Securiti leads GigaOm's DSPM Vendor Evaluation with top ratings across technical capabilities & business value.

View

The CCPA Compliance checklist [Updated 2025]

Published May 5, 2023
Author

Omer Imran Malik

Data Privacy Legal Manager, Securiti

FIP, CIPT, CIPM, CIPP/US

Listen to the content

This post is also available in: Brazilian Portuguese

The California Consumer Privacy Act (CCPA) was the direct predecessor of the current California Privacy Rights Act (CPRA). The CCPA contained several similarities with the CPRA, most notably in the obligations it placed upon organizations subject to it.

For organizations hoping to become CPRA compliant, understanding CCPA and its obligations may prove a vital foundation to build their compliance strategy upon. This checklists streamlines that process and makes it easy for you to understand these obligations.

CCPA Compliance Scope

The CCPA's scope is relatively well-defined. It applies to any for-profit organization that collects users' data and fulfills either one of the following criteria:

  • Has annual gross revenues above $25 million;
  • Possesses the personal information of 50,000 or more consumers, households, or devices;
  • Earns more than half of its annual revenue from selling consumers' personal information.

Disclosures

Under the CCPA's right to be informed, organizations must disclose personal information they collect with their owners. This disclosure is in two stages with different requirements for each.

Notice Before the Point of Collection

  • The business cannot collect personal information (PI) before the consent notice is shown.
  • The consent notice should state the categories of PI collected and the purpose for which the PI is being collected.
  • The notice should also include a link titled ‘Do not sell my Personal Information’ if the business sells personal information.
  • The notice should also include a link or direction to the Privacy Notice/Policy of the business.
  • If more categories of PI are collected OR the purpose for which PI is being used changes, then an updated consent notice has to be shown.

Privacy Notice/ Policy

  • Categories of PI collected along with purpose and categories of sources;
  • Categories of PI sold/shared/disclosed (or if not) along with categories of third parties shared with and purpose;
  • Description of rights under CCPA along with a process to exercise them and how verification of the request will be done (including a button titled ‘Do not sell my Personal Information);
  • Contact information of business along with the last date of update of notice;
  • If a business knows it sells PI of consumers below 16 years of age then process for opt-in and opt-out of the sale of minor's PI;
  • Financial incentive policy if offered along with details of how a consumer's PI is evaluated and how consumers can opt-in and opt-out;
  • For businesses handling 10,000,000 consumers PI in a year (June to June), DSR metrics (requests received, accepted, rejected and median no. of days to respond).

Data Types Regulated by the CCPA

The CCPA defines personal data as "Information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household."

Also, personal data doesn't always include names, addresses, and birthdates. It can also appear as images, audio clips, or other personal information if it fulfills the CCPA requirements.

Some examples include the following:

Other forms of personal data are inferences that can be drawn from the following:

  • Consumer preferences;
  • Characteristics;
  • Psychological trends;
  • Predispositions;
  • Behaviors;
  • Attitudes;
  • Intelligence;
  • Abilities;
  • Aptitudes.

Selling Personal Information

Keeping the consumer informed is not the only thing organizations need to be aware of under the CCPA. Organizations need to ensure that the information they sell is according to the requirements of the CCPA. These requirements include:

    • Operationalizing 'Do not sell', i.e., ensuring consumers who have opted out, their PI is not sold/shared by the business within 15 days of receiving the request.
    • Signing and enforcing agreements with service providers as per CCPA requirements before sharing PI.
    • Provide individuals aged 16 or more with the ability to opt-out of the sale of their Personal information at any point.
    • Detecting and accepting global opt-out preference signals/browser settings etc., for online businesses.
    • Third parties who have bought the PI from the business will have to provide notice to consumers before using their sold PI for any other purpose than for which it was initially collected.
    • Stop selling PI of individuals aged 16 or younger without their consent.
    • Businesses must limit the subsequent sale of Personal Information by a service provider on behalf of the business if a consumer opts out of the sale of their PI.
    • Honor opt-out request for at least 12 months before attempting to re-obtain consent to sell personal information again.

The Right to Access

CCPA gives consumers the right to request access to any information held by organizations on the individual. Consequently, organizations are required to ensure the following solutions are available to their customers:

  • Provide 2 options for consumers to request their personal information – an 800 number and another method, such as a web page.
  • Verify the consumer’s request, for example, via a secure email.
  • Provide all the required personal information within 45 days.
  • If personal information was sold, organizations must also identify and inform the consumer of the sources of information, its collection purpose, and the categories of third parties to whom the data was sold to.

As per the CCPA, the following information must be provided in an access request:

  • The categories of personal information the business has collected about the consumer in the preceding 12 months. For each category identified, the categories of third parties to whom it disclosed that particular category of personal information.
  • The categories of sources from which the personal information was collected.
  • The business or commercial purpose for which it collected or sold the personal information.
  • The categories of third parties with whom the business shares consumers’ Personal Information.

The right to access is one of the toughest articles for businesses to comply with because organizations need to track the location of every consumer’s personal information in all on-premises and multicloud data systems. To meet this requirement, businesses need to identify personal and sensitive data solutions to help them ensure compliance with the CCPA.


The Right to Deletion

CCPA not only gives individuals the right to access their information but also the right to request the complete deletion of their data. The CCPA also allows consumers to request the deletion of their data. If an organization receives a valid, verified request from a consumer, it must ensure the consumer’s data is deleted. To fulfill this request, organizations need to do the following:

  • Collect information from the consumer for the request. Information can easily be collected through a form or portal on the organization’s website.
  • Use the collected information to verify the consumer’s request.
  • Determine if any exceptions permit the organization to retain the records.
  • Permanently and completely erasing the personal information on its existing systems except for archived or backup systems.
  • Direct service providers to delete their records of the requesting consumers’ PI as well.

A consumer can send in a request to the business to delete their personal information, and covered businesses would have to comply if the PI is not required for:

  1. Transactional reasons.
  2. Security reasons.
  3. Identifying and fixing errors.
  4. Free Speech considerations.
  5. CalECPA Compliance.
  6. Research for Public Interest reasons.
  7. Expected Internal Use.
  8. Legal Compliance.
  9. Other Internal Uses.

Cybersecurity

The CCPA grants aggrieved consumers the right to bring private lawsuits against an organization that has had a data breach due to lax security measures in which their personal data was compromised. The damages granted in lawsuits can start from $100 and go up to $750 per individual.

Organizations are therefore required to implement a robust cybersecurity framework to protect  themselves from litigation. In case of a data breach where the organization does not have reasonable procedures in effect to maintain the confidentiality of their consumers’ personal information, they will be facing the prospect of damages that could easily reach over $1 million if more than 10,000 people are impacted.

The law does not specifically mention the procedures which are deemed reasonable.

In 2016, the AG of California released a report on Data Breaches and defined reasonable security measures to mean the implementation of 20 controls listed in the Center for Internet Security’s (CIS) Critical Security Controls to identify the minimum level of information security that all organizations that collect or maintain personal information should meet and that an organization’s failure to implement all of the controls constitutes a lack of reasonable security.

The 20 controls are:

  1. Inventory of authorized and unauthorized devices;
  2. Inventory of authorized and unauthorized software;
  3. Security configurations for hardware and software on mobile devices, laptops, workstations, and servers;
  4. Continuous vulnerability assessment and remediation;
  5. Controlled use of administrative privileges;
  6. Maintenance, monitoring, and analysis of audit logs;
  7. Email and web browsing protection;
  8. Malware defense;
  9. Limitation and control of network ports, protocols, and services;
  10. Data recovery capability;
  11. Secure configurations for network devices such as firewalls, routers, and switches;
  12. Boundary defense;
  13. Data protection;
  14. Controlled access based on the need to know;
  15. Wireless account control;
  16. Account monitoring and control;
  17. Security skills assessment and appropriate training to fill gaps;
  18. Application software security;
  19. Incident response and management;
  20. Penetration tests and red team exercises.

Privacy Training

The CCPA requires that compliance professionals who handle consumer inquiries be trained on all the rights granted to consumers (this can be done through the help of online courses and training modules to give your staff a better understanding of the data privacy sector and how to manage consumers) under the CCPA, and how consumers can exercise those rights. This would include, for example, the employee's staffing, the 800 number, and the ones who are responding to consumer inquiries and requests for information.


The CCPA Compliance Checklist

It is advisable to go through each item on this checklist to ensure your organization is compliant with the CCPA.

Update Privacy Policies
Although companies follow the strictest standards when drafting privacy policies, they need to make sure that their policies are compliant with the CCPA.
Create Methods of Accessibility
Establish a means for the customer to easily request data access and data deletion. This could be at minimum a toll-free number
Verification System
People that can verify their identification can access their information held by organizations. Verification systems will be a part of the CCPA compliance regulations
Data Governance
Prepare records, data maps and inventories of Californian’s personal data to fulfill any requests in an efficient and timely manner
Opt-Out Button
Adding in an opt-out button will help you stay compliant without the added hassle of manually updating that customer.
Obtain Consent from Minors
Minors under the age of 16 will not automatically consent under CCPA. Organizations need to develop a process by which they can obtain direct consent from those aged 13-16 years, or parents consent from minors under 13 years.

 


Risk of CCPA Non-Compliance

The CCPA was drafted and implemented to protect the data privacy rights of all Californian residents by organizations collecting their data. It does so by mandating certain obligations that all organizations must follow when collecting users' data. Failure to do so can lead to heavy fines.

The California Attorney General's Office deals with any violations of the CCPA. It can levy civil penalties of up to $2,500 for each violation or $7,500 for repeated intentional violations after due notice and a 30-day cure period.

The aforementioned fines can be levied for any of the following:

  • Failing to maintain a CCPA-compliant;
  • Privacy Policy failing to respond to consumers' requests under the CCPA rights;
  • Failing to provide adequate notice when collecting personal information;
  • Selling consumers' personal information without providing an opt-out;
  • Discriminating against consumers who exercise their CCPA rights.

Additionally, ​​consumers can file private lawsuits for between $100 to $750 damages or for actual damages for each incident of breach of their unredacted and unencrypted data stored in a business's server.

Key Takeaway

  • Companies have to comply with CCPA regulations and fulfill all customer personal data requests.
  • Failure to do so can result in hefty fines, lawsuits, and reputational damage.

Organizations that hope to comply with the CCPA using traditional methods will face several resource and time challenges. Automation is the only way to practically manage these requests. Securiti helps organizations automate their privacy management operations using artificial intelligence and robotic automation. Request a demo and start your CCPA compliance process today.


Frequently Asked Questions (FAQs)

The full form of CCPA is the California Consumer Privacy Act. California became the first U.S. state to enact a comprehensive data privacy law, the CPPA, which took effect on January 1, 2020.

The CCPA is based on several key concepts. For data subject rights, it grants California residents the right to know what personal information is collected, request deletion, and opt out of its sale. For business obligations, covered businesses must disclose data practices, provide opt-out mechanisms, and refrain from discriminatory treatment based on opt-out choices.

GDPR (General Data Protection Regulation) and CCPA (California Consumer Privacy Act) are both privacy regulations, but they have different scopes and apply to different jurisdictions. GDPR is a European regulation that focuses on protecting the personal data of individuals within the European Union (EU), while CCPA is a Californian law that grants privacy rights to residents of California, USA. While there are similarities in their goals, such as providing individuals with control over their data, there are differences in terms of requirements, definitions, and applicability.

Your Data+AI Command Center

Enable Safe Use of Data and AI

Join Our Newsletter

Get all the latest information, law updates and more delivered to your inbox


Share

More Stories that May Interest You
Videos
View More
Mitigating OWASP Top 10 for LLM Applications 2025
Generative AI (GenAI) has transformed how enterprises operate, scale, and grow. There’s an AI application for every purpose, from increasing employee productivity to streamlining...
View More
Top 6 DSPM Use Cases
With the advent of Generative AI (GenAI), data has become more dynamic. New data is generated faster than ever, transmitted to various systems, applications,...
View More
Colorado Privacy Act (CPA)
What is the Colorado Privacy Act? The CPA is a comprehensive privacy law signed on July 7, 2021. It established new standards for personal...
View More
Securiti for Copilot in SaaS
Accelerate Copilot Adoption Securely & Confidently Organizations are eager to adopt Microsoft 365 Copilot for increased productivity and efficiency. However, security concerns like data...
View More
Top 10 Considerations for Safely Using Unstructured Data with GenAI
A staggering 90% of an organization's data is unstructured. This data is rapidly being used to fuel GenAI applications like chatbots and AI search....
View More
Gencore AI: Building Safe, Enterprise-grade AI Systems in Minutes
As enterprises adopt generative AI, data and AI teams face numerous hurdles: securely connecting unstructured and structured data sources, maintaining proper controls and governance,...
View More
Navigating CPRA: Key Insights for Businesses
What is CPRA? The California Privacy Rights Act (CPRA) is California's state legislation aimed at protecting residents' digital privacy. It became effective on January...
View More
Navigating the Shift: Transitioning to PCI DSS v4.0
What is PCI DSS? PCI DSS (Payment Card Industry Data Security Standard) is a set of security standards to ensure safe processing, storage, and...
View More
Securing Data+AI : Playbook for Trust, Risk, and Security Management (TRiSM)
AI's growing security risks have 48% of global CISOs alarmed. Join this keynote to learn about a practical playbook for enabling AI Trust, Risk,...
AWS Startup Showcase Cybersecurity Governance With Generative AI View More
AWS Startup Showcase Cybersecurity Governance With Generative AI
Balancing Innovation and Governance with Generative AI Generative AI has the potential to disrupt all aspects of business, with powerful new capabilities. However, with...

Spotlight Talks

Spotlight 11:29
Not Hype — Dye & Durham’s Analytics Head Shows What AI at Work Really Looks Like
Not Hype — Dye & Durham’s Analytics Head Shows What AI at Work Really Looks Like
Watch Now View
Spotlight 11:18
Rewiring Real Estate Finance — How Walker & Dunlop Is Giving Its $135B Portfolio a Data-First Refresh
Watch Now View
Spotlight 13:38
Accelerating Miracles — How Sanofi is Embedding AI to Significantly Reduce Drug Development Timelines
Sanofi Thumbnail
Watch Now View
Spotlight 10:35
There’s Been a Material Shift in the Data Center of Gravity
Watch Now View
Spotlight 14:21
AI Governance Is Much More than Technology Risk Mitigation
AI Governance Is Much More than Technology Risk Mitigation
Watch Now View
Spotlight 12:!3
You Can’t Build Pipelines, Warehouses, or AI Platforms Without Business Knowledge
Watch Now View
Spotlight 47:42
Cybersecurity – Where Leaders are Buying, Building, and Partnering
Rehan Jalil
Watch Now View
Spotlight 27:29
Building Safe AI with Databricks and Gencore
Rehan Jalil
Watch Now View
Spotlight 46:02
Building Safe Enterprise AI: A Practical Roadmap
Watch Now View
Spotlight 13:32
Ensuring Solid Governance Is Like Squeezing Jello
Watch Now View
Latest
Simplifying Global Direct Marketing Compliance with Securiti’s Rules Matrix View More
Simplifying Global Direct Marketing Compliance with Securiti’s Rules Matrix
The Challenge of Navigating Global Data Privacy Laws In today’s privacy-first world, navigating data protection laws and direct marketing compliance requirements is no easy...
View More
Databricks AI Summit (DAIS) 2025 Wrap Up
5 New Developments in Databricks and How Securiti Customers Benefit Concerns over the risk of leaking sensitive data are currently the number one blocker...
A Complete Guide on Uganda’s Data Protection and Privacy Act (DPPA) View More
A Complete Guide on Uganda’s Data Protection and Privacy Act (DPPA)
Delve into Uganda's Data Protection and Privacy Act (DPPA), including data subject rights, organizational obligations, and penalties for non-compliance.
Data Risk Management View More
What Is Data Risk Management?
Learn the ins and outs of data risk management, key reasons for data risk and best practices for managing data risks.
Beyond DLP: Guide to Modern Data Protection with DSPM View More
Beyond DLP: Guide to Modern Data Protection with DSPM
Learn why traditional data security tools fall short in the cloud and AI era. Learn how DSPM helps secure sensitive data and ensure compliance.
Mastering Cookie Consent: Global Compliance & Customer Trust View More
Mastering Cookie Consent: Global Compliance & Customer Trust
Discover how to master cookie consent with strategies for global compliance and building customer trust while aligning with key data privacy regulations.
Singapore’s PDPA & Consent: Clear Guidelines for Enterprise Leaders View More
Singapore’s PDPA & Consent: Clear Guidelines for Enterprise Leaders
Download the essential infographic for enterprise leaders: A clear, actionable guide to Singapore’s PDPA and consent requirements. Stay compliant and protect your business.
View More
Australia’s Privacy Act & Consent: Essential Guide for Enterprise Leaders
Download the essential infographic for enterprise leaders: A clear, actionable guide to Australia’s Privacy Act and consent requirements. Stay compliant and protect your business.
Gencore AI and Amazon Bedrock View More
Building Enterprise-Grade AI with Gencore AI and Amazon Bedrock
Learn how to build secure enterprise AI copilots with Amazon Bedrock models, protect AI interactions with LLM Firewalls, and apply OWASP Top 10 LLM...
DSPM Vendor Due Diligence View More
DSPM Vendor Due Diligence
DSPM’s Buyer Guide ebook is designed to help CISOs and their teams ask the right questions and consider the right capabilities when looking for...
What's
New