On a broader level, CCPA compliance can be divided into two categories: disclosure obligations and information governance.
When personal information is collected, disclosure must be given in order to fulfil consumer requests. Consumers must be informed of:
Their rights under the CCPA
What categories of information are being collected
How that information will be used (including whether it will be shared or sold to third parties)
What categories of information have been shared or sold to third parties within the previous year
Under the CCPA
Scope of covered information
"[I]nformation that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household"
Scope of sale
Selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer’s personal information to another business or a third party for monetary or other valuable consideration.
Applies to businesses that handle California residents' data and meet the thresholds for revenue or for the number of persons whose personal data is held, or that generate at least 50% of their revenue from selling data.
Application to employees and business contacts
Includes employee information and business contact information
The business must post on its website a "clear and conspicuous" link on its homepage titled "Do Not Sell My Personal Information"
Limited private right of action for data breaches; the attorney general can seek civil penalties of up to $7,500 per violation
Generally, businesses do not require opt-in; however, when consumers opt out of the sale of their personal information, businesses must wait 12 months before re-engaging them. Another provision requires opt-in consent from consumers between the ages of 13 and 16, and parental consent for consumers under the age of 13.
Consumer Request Response Time
Upon receiving a “verified consumer request,” a business has 45 days to respond, with a possible 45-day extension when “reasonably necessary” and notice is provided to the consumer, for a total of 90 days.
California requires the rights of access, portability, deletion and non-discrimination.
Data Inventory and Mapping
Companies must have sufficient inventory and mapping of in-scope personal data and instances of “selling” data.
Service Level Agreements
Companies should have updated service-level agreements with third-party data processors.
Companies should remediate information security gaps and system vulnerabilities.