
CCPA Compliance Checklist (Download Your Action Plan Today)

Written by Alex Margau | 12 March 2024

Ever since the California Consumer Privacy Act (CCPA) came into effect on January 1, 2020, and began enforcement on July 1, 2020, businesses across California have had to ensure strict adherence to its guidelines. Then, in November 2020 came the CPRA (California Privacy Rights Act), also known as CCPA 2.0, effective since January 1, 2023, and finally, on March 23, 2023, the long-awaited CCPA Regulations were published, effective as of February 9, 2024.

With all of these in play, businesses' compliance became somewhat of a bumpy road because of the successive changes and updates. Still, today, for any for-profit entity collecting California consumers' personal data and meeting the specific revenue or data interaction thresholds, CCPA compliance is not just advisable; it is legally mandated, and falling short exposes the business to steep penalties.

In this article we are discussing what a CCPA compliance checklist looks like so covered businesses can gain some clarity and some insight into their obligations and responsibilities, and we even offer an infographic that sums up all of this. 


Understanding CCPA in Simple Terms

The California Consumer Privacy Act, or CCPA, is California's consumer privacy law. It aims to protect the privacy of California residents and is one of the strictest privacy laws in the world. It applies to businesses that meet its thresholds for applicability and that collect and process the personal information of Californians.

Here’s a simpler breakdown of what CCPA means:

  • Who it affects: Any business that satisfies one or more of the following thresholds:
    • Earns annual revenues of more than $25 million;
    • Collects and processes personal information of at least 100,000 consumers, households or devices; or
    • Derives at least 50% of its annual revenues from selling or sharing consumers’ personal information.
  • Its purpose: The CCPA aims to give Californians more control over their personal information, while also making sure that businesses handle people's data carefully and tell them how it may be used. The CCPA also mandates that businesses keep personal information safe by having good security practices in place that prevent data from being lost or stolen.

The CCPA grants California residents enhanced rights regarding their personal data:

  1. Right to Know: Consumers can inquire about what personal information a business collects about them and why it's collected.
  2. Right to Data Portability: Consumers can access their personal data held by a business.
  3. Right to Opt-out: Consumers can object to the sale of their personal information.
  4. Right to Deletion: Consumers can request the deletion of their personal information from a business's records.
  5. Right to Non-discrimination: Exercising CCPA rights should not lead to discriminatory treatment by businesses.

In addition to this, the CCPA uses a broad definition of "selling" personal information, which covers many business activities and has to be carefully studied and understood.

According to the CCPA, selling personal information means:

selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer’s personal information by the business to another business or a third party for monetary or other valuable consideration.

Your CCPA Compliance Checklist

Here's a CCPA compliance checklist to help your business facilitate CCPA compliance. 

  • Publish a Privacy Policy: Make sure your website displays a privacy policy that meets the CCPA’s standards and outlines consumer rights and your data handling practices. CCPA requires a number of privacy policy disclosures, and you’ll need to make sure yours includes:
    • Effective date.
    • CCPA specific disclosure requirements (if you’d like, you can link to a separate California-specific privacy policy).
    • An update at least every twelve (12) months.
    • Web forms and contact methods (such as a toll-free phone number) for a California consumer to make a data subject access request ("DSAR").
    • Accurate descriptions of personal information collected, purposes of collection, and any sharing/selling activities.
    • Contact information where consumers may submit questions or concerns about the business’s privacy policy and processing activities.
  • Ensure Data Processing Transparency: Clearly communicate to your website visitors (consumers) how their data is used, shared, or sold, at the point of collection or sale.
  • Maintain An Inventory of Data: Keep a detailed log of the data you collect, process, and/or share.
  • Make Sure You Obtain Informed Consent at Data Collection: Before collecting the personal data of consumers, notify them explicitly of this, securing their consent.
  • Facilitate Data Subject Requests: Allow consumers easy access to their rights. To do this, you need to establish protocols to respond promptly to consumer inquiries and requests under the CCPA, within the timeframes mandated by the law.
  • Implement a "Do Not Sell or Share My Personal Information" Link: Feature this link prominently on all your website pages and anywhere data is collected if you sell personal information.
  • If you process sensitive personal information, implement a "Limit the use of my sensitive personal information" Link: Feature this link prominently on all your website pages and anywhere data is collected if you process sensitive personal information.
  • Understand the "Do Not Sell or Share" Obligations: Under the CCPA, even indirectly sharing data can be seen as selling it. For example, if you share consumer data through an embedded YouTube video, this could very well be considered a sale of information. Make sure your website has an accessible "Do Not Sell or Share My Personal Information" link, that your privacy policy is transparent regarding your data sharing practices, and that it differentiates between sales and exchanges of data with service providers. Some things to consider:
    • Even if your business is not a data broker, you should review your AdTech activities, such as reviewing your cookies and trackers on your website. If you’re using common tools like Google Analytics or Facebook Pixel, this may fall under the definition of “sale” of data.
    • If you’re using cookies or tracking scripts, or sharing/selling data in any way, you should outline this in your privacy policy.
    • Explore whether your sharing activities are exclusively to “service providers” or businesses that would not meet the “sale” criteria and make sure the privacy policy accurately discloses those activities.
  • Understand the Scope of "Sale": The CCPA's definition of selling data is broad, capturing many forms of data transactions. Ensure you understand what "sale" means and how it applies to your business in order to facilitate compliance.
  • Keep Your Privacy Policies Updated: CCPA compliance involves regular privacy policy updates to reflect the latest data practices and legal requirements of your business, along with providing clear channels for consumers to exercise their CCPA rights.
  • Provide Consumers with Opt-Out Mechanisms: CCPA requires that companies provide consumers with a way to “opt-out” of data collection. One of the most common data collection points is on a company’s website, and likely the most common personal information collected is a website visitor’s IP address. If your website is using cookies or tracking scripts (most do), then it’s highly likely that you’re collecting personal information. If that’s the case, then you need to provide consumers with a way to “opt-out” of cookie collection. If you think that this can be accomplished by “Do Not Track” signals or emails, you’d be wrong. An effective opt-out mechanism for data collection, particularly around cookie use, is vital. You should consider using a cookie consent management platform to facilitate this and ensure consumer choice is respected.
  • Conduct Regular Privacy Assessments (where applicable): There are specific cases, such as data processing that presents a significant risk to consumers' privacy, where you need to conduct a risk assessment. If your data processing meets these criteria, then you need to conduct audits and periodically review your data practices and privacy policy to ensure ongoing CCPA compliance.
  • Training and Awareness: Arrange regular training for your employees on CCPA compliance, with a special focus on those who handle consumer inquiries and data processing.
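As an added example that is not part of this article or of Clym's product, the JavaScript below shows one way a site could record a visitor's "Do Not Sell or Share" and "Limit the use of my sensitive personal information" choices with a timestamp, and then inject only those third-party trackers whose purpose the visitor has not opted out of, rather than relying on "Do Not Track" signals. The cookie name, tracker names and purpose categories are assumptions constructed for the example.

```javascript
// Added example, not code from Clym or from the CCPA text.
// Hypothetical cookie name used to persist the visitor's recorded choices.
const CONSENT_COOKIE = "ccpa_prefs";

// Under the CCPA's opt-out model, no recorded choice means sharing is not yet restricted.
function defaultPrefs() {
  return { optOutOfSaleOrShare: false, limitSensitiveUse: false, recordedAt: null };
}

// Read the preference cookie out of a document.cookie-style string.
function parsePrefs(cookieString) {
  const prefix = CONSENT_COOKIE + "=";
  const pair = (cookieString || "").split(";").map(s => s.trim()).find(s => s.startsWith(prefix));
  if (!pair) return defaultPrefs();
  try {
    return { ...defaultPrefs(), ...JSON.parse(decodeURIComponent(pair.slice(prefix.length))) };
  } catch {
    return defaultPrefs(); // malformed or tampered cookie: treat as "no choice recorded"
  }
}

// Record a choice with a timestamp so the business keeps a dated record of it,
// and build the Set-Cookie value that persists it for one year.
function recordChoice(prefs, { optOutOfSaleOrShare, limitSensitiveUse }, now = new Date()) {
  const updated = { ...prefs, optOutOfSaleOrShare, limitSensitiveUse, recordedAt: now.toISOString() };
  const value = encodeURIComponent(JSON.stringify(updated));
  return {
    prefs: updated,
    cookie: `${CONSENT_COOKIE}=${value}; Path=/; Max-Age=31536000; SameSite=Lax; Secure`,
  };
}

// Constructed tracker inventory: each script is tagged with the data purpose it serves.
// "service_provider" scripts are exchanges with service providers, not sales, so an
// opt-out does not block them; "sale_or_share" and "sensitive" scripts are gated.
const TRACKERS = [
  { name: "site-analytics", purpose: "sale_or_share" },
  { name: "ad-pixel", purpose: "sale_or_share" },
  { name: "health-survey-widget", purpose: "sensitive" },
  { name: "first-party-session", purpose: "service_provider" },
];

// Return the names of trackers that may be injected for the given preferences.
function allowedTrackers(prefs, trackers = TRACKERS) {
  return trackers
    .filter(t => (t.purpose !== "sale_or_share" || !prefs.optOutOfSaleOrShare) &&
                 (t.purpose !== "sensitive" || !prefs.limitSensitiveUse))
    .map(t => t.name);
}
```

In a real page, the script tags for `allowedTrackers(parsePrefs(document.cookie))` would be injected only after this check runs, and the "Do Not Sell or Share" link handler would call `recordChoice` and write the returned cookie.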


CCPA Noncompliance Consequences

Based on the CCPA rules, if your business doesn't follow the CCPA requirements and fails to show that it has fixed the issue within the 30-day cure period, you are likely to face serious fines of up to $2,500 per unintentional violation and up to $7,500 per willful violation.

In addition, if a consumer is harmed because their data was leaked in a data breach on your website, they can ask for damages and may be awarded between $100 and $750 per person affected by the incident, or more if the actual harm was greater, and can also ask the court for other forms of relief against your business to correct the situation or prevent further harm.


What is a best practice?

Implement a Consent Management Platform (CMP). 

Why? 

Using a CMP simplifies the way your business meets its data-handling responsibilities. It gives users a straightforward way to manage their data preferences and gives your business a way to record those preferences accurately. A CMP integrates with your website, helping with compliant data sharing and with staying current with ever-evolving privacy regulations. By using a CMP your business can follow the legal requirements of the CCPA with less effort and can also cultivate trust with consumers.


How Can Clym Help You?

Clym helps businesses easily meet the requirements of the California Consumer Privacy Act (CCPA) by offering a tool that streamlines the management of consumers’ data privacy. Our platform makes it simple for businesses to notify consumers about what personal information is being collected and why, at the time of collection. 

Furthermore, Clym aids in verifying the identity of people making requests about their personal information, helping businesses prevent fraud while respecting consumer rights. We provide businesses with a way to keep track of consumer requests and responses to these. This means your business can comply with the law without hassle, avoid fines, and you can build trust with your customers by showing them that you take data protection seriously.

You can see Clym in action by booking a demo or reaching out to us to discuss your specific needs today.


CCPA Compliance Checklist - Downloadable Resource

Here is a CCPA compliance checklist to facilitate compliance for your business with the California Consumer Privacy Act:
