What Is CCPA Compliance in IT? Requirements & Checklist for Businesses


CCPA compliance means that a covered business can demonstrate it is meeting its legal obligations under the California Consumer Privacy Act, giving California residents control over their personal data, honoring their privacy rights, and maintaining the security practices the law requires. At CMIT Solutions, we help small and mid-size businesses build IT environments where compliance is supported by design, not scrambled for after the fact.

For SMBs, the challenge is real. Growing IT complexity, an evolving regulatory landscape, and genuine cybersecurity uncertainty make it difficult to know where compliance ends and security begins.

Many businesses are still trying to figure out what CCPA actually requires in their day-to-day IT environment. What follows is a practical guide to the requirements, the checklist, and how our team can help you get it right.

Explore our business data compliance solutions to see how CMIT Solutions supports SMBs at every stage of compliance.

 

Does CCPA apply to your business?

CCPA applies to for-profit businesses that do business in California and meet at least one of three thresholds. You do not need to be headquartered in California for the law to apply.

If you have California customers, residents, or employees, you may be covered.

As of January 1, 2025, the California Privacy Protection Agency (CPPA) adjusted its monetary thresholds in line with Consumer Price Index changes. A business is subject to CCPA if it meets any of the following criteria:

  • Annual gross revenue exceeding $26,625,000. This CPI-adjusted figure sits above the original $25 million threshold and now captures a broader range of mid-sized businesses than when the law was first enacted.
  • Buying, selling, receiving, or sharing the personal information of 100,000 or more California consumers or households per year. This count includes website visitors, customers, employees, and business contacts, and is easier to reach than most SMBs expect, particularly for businesses with active websites or digital marketing programs.
  • Deriving 50% or more of annual revenue from selling or sharing personal information. Under the California Privacy Rights Act (CPRA) amendments, “sharing” now includes cross-context behavioral advertising and cross-site tracking, significantly broadening this category beyond traditional data brokers.

The California Attorney General’s office and the CPPA share enforcement authority and have been actively pursuing violations across industries. CMIT Solutions helps businesses assess where they stand against these thresholds and translate those obligations into a practical IT roadmap, with cybersecurity-informed recommendations tailored to their specific operations.

What personal information does CCPA cover?

CCPA defines personal information broadly, and for many businesses, that breadth is the first real surprise. Without a clear picture of what data you hold and where it lives, the risk of accidental exposure or a compliance gap is significant.

Covered data categories include identifiers such as names, aliases, IP addresses, email addresses, and account names; commercial information including purchasing histories; internet or network activity such as browsing and search history; biometric data; precise geolocation data; professional or employment-related information; and sensitive personal information such as Social Security numbers, financial account credentials, health data, and racial or ethnic origin.

The CPRA amendments removed the previous temporary exemptions for employee and job applicant data as of January 1, 2023. HR systems, payroll platforms, and any other tools that process personal information about your own staff now fall within scope alongside customer-facing data.

Personal data rarely lives in one place. It moves through CRMs, HR platforms, email servers, backup environments, cloud applications, and log files. CMIT Solutions helps businesses map that data landscape and build the documentation and system controls that turn a complex compliance picture into a manageable, strategic plan.

💡 Additional reading: CPRA compliance

What rights do California consumers have?

CCPA gives California residents an enforceable set of privacy rights, and covered businesses must have the operational capacity to honor each of them. Under the law, as amended by the CPRA, consumers have the right to:

  • Know what personal information a business collects about them, the purposes for which it is used, and the categories of third parties with whom it is shared.
  • Delete their personal information, subject to defined exceptions, including from backup systems where technically feasible.
  • Correct inaccurate personal information, a right introduced by the CPRA effective January 1, 2023.
  • Opt out of the sale or sharing of their personal information, including through browser-based signals such as the Global Privacy Control (GPC).
  • Limit the use of sensitive personal information, restricting how businesses may use categories such as precise geolocation and health data.
  • Non-discrimination for exercising any of these rights. Businesses may not deny services, charge different prices, or provide inferior service to consumers who invoke their CCPA rights.

Businesses must respond to verified consumer requests within 45 calendar days, with one 45-day extension permitted if the business notifies the consumer within the original window and explains the reason for the delay. CMIT Solutions provides the strategic technology guidance and system capabilities businesses need to meet these obligations consistently, so they are not left scrambling when requests arrive.


What are the core CCPA compliance requirements?

CCPA compliance is not a one-time project. It is an ongoing operational commitment that touches IT systems, vendor relationships, internal policies, and staff.

For businesses managing multiple tools and vendors with no single point of accountability, that complexity can quickly create gaps that regulators notice even when businesses do not.

Privacy notice and disclosure requirements

Businesses must maintain a clear and accessible privacy policy, updated at least annually, that discloses the categories of personal information collected, the purposes for collection, the categories of third parties with whom information is shared, and the mechanisms by which consumers can exercise their rights. Where applicable, the policy must include a “Do Not Sell or Share My Personal Information” link and a “Limit the Use of My Sensitive Personal Information” option.

The CPPA has taken direct enforcement action against businesses for disclosure failures that go beyond missing policy language. In 2025, the CPPA fined Tractor Supply Company $1.35 million in part because submitting requests through its “Do Not Sell” form did not actually stop the sale or sharing of data, and its website failed to recognize and honor Global Privacy Control signals until July 2024.

Compliance requires functioning systems, not just published policies. Through security-first managed IT services, CMIT Solutions helps businesses ensure the technical infrastructure behind their disclosures actually works as described.

Data subject request handling

Businesses must have a working mechanism to receive, verify, and respond to consumer requests to know, delete, correct, and opt out. From an IT standpoint, this means your systems need to be able to locate all personal information associated with a specific individual across your databases and applications, delete or anonymize that data on request, correct inaccurate records, and automatically process opt-out signals, including browser-based GPC signals.

This is operationally demanding for any business without a unified data map. CMIT Solutions works with SMBs to design and document the workflows that make consumer rights requests manageable, consistent, and defensible, drawing on shared tools, systems, and best practices proven across hundreds of businesses, whether your team is handling a handful of requests or scaling to meet growing demand.

Vendor and service provider contracts

CCPA requires written contracts with any service provider or contractor that receives personal information on the business’s behalf. These contracts must restrict the service provider from using the data for purposes beyond the contracted services.

Vendor relationships that involve personal data need to be reviewed, documented, and aligned with CCPA requirements. CMIT Solutions acts as a trusted advisor in this process, helping businesses identify which agreements need updating, what provisions should be in place, and how to structure vendor relationships that support long-term compliance.

Security safeguards

CCPA does not specify a single security standard, but it does create a private right of action for consumers whose unencrypted personal information is exposed in a data breach due to a business’s failure to maintain “reasonable security procedures and practices.” Statutory damages under CPI-adjusted 2025 thresholds range from $107 to $799 per consumer per incident, with no total cap, meaning a large-scale breach can generate penalties that escalate rapidly.

Unplanned downtime from a breach compounds those costs further.

Reasonable security is generally benchmarked against established frameworks. The NIST Cybersecurity Framework is one of the most widely referenced baselines, covering access controls, encryption, multi-factor authentication, endpoint protection, network monitoring, and incident response.

The CPPA adopted new regulations in July 2025 requiring mandatory annual cybersecurity audits for certain larger businesses, with certification deadlines phased in between 2028 and 2029, depending on revenue. CMIT Solutions builds layered security environments designed to exceed baseline expectations, with continuous monitoring and threat response built in so clients stay ahead of evolving requirements rather than react to them.

Use our IT downtime calculator to estimate what an unplanned outage could cost your business.

 

What the CPRA changed, and why it matters now

For many businesses, the CPRA amendments were a genuine blind spot. Obligations that did not exist two years ago, such as covering employee data and recognizing automated opt-out signals, have become active enforcement priorities.

Without trusted, long-term guidance on how these changes affect IT systems and workflows, many SMBs discover compliance gaps only after regulators do.

The California Privacy Rights Act (CPRA), passed by California voters as Proposition 24 in November 2020, amended the CCPA and expanded its scope in several important ways. As the California Attorney General’s office notes, CPRA amends the CCPA rather than creating a separate law, which is why the combined framework continues to be referred to simply as “CCPA.”

The following summarizes the key changes and what each means in practice for businesses:

  • Right to correct: Businesses must be able to update inaccurate personal information in their systems on consumer request.
  • Right to limit sensitive PI use: Consumers can restrict how businesses use sensitive data categories, such as health information and precise geolocation.
  • Employee and B2B data included: Temporary exemptions expired January 1, 2023; HR data and vendor contact data are now covered.
  • “Sharing” added to “selling”: Cross-context behavioral advertising counts as “sharing” even where no payment changes hands.
  • CPPA established: The California Privacy Protection Agency now has independent rulemaking and enforcement authority alongside the Attorney General.
  • Mandatory cybersecurity audits: Effective January 1, 2026, certain businesses must conduct and certify annual cybersecurity audits.

The direction of California privacy law is clear: enforcement is intensifying, the scope is expanding, and the technical demands on business IT systems are growing. CMIT Solutions brings access to current regulatory intelligence and technology insights so our clients can focus on running their businesses with confidence, not tracking every legislative shift on their own.

💡 Additional reading: data compliance regulations


How cyber insurance requirements connect to CCPA

Cybersecurity uncertainty creates a compounding problem for businesses navigating CCPA: many assume their cyber insurance policy will cover them after a data breach or enforcement action, but the coverage they are counting on may not be there when they need it. Insurers are tightening underwriting requirements and may limit coverage or decline renewals when a business cannot demonstrate that appropriate security controls were in place at the time of an incident.

The controls cyber insurers commonly require, including multi-factor authentication, endpoint detection and response, continuous network monitoring, access controls, employee security awareness training, and documented incident response procedures, are the same controls that satisfy CCPA’s “reasonable security” standard. Building a security environment that addresses both sets of requirements means the work done for compliance strengthens your insurability, and vice versa.

CMIT Solutions delivers layered protection across systems, devices, networks, and users, with backup and recovery capabilities that support business continuity when incidents occur, all backed by responsive local support and a nationwide network of technology experts.

Take our insurance readiness assessment to see whether your current security environment aligns with modern insurer expectations.

 

CCPA IT compliance checklist for SMBs

The following checklist covers the core operational and technical steps for CCPA compliance. This is not legal advice, and businesses should work with qualified legal counsel on their specific obligations. From an IT and operational standpoint, this is where to start.

Data inventory and mapping

  • Identify all categories of personal information your business collects, processes, stores, or shares
  • Document where personal data lives across all systems, including CRM, HR, email, cloud storage, and third-party tools
  • Identify all service providers and contractors who receive personal information
  • Establish a data retention schedule and a process for secure deletion at the end of the retention period

Privacy notices and disclosures

  • Update your website privacy policy to reflect current CCPA and CPRA requirements and review it at least annually
  • Add a “Do Not Sell or Share My Personal Information” link if applicable
  • Add a “Limit the Use of My Sensitive Personal Information” option where required
  • Configure your website to recognize and honor Global Privacy Control signals
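
The last item above, and the earlier point that opt-out signals must be processed automatically, come down to one piece of server logic. The following is an added example, not code from this post or from CMIT Solutions, showing how a web application can recognize the Global Privacy Control signal and make sure it actually stops sale-or-share activity, which is the failure mode behind the Tractor Supply enforcement action described earlier. GPC is a real signal: browsers that enable it send the HTTP request header Sec-GPC: 1 and expose navigator.globalPrivacyControl to page scripts. The consumer record, the tag list, the request headers and all field names are constructed for this example.

```javascript
// Added example (not from the original post): honoring the Global Privacy
// Control (GPC) opt-out signal. The consumer record, tag list and request
// headers below are constructed sample data; the field names are this
// example's own choices, not a particular product's schema.

// HTTP header names are case-insensitive, so look the header up that way.
function getHeader(headers, name) {
  const wanted = name.toLowerCase();
  const key = Object.keys(headers).find((k) => k.toLowerCase() === wanted);
  return key === undefined ? undefined : headers[key];
}

// GPC defines "1" as the only value that expresses an opt-out. An absent
// header, "0" or anything else must not be treated as a signal either way.
function hasGpcSignal(headers) {
  return getHeader(headers, 'Sec-GPC') === '1';
}

// Client-side equivalent for scripts running in the page. The navigator
// object is passed in so the function can be exercised outside a browser.
function clientSignalsGpc(nav) {
  return Boolean(nav && nav.globalPrivacyControl === true);
}

// Constructed third-party tags. "sale_or_share" marks tags whose loading would
// be a sale or share under CCPA/CPRA (e.g. cross-context behavioral
// advertising); "essential" tags are needed to serve the page and are not
// affected by an opt-out.
const TAGS = [
  { name: 'payment-fraud-check', purpose: 'essential' },
  { name: 'ad-network-pixel', purpose: 'sale_or_share' },
  { name: 'retargeting-beacon', purpose: 'sale_or_share' },
];

// Apply the opt-out for one request. A GPC signal is treated like a submitted
// "Do Not Sell or Share" request: it is recorded on the consumer's profile so
// later requests without the header still honor it, and it blocks every
// sale-or-share tag for this response. Returns the updated record, the names
// of the tags allowed to load, and an audit event for the compliance file
// (null when nothing new was recorded).
function applyOptOut(consumer, headers, tags, now = new Date()) {
  const record = { ...consumer };
  let event = null;
  if (hasGpcSignal(headers) && !record.optedOutOfSaleOrShare) {
    record.optedOutOfSaleOrShare = true;
    record.optOutSource = 'gpc';
    record.optOutAt = now.toISOString();
    event = { consumerId: record.id, action: 'opt_out_recorded', source: 'gpc', at: record.optOutAt };
  }
  const allowed = record.optedOutOfSaleOrShare
    ? tags.filter((t) => t.purpose !== 'sale_or_share')
    : tags.slice();
  return { record, allowedTags: allowed.map((t) => t.name), event };
}

// Self-check a monitoring job can run over served responses: an opted-out
// consumer must never have received a sale-or-share tag. A recorded opt-out
// that does not change what the site loads is exactly the gap regulators
// have fined.
function optOutHonored(record, allowedTagNames, tags) {
  if (!record.optedOutOfSaleOrShare) return true;
  const purposeByName = new Map(tags.map((t) => [t.name, t.purpose]));
  return allowedTagNames.every((n) => purposeByName.get(n) !== 'sale_or_share');
}

// Constructed consumer with no prior opt-out, first seen from a GPC-enabled
// browser, then again from a request that carries no header.
const sampleConsumer = { id: 'c-1001', optedOutOfSaleOrShare: false };
const withGpc = applyOptOut(sampleConsumer, { 'sec-gpc': '1', 'user-agent': 'constructed' }, TAGS);
const later = applyOptOut(withGpc.record, { 'user-agent': 'constructed' }, TAGS);
console.log('first request, tags allowed:', withGpc.allowedTags, 'audit:', withGpc.event);
console.log('later request, tags allowed:', later.allowedTags, 'honored:', optOutHonored(later.record, later.allowedTags, TAGS));
```

The design choice worth noting is that the decision is driven by the stored record, not only by the header on the current request: the signal is persisted the first time it is seen, and the page-assembly step filters on that record every time. The optOutHonored check is the piece to wire into monitoring, because it catches the case where a request was logged but the tags kept loading.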

Consumer rights request handling

  • Establish a clear mechanism for consumers to submit requests to know, delete, correct, and opt out
  • Document your identity verification process for confirming the consumer submitting a request
  • Set up a workflow to locate, fulfill, and confirm requests across all data systems within 45 calendar days
  • Train staff responsible for routing and responding to consumer rights requests

Vendor and contract management

  • Audit all service provider and contractor relationships that involve personal information
  • Confirm that written contracts are in place with the required CCPA service provider provisions
  • Review any data sharing arrangements to confirm they are properly characterized and disclosed in your privacy policy

Security controls

  • Implement reasonable security practices benchmarked against an established framework, such as the NIST Cybersecurity Framework
  • Enable multi-factor authentication on all systems that process or store personal information
  • Encrypt sensitive personal data at rest and in transit
  • Apply access controls limiting personal data access to personnel who require it
  • Deploy endpoint protection and continuous network monitoring
  • Document, test, and maintain an incident response plan

Ongoing program management

  • Update your privacy policy promptly when material changes occur to your data practices
  • Conduct employee training on CCPA obligations and your internal data handling procedures
  • Monitor enforcement guidance and regulatory updates from the California Privacy Protection Agency
  • Work with your IT provider to assess whether your business falls under the new mandatory cybersecurity audit requirements and plan accordingly

Businesses in regulated sectors such as federal contracting can explore our CMMC compliance services for the additional security requirements that apply alongside CCPA.

 

How CMIT Solutions helps businesses get CCPA compliance right

CCPA compliance is as much an IT challenge as it is a legal one. The security controls, data management practices, and vendor oversight that the law requires all depend on having the right technology foundation in place.

For most small and mid-size businesses, building that foundation without a dedicated compliance or IT team is where things get complicated. That is where CMIT Solutions steps in, bringing security-first IT expertise and strategic guidance that turns compliance obligations into a stronger, more resilient operation.

With more than 30 years of experience and a nationwide network of 900+ IT and cybersecurity professionals, CMIT Solutions works with businesses across healthcare, professional services, hospitality, government contracting, and more to build IT environments that are designed, monitored, and managed with security standards that exceed baseline expectations.

We implement layered protections that satisfy CCPA’s “reasonable security” standard and modern cyber insurance underwriting requirements, and our cybersecurity-informed recommendations ensure every technology decision supports your compliance posture and your operational goals.

Our support is responsive and locally delivered, with on-site assistance available when your team needs it in person, and backed by the shared expertise, tools, and best practices of a national network. That combination gives you a trusted technology advisor who knows your business alongside the depth of resources that larger organizations rely on.

From data mapping and vendor contract reviews to endpoint protection, continuous monitoring, and incident response planning, CMIT Solutions helps businesses close compliance gaps, strengthen their cybersecurity posture, and build the operational resilience to grow with confidence.

See how that approach works in practice through our Optyx case study. Optyx, a multi-location optical retailer, partnered with CMIT Solutions to unify its IT across locations with a consistent, secure infrastructure, giving its team reliable support and a security foundation built to scale.

To find out how CMIT Solutions can help your business meet its CCPA obligations and strengthen your overall IT security posture, call us at (800) 399-2648 or reach out online to get started.

 

FAQs

Does CCPA apply to my business if we are not based in California?

Yes, CCPA applies to any for-profit business that serves California residents and meets at least one qualifying threshold, regardless of where it is headquartered. If your company sells to California customers, operates a website visited by California users, or employs California-based staff, you may be legally required to comply.

Does CCPA cover my employees’ personal data as well as my customers’?

Yes. As of January 1, 2023, employee and job applicant data are fully covered under CCPA following the expiration of a temporary exemption. HR systems, payroll platforms, and any tools that process staff personal information now fall within scope, meaning employees have the same rights to know, delete, and correct their data as customers do.

What do I need to do when a customer requests deletion of their personal data?

When a verified deletion request is received, your business must locate and delete the consumer’s personal information across all active systems within 45 calendar days. If the data also exists in backup systems, it must be flagged for deletion during the next scheduled purge cycle, with a record of the action kept for compliance documentation purposes.

Does my business have to honor browser-based privacy signals like Global Privacy Control?

Yes. Covered businesses that sell or share personal information are required to recognize Global Privacy Control (GPC) signals as a valid opt-out request automatically, without requiring the consumer to submit a separate form. The CPPA has already fined businesses that published opt-out links but failed to configure their websites to process GPC signals correctly.

Does being HIPAA compliant mean my business is also CCPA compliant?

Not necessarily. CCPA and HIPAA operate independently, and HIPAA compliance does not satisfy CCPA obligations.

CCPA covers a broader range of personal data and requires consumer rights mechanisms, privacy notices, and vendor contracts that HIPAA does not mandate. CMIT Solutions helps businesses in regulated industries build IT environments that address both frameworks without duplicating effort.
