Securiti leads GigaOm's DSPM Vendor Evaluation with top ratings across technical capabilities & business value.

View

10 Tips to Prepare for CCPA Enforcement

Published June 23, 2020 / Updated September 10, 2024
Author

Omer Imran Malik

Data Privacy Legal Manager, Securiti

FIP, CIPT, CIPM, CIPP/US

Listen to the content

With the July 1 enforcement date fast approaching, California's Office of the Attorney General (OAG) has finalized the California Consumer Privacy Act (CCPA or the “Act”). Several sections of the finalized Act are critical to compliance with the act to include the following.

1. Be transparent with how your business collections and processes data.

A fundamental principle of the Act is the requirement of “...notice, at or before the point of collection, about the categories of personal information to be collected from them and the purposes for which the personal information will be used. This includes the categories and sources of PII collection and a detailed description of any third-parties to which the business will be sharing this Personally Identifiable Information (PII).

2. Think carefully on which data sales are worthwhile.

Business units may wish to carry out a risk/reward analysis on how sensitive consumers are to the sale of data to certain sectors of third parties. Data collected from consumers may highlight that certain relationships are not financially beneficial to the business/seller.

3. Separate prices based on data disclosure are allowed but show your work.

The regulations allow differential pricing based on the data subject’s decision to disclose their data, provided the business offers such incentives related to price or service differences. Furthermore, under CCPA Sec. 999.307(b)(5), the statement must demonstrate how the financial incentive or price difference is reasonably related to the value of the consumer’s data.

4. Rewards programs and incentives are allowed, but show your work.

Businesses retain the right under the CCPA to offer financial incentives or price/service differentials if the difference is reasonably related to the value of the data at issue. Once again, documentation is key: “If a business is unable to calculate a good-faith estimate of the value of the consumer’s data or cannot show that the financial incentive or price or service difference is reasonably related to the value of the consumer’s data, that business shall not offer the financial incentive or price or service difference”. Details are available in the text of the legislation. Note that when a business calculates the value of its consumer data, the business must be able to document and substantiate its procedure.

5. Household or joint accounts require extra caution.

Businesses not providing password protected household accounts must comply with CCPA Sec. 999.318 before fulfilling a request to access or delete household information. Specifically, these businesses must:

  1. verify that all consumers of the household jointly request access to the specific information;
  2. individually verify the identity, in accordance with Section, 999.325, of each and every household members making the household request;
  3. verify that each member making the request is currently a member of the household.

6. Check the languages in which you do business.

Regulations govern the noticing requirements provided to consumers. The most recent changes to the regulations amended the notice requirements to read “be available in the languages in which the business in its ordinary course provides contracts, disclaimers, sale announcements, and other information to consumers in California.’ [emphasis added]. This revised language shows an intent to limit this requirement to languages used by the company in California. Therefore, businesses must review the languages used to engage customers as part of the course of business in California. This review process should include signage at physical locations in the state, including front desks, elevators, and room heating/cooling system instructions.

7. If you already sell PII (according to the broad CCPA definition of sell), you must now get expressed customer authorization to continue this practice.

The Act dictates that ‘A business shall not sell the personal information it collected during the time the business did not have a notice of right to opt-out notice posted unless it obtains the affirmative authorization of the consumer’. Therefore, If a company continues to sell this data to third parties without receiving affirmative authorization, it will be in violation of the act. However, businesses can re-establish the right to sell by notifying the subject of their new privacy policy and acquiring affirmative authorization in the process.

8. Deidentification is sufficient.

The regulations recognize that due to how records systems were constructed, active deletion of personal information may be difficult or impossible. Therefore the deidentification or aggregation of the consumer’s personal information is sufficient to comply with a consumer request to delete under the CCPA.

9. Act quickly on requests to opt-out.

These requests are both an exception to this rule and the most common request seen under the law. CCPA Sec. 999.315(f) mandates that businesses must comply with such requests in no more than fifteen (15) business days from the date of the request. The narrow window makes streamlined reporting of CCPA requests across business units essential for response-time compliance.

10. You do not have to search everywhere for data.

Businesses are not required to search for personal information  if ALL of the following conditions are met:

  • the business does not maintain certain personal information in searchable/accessible format;
  • the business maintains the information solely for compliance purposes;
  • the business neither sells or uses the information for a commercial purpose;
  • and the business describes to the consumer the categories of personal information that went unsearched because they met the above criteria.

Therefore, security data such as security-camera footage would not be covered under these regulations. A hotel receiving an information access request from a guest would not have to search its CCTV  footage for video of the guest, as long as the hotel notified the guest that such security footage went unsearched because it met all other categories of this regulation.

In sum, businesses should prioritize being open and honest with their customers about how they handle personal information. They should take a thoughtful, risk-based approach to collecting, processing, and sharing data. At the end of the day, personal information belongs to the individual, not the company.

Join Our Newsletter

Get all the latest information, law updates and more delivered to your inbox


Share

More Stories that May Interest You
Videos
View More
Mitigating OWASP Top 10 for LLM Applications 2025
Generative AI (GenAI) has transformed how enterprises operate, scale, and grow. There’s an AI application for every purpose, from increasing employee productivity to streamlining...
View More
Top 6 DSPM Use Cases
With the advent of Generative AI (GenAI), data has become more dynamic. New data is generated faster than ever, transmitted to various systems, applications,...
View More
Colorado Privacy Act (CPA)
What is the Colorado Privacy Act? The CPA is a comprehensive privacy law signed on July 7, 2021. It established new standards for personal...
View More
Securiti for Copilot in SaaS
Accelerate Copilot Adoption Securely & Confidently Organizations are eager to adopt Microsoft 365 Copilot for increased productivity and efficiency. However, security concerns like data...
View More
Top 10 Considerations for Safely Using Unstructured Data with GenAI
A staggering 90% of an organization's data is unstructured. This data is rapidly being used to fuel GenAI applications like chatbots and AI search....
View More
Gencore AI: Building Safe, Enterprise-grade AI Systems in Minutes
As enterprises adopt generative AI, data and AI teams face numerous hurdles: securely connecting unstructured and structured data sources, maintaining proper controls and governance,...
View More
Navigating CPRA: Key Insights for Businesses
What is CPRA? The California Privacy Rights Act (CPRA) is California's state legislation aimed at protecting residents' digital privacy. It became effective on January...
View More
Navigating the Shift: Transitioning to PCI DSS v4.0
What is PCI DSS? PCI DSS (Payment Card Industry Data Security Standard) is a set of security standards to ensure safe processing, storage, and...
View More
Securing Data+AI : Playbook for Trust, Risk, and Security Management (TRiSM)
AI's growing security risks have 48% of global CISOs alarmed. Join this keynote to learn about a practical playbook for enabling AI Trust, Risk,...
AWS Startup Showcase Cybersecurity Governance With Generative AI View More
AWS Startup Showcase Cybersecurity Governance With Generative AI
Balancing Innovation and Governance with Generative AI Generative AI has the potential to disrupt all aspects of business, with powerful new capabilities. However, with...

Spotlight Talks

Spotlight 11:29
Not Hype — Dye & Durham’s Analytics Head Shows What AI at Work Really Looks Like
Not Hype — Dye & Durham’s Analytics Head Shows What AI at Work Really Looks Like
Watch Now View
Spotlight 11:18
Rewiring Real Estate Finance — How Walker & Dunlop Is Giving Its $135B Portfolio a Data-First Refresh
Watch Now View
Spotlight 13:38
Accelerating Miracles — How Sanofi is Embedding AI to Significantly Reduce Drug Development Timelines
Sanofi Thumbnail
Watch Now View
Spotlight 10:35
There’s Been a Material Shift in the Data Center of Gravity
Watch Now View
Spotlight 14:21
AI Governance Is Much More than Technology Risk Mitigation
AI Governance Is Much More than Technology Risk Mitigation
Watch Now View
Spotlight 12:!3
You Can’t Build Pipelines, Warehouses, or AI Platforms Without Business Knowledge
Watch Now View
Spotlight 47:42
Cybersecurity – Where Leaders are Buying, Building, and Partnering
Rehan Jalil
Watch Now View
Spotlight 27:29
Building Safe AI with Databricks and Gencore
Rehan Jalil
Watch Now View
Spotlight 46:02
Building Safe Enterprise AI: A Practical Roadmap
Watch Now View
Spotlight 13:32
Ensuring Solid Governance Is Like Squeezing Jello
Watch Now View
Latest
View More
Databricks AI Summit (DAIS) 2025 Wrap Up
5 New Developments in Databricks and How Securiti Customers Benefit Concerns over the risk of leaking sensitive data are currently the number one blocker...
Inside Echoleak View More
Inside Echoleak
How Indirect Prompt Injections Exploit the AI Layer and How to Secure Your Data What is Echoleak? Echoleak (CVE-2025-32711) is a vulnerability discovered in...
A Complete Guide on Uganda’s Data Protection and Privacy Act (DPPA) View More
A Complete Guide on Uganda’s Data Protection and Privacy Act (DPPA)
Delve into Uganda's Data Protection and Privacy Act (DPPA), including data subject rights, organizational obligations, and penalties for non-compliance.
Data Risk Management View More
What Is Data Risk Management?
Learn the ins and outs of data risk management, key reasons for data risk and best practices for managing data risks.
Beyond DLP: Guide to Modern Data Protection with DSPM View More
Beyond DLP: Guide to Modern Data Protection with DSPM
Learn why traditional data security tools fall short in the cloud and AI era. Learn how DSPM helps secure sensitive data and ensure compliance.
Mastering Cookie Consent: Global Compliance & Customer Trust View More
Mastering Cookie Consent: Global Compliance & Customer Trust
Discover how to master cookie consent with strategies for global compliance and building customer trust while aligning with key data privacy regulations.
View More
Key Amendments to Saudi Arabia PDPL Implementing Regulations
Download the infographic to gain insights into the key amendments to the Saudi Arabia PDPL Implementing Regulations. Learn about proposed changes and key takeaways...
Understanding Data Regulations in Australia’s Telecom Sector View More
Understanding Data Regulations in Australia’s Telecom Sector
Gain insights into the key data regulations in Australia’s telecommunication sector. Learn how Securiti helps ensure swift compliance.
Gencore AI and Amazon Bedrock View More
Building Enterprise-Grade AI with Gencore AI and Amazon Bedrock
Learn how to build secure enterprise AI copilots with Amazon Bedrock models, protect AI interactions with LLM Firewalls, and apply OWASP Top 10 LLM...
DSPM Vendor Due Diligence View More
DSPM Vendor Due Diligence
DSPM’s Buyer Guide ebook is designed to help CISOs and their teams ask the right questions and consider the right capabilities when looking for...
What's
New