CCPA Obligations

Obligations Under the CCPA

On a broader level, CCPA compliance can be divided into two categories: disclosure obligations and information governance.

When personal information is collected disclosure must be given to fulfil requests. Consumers must be informed of:

  • Their rights under the CCPA

  • What categories of information are being collected

  • How that information will be used (including whether it will be shared or sold to third parties)

  • What categories of information have been shared or sold to third parties within the previous year


Under the CCPA

Scope of covered information

"[I]nformation that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household"

Scope of sale

Selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer’s personal information to another business or a third party for monetary or other valuable consideration.


Applies to businesses that deal with California residents data and fulfil the requirements of revenue, number of persons of which personal data is held or generates at least 50% of its revenue from selling data.

Application to employees and business contacts

Includes employee information and business contact information

Notice provisions

On the website must post a "clear and conspicuous" link on its homepage titled "Do Not Sell My Personal Information"


Limited private right of action for data breaches; attorney general can seek civil penalties of up to $7,500 per violation

Opt-In Requirements

Generally, businesses don’t require opt-in, however, when consumers opt-out of the sale of their personal information, businesses must wait 12 months before they re-engage. Another provision stipulates an opt-in requirement for consumers between the ages of 13 and 16 and parents to consent for consumers under the age of 13.

Consumer Request Response Time

Upon receiving a “verified consumer request,” a business has 45-days, with a possible 45-day extension when “reasonably necessary” and by providing notice to the consumer, for a total of 90 days.

Consumer Rights

California requires the right of access, portability, deletion, or non- discrimination.

Data Inventory and Mapping

Companies must have sufficient inventory and mapping of in-scope personal data and instances of “selling” data.

Service Level Agreements

Companies should have updated service-level agreements with third-party data processors.

Security Gaps

Companies should remediate information security gaps and system vulnerabilities.

A better way to do data.