by David Cartmel

June 03, 2019

California Consumer Privacy Act-ion Plan

The California Consumer Privacy Act (CCPA) was signed into law in July 2018, with enforcement beginning on or after January 1, 2020, and no later than July 1, 2020. While the law is commonly referred to as the “GDPR of the US,” there are some major differences. The CCPA is built on an “Opt-Out” framework, whereas GDPR is “Opt-In.” This means that even the “similarities” between the laws cannot be handled in the same way or with the same tools.

The CCPA was written and passed within a 36-hour period. Due to the short approval period, there are inconsistencies that are driving confusion among organizations about how to comply. Privacy experts are working to resolve many of these questions, but in some cases the law itself simply contains conflicting statements. One of the most vexing of these shortcomings concerns Personally Identifiable Information (PII). It has been defined so broadly that almost any data could be considered PII under the CCPA. One example of how broadly the definition is written is discussed in a post on The Privacy Law Blog, where the author points out that the CCPA’s definition of personal information “…includes information that is identifiable to a household, not necessarily a consumer.”

Fines for violating the CCPA are assessed per record and have no maximum limit, whereas the GDPR politely limits total potential damages to 4% of global revenue.

Now that we’ve established that the law has a few ambiguities but also has the teeth to levy expensive fines, let’s get into some details. Here is a short primer.

Who Does It Affect?

The CCPA is designed to protect California residents only. For-profit organizations will need to comply with the CCPA if they meet any of the following thresholds:

  • The organization does $25M in revenue annually. (It is unclear if this is revenue only from California or worldwide.)

  • The organization controls more than 50,000 PII records that are bought or sold, directly or indirectly, on an annual basis. (The law indicates these are California records.)

  • More than 50% of revenue is based on the sale of personal information. (Again, the law does not specify whether this applies only to California revenue or to total revenue.)

Businesses that fall under HIPAA health care or Gramm-Leach-Bliley Act financial regulations have special but narrow exceptions, so it is important to know exactly how the law applies for these specific circumstances.

Working Towards Compliance

If you have determined your organization will likely fall under the regulation, it was time to get moving yesterday. This is not one of those laws where checking a few boxes will get you to the finish line of compliance, so urgency is paramount. The following recommendations will help your organization work towards compliance, but care must be taken to ensure the deadlines are met.

Review Your Security Policies

Security frameworks and policies are the backbone of privacy. The CCPA allows consumers to seek damages for breached personal information if the breach is the result of a business violation. It is the duty of the business to implement and maintain reasonable security procedures and practices. Policies should be reviewed to ensure the CCPA standards are integrated into them before following through with implementation.

Update Privacy Disclosures

The CCPA gives consumers the right to know exactly what personal information is being collected about them. To comply with this right, businesses must communicate to the customer what personal information is being collected, for example at the point of sale. Businesses must inform consumers of the categories of personal information to be collected and the purposes for which those categories of personal information will be used. All privacy policies must be updated annually.

Map Consumer Data

If your organization is regulated under the CCPA, start by mapping all the personal information under your control. Some of the basic questions are:

  • What personal information do you collect or possess?

  • How do you collect it?

  • Where and how do you store it?

  • Do you share it with other entities?

  • Is shared data part of a sale, a provision of service, or used for some other purpose?

Consumers have the right to request their information and have the option of a 12-month look-back period to see how their data was used. This means it is important to map out information flows so the requests can be fulfilled. If your organization uses third-party providers for marketing assistance, make sure they are also in compliance, since the responsibility ultimately falls on the primary organization.

Remediate Systems

Complying with the CCPA will likely require modifications to your systems and procedures. Working through your policies and data mapping will set the foundation for remediation. Depending on the system complexity, this could be a substantial effort. System remediation needs to integrate compliance requirements, minimize data, and protect privacy, which can increase planning and implementation efforts. Make sure your IT team has as much time as possible to incorporate changes into systems before the January 1, 2020 deadline.

Create Privacy Links

According to the law, businesses must have a privacy link on the homepage of their website. It must be titled “Do Not Sell My Information” and linked to a page that allows consumers to opt out of having their personal information sold. The link on the homepage must be visible by January 1, 2020 as well.

Process for Handling Data Subject Requests

Organizations need to be ready to respond to the consumer requests about personal information that will be allowed under the CCPA. These requests must be processed free of charge and within 45 days. Entities must develop appropriate procedures and technologies for processing consumer inquiries such as:

  • Requesting a copy of their personal information

  • Requesting that their personal information be deleted

  • Finding out what categories of their personal information are being sold

  • Requesting to opt out of the sale of personal information, for consumers over 16 years old

  • Requesting to opt in to the sale of personal information, for consumers between the ages of 13 and 16

  • Obtaining consent from a guardian to sell personal information of a consumer under 13 years old

It is important that covered entities pay attention to these age requirements, as the law indicates that, “a business that willfully disregards the consumer’s age shall be deemed to have had actual knowledge of the consumer’s age.”


The above roadmap should help you begin to position your organization for compliance with the CCPA and prepare for the majority of its requirements. Each organization has specific challenges, so be aware of your own unique context. You should also expect additional components of the law to come into effect as it develops.

The CCPA will significantly affect the way privacy is handled in US organizations. US organizations must be compliant by January 1, 2020 to avoid the penalties administered by the State of California. Other states are also in the process of creating their own legislation that will impose similar regulations on consumer privacy. Consumer privacy within organizations will become of greater importance in the coming years.

David Cartmel

David Cartmel is a 25-year veteran of the industry with a focus on IT security, governance, and privacy. He currently maintains the CISM, CIPM, CBCP, and CISSP certifications to support clients.