Get a Quote

Does CCPA Apply To My Business?

CCPA Compliance Main Image

Is Your Business CCPA Compliant?

The California Consumer Protection Act (CCPA) went into effect on January 1, 2020.  In brief, “the CCPA grants California consumers robust data privacy rights and control over their personal information, including the right to know, the right to delete, and the right to opt-out of the sale of personal information that businesses collect, as well as additional protections for minors. [1]

How Is It Different From GDPR?

The CCPA is the first law in the US to define a broad set of rules designed to protect consumers and their data.  While the specifics of the law vary from the GDPR in Europe, these laws share similar core principles.

For California residents, the CCPA creates a bundle of rights concerning their data.  Some of the key protections include “the right to know” and “the right to say no.” This means that those protected under this law will be able to see the data companies have gathered about them, data such deleted, and opt out from companies selling their data to third parties.

Notably for businesses, this law can affect any company, regardless of where they reside if the company does business in California and meets certain other requirements listed below.

Does CCPA Apply To My Company?

The CCPA applies to any company (your company is a “covered business”) if it operates in California collects the personal information of California residents, determines the purposes and means of processing that information, and one or more of the following applies:

• The business has annual gross revenues in excess of $25 million;

• The business annually buys, receives for the business’s commercial purposes, sells or shares for commercial   purposes the personal information of 50,000 or more consumers, households or devices; or

• The business derives 50% or more of its annual revenues from selling consumers’ personal information.

For more details on determining whether this applies or not see this article.

What Do I Need To Do?

If you determine your company is a covered business, you should do the following:

Update Vendor Contracts

Work with your legal team to update your contracts with vendors

There’s a lot of nuance to the changes you will need to make in order to be compliant with the CCPA.  Vendors can be split into two sub-categories: service providers and third parties. Make sure you understand where your vendors may fall and how it applies to them.

Change Your Privacy Policy


Change your privacy policy to comply with the CCPA

To comply, privacy policies must disclose:

• Consumers’ rights to access and delete personal data

• Methods for requesting information about their data

• The categories of personal data collected, sold or disclosed in the preceding 12 months

• If consumer personal info is sold, the business must provide a link to a “Do Not Sell My Personal Information” website.

Improve Data Response Processes
Provide a process for consumers handling requests access data, deletion of data and for opting out of data collection

This may require extensive data mapping to understand where such data exists and how to find it and delete it.  If processes do not currently exist, they will need to be developed.

Train Your Staff

Employee Training

The CCPA requires training for all individuals (staff) at a company that may handle personal data or inquiries about the company’s privacy practices and other aspects of their privacy program.

Transparency Is Key

The CCPA provides comprehensive protections for California consumers. This extends to companies inside and outside of California, who meet certain requirements that are subject to the CCPA. If your company is a covered business be sure to take the steps necessary to comply with the new regulations. Consider how CCPA compliance fits into your privacy program and other such regulations such as the GDPR. Many processes for one regulation may help maintain compliance with other regulations. Because the CCPA is rapidly evolving, stay tuned for changes and make sure you understand how they may impact your business.

Written by: Chris Zambuto | Chief Information Security Officer @CMITBostonCambridge

[1] CCPA


We can help. Whatever your technology problem is, chances are, we've seen it before.