CCPA Obligations

Obligations Under the CCPA

On a broader level, CCPA compliance can be divided into two categories: disclosure obligations and information governance.

When personal information is collected, disclosure must be given to fulfil requests. Consumers must be informed of:

  • Their rights under the CCPA

  • What categories of information are being collected

  • How that information will be used (including whether it will be shared or sold to third parties)

  • What categories of information have been shared or sold to third parties within the previous year

| Provision | Under the CCPA |
| --- | --- |
| Scope of covered information | "[I]nformation that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household" |
| Scope of sale | Selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer’s personal information to another business or a third party for monetary or other valuable consideration. |
| Applicability | Applies to businesses that handle California residents' data and meet the requirements on revenue or on the number of persons whose personal data is held, or that generate at least 50% of their revenue from selling data. |
| Application to employees and business contacts | Includes employee information and business contact information. |
| Notice provisions | A business must post a "clear and conspicuous" link on its website homepage titled "Do Not Sell My Personal Information". |
| Enforcement | Limited private right of action for data breaches; the attorney general can seek civil penalties of up to $7,500 per violation. |
| Opt-In Requirements | Generally, businesses are not required to obtain opt-in; however, when consumers opt out of the sale of their personal information, businesses must wait 12 months before they re-engage. Another provision stipulates an opt-in requirement for consumers between the ages of 13 and 16 and requires parents to consent for consumers under the age of 13. |
| Consumer Request Response Time | Upon receiving a “verified consumer request,” a business has 45 days, with a possible 45-day extension when “reasonably necessary” and with notice provided to the consumer, for a total of 90 days. |
| Consumer Rights | California requires the right of access, portability, deletion, or non-discrimination. |
| Data Inventory and Mapping | Companies must have sufficient inventory and mapping of in-scope personal data and instances of “selling” data. |
| Service Level Agreements | Companies should have updated service-level agreements with third-party data processors. |
| Security Gaps | Companies should remediate information security gaps and system vulnerabilities. |

The information provided in this resource base and on the Datawallet website does not, and is not intended to, constitute legal advice; instead, all information, content, and materials available on this site are for general informational purposes only. Information on this website may not constitute the most up-to-date legal or other information. This website contains links to other third-party websites. Such links are only for the convenience of the reader, user or browser. No reader, user, or browser of this site should act or refrain from acting on the basis of information on this site without first seeking legal advice from counsel in the relevant jurisdiction. Only your individual attorney can provide assurances that the information contained herein – and your interpretation of it – is applicable or appropriate to your particular situation. All liability with respect to actions taken or not taken based on the contents of this site are hereby expressly disclaimed. The content on this posting is provided “AS IS;” no representations are made that the content is error-free.
