California Consumer Privacy Act (CCPA)

The California Consumer Privacy Act (CCPA) provides and enhances consumer privacy rights and protections for California residents.

What is CCPA and Why is it Important?

California was the first U.S state to enact a privacy law. In June of 2018, California passed some of the strictest privacy regulations in the U.S. The California Consumer Privacy Act, also known as CCPA, came into effect on January 1st, 2020. Enforcement started on July 1st, 2020.

The CCPA provides and enhances consumer privacy rights and protections for California residents. California residents have the right to know what personal information a business has collected about them, receive a copy of that information, or request that the information be deleted.

Under CCPA, personal information is essentially any piece of identifiable information that can be used to identify a person. Things like names, postal addresses, email addresses, IP addresses, account names, Social Security numbers, driver's license numbers, passport numbers, biometric data, internet data, geolocation, audio/video, employment information, education information, inferences made about the individual, and anything else that can be used to identify an individual.

They have the right to know if their information has been disclosed or sold, and to whom or to refuse sale, disclosure, or use of their information, and they can't be discriminated against if they exercise these rights.

The CCPA does not apply to all companies doing business with California residents. It only applies to those who meet one or more of the following:

  • Have annual gross revenue of over $25 million.
  • Annually buy, sell, receive, or share for a commercial purpose the personal information of 50,000 or more consumers, households, or devices. 
  • Derives 50% or more of its annual revenues from selling consumers' personal information.

The middle bullet above is likely to capture any company that conducts business online through a mobile application. Take for example a company that runs an online blog that receives an average of 150 visitors per day. Over the course of a year, that will add up to more than 50,000 people. If the company's blog is collecting visitors' personal information, such as individual IP addresses or browsing history through the use of cookies, then that company will fall within the scope of the CCPA.

Where Does the CCPA Apply?

The CCPA can be enforced against any organization, anywhere. The act does not require organizations to have a physical presence in California. It merely requires that companies do business in the state and meet one of the three threshold requirements.

Just like how California emissions standards affect everybody, since no carmaker can afford not to sell cars in California, these new privacy regulations are going to affect everybody.

Realistically, every medium to large business in the United States is going to be affected. If you want to do business with anyone in California, you're going to have to comply. Consumers are tired of their data being mishandled by big companies that haven't made privacy and security a priority.

What are the penalties for not complying with the CCPA?

The CCPA creates enormous liability for companies that fail to comply. The Act allows for fines up to $2,500 per violation or $7,500 per intentional violation, and the CCPA does not place a cap on the total amount of fines. To put this in perspective, a CCPA violation affecting 10,000 California consumers can result in a penalty of $25 million for an unintentional violation and up to $75 million for an intentional one. Further, according to a study conducted by IBM, you are more likely to suffer a data breach of at least 10,000 records than you are to catch the flu this winter.

How to be CCPA Compliant:

There are 5 essential steps to take to be CCPA compliant.

  1. Determine whether or not the CCPA is applicable to your organization. The CCPA applies mainly to companies that collect, buy, or sell large amounts of personal information from consumers. However, some companies choose to comply with CCPA regulations even if the law doesn't apply directly to them which can help boost credibility with customers.
  2. After you have determined whether the CCPA applies to your business, you'll need to add an opt-out option on your website and update your privacy policy. The CCPA requires businesses to notify customers if their personal data is being collected or sold. This information must be disclosed on your company's website. You'll also need to have a system in place for processing data requests from customers. The CCPA allows customers to request access to or deletion of their personal data, and businesses need to have a plan for handling these requests.
  3. You'll also need to have a system in place for processing data requests from customers. The CCPA allows customers to request access to or deletion of their personal data, and businesses need to have a plan for handling these requests.
  4. It is also important to implement a disaster response plan and stay educated on data privacy laws. You'll need to know how your business will respond in the event of a data breach, and it's crucial to make sure all employees are properly trained on data privacy requirements.
  5. Finally, choosing a CCPA-compliant data collection platform can be extremely helpful in meeting compliance requirements.

CCPA is really a game-changer for cyber security and privacy. It gives consumers the right to know what data companies have, know that their data is being protected, and opt out of the sale of that data. Your employees need to know how to handle the data they're working with on a daily basis and it is the organization's responsibility to train them. 

Security analytics and data protection are the primary ways companies can make sure that they keep data private. Knowing what sensitive data they have, making sure it's not exposed, and only accessible by the right people goes a long way to making sure that that data is not breached in the first place.

With customer attention to privacy growing, now is the time to get started on a robust CCPA-compliant privacy program. See how Evisort can help your business be confident about CCPA compliance. Contact us here.

Quote Icon

Find out how


can help your team

Volutpat, id dignissim ornare rutrum. Amet urna diam sit praesent posuere netus. Non.

Find out how


can help your team

Test Evisort on your own contracts to see how you can save time, reduce risk, and accelerate deals.