that each law offers are somewhat different.

The maximum fine for CCPA non-compliance is $100 to $750 per consumer per piece of data compromised, or actual damages, whichever is greater.