CCPA is Coming! Be prepared.

Are you ready for upcoming data privacy regulations? Assess your risks and how you can tackle them today.

CCPA is Coming! Be prepared.

We have identified that there are five key requirements you need to know about the California Consumer Privacy Act. Be sure to seek legal counsel and be aware that requirement violations include penalty thresholds that may expose large California-based businesses to substantial risk.

Both organizations with existing privacy capabilities, such as those developed for General Data Protection Regulation (GDPR) compliance, and those without any previous preparation may need the entire grace period before the deadline to deploy necessary capabilities. 

Companies that employ or serve California residents may find these five CCPA requirements have the biggest impact on their business:

  1. Data inventory and mapping of in-scope personal data and instances of “selling” data
  2. New individual rights to data access and erasure
  3. New individual right to opt-out of data selling
  4. Updating service-level agreements with third-party data processors
  5. Remediation of information security gaps and system vulnerabilities


In many ways the CCPA is the “American” version of GDPR as it will require organizations to focus on user data and require transparency on how they’re collecting, sharing and using such data. In our research we have found that certain aspect of GDPR overlap with CCPA but there are still several policies, processes and systems that will need updating to address differences between the two laws.

Comparison Chart: What You Need to Know






EU personal data processed

California residents’ personal data collect (narrower)

Right to access


Right to access all EU personal data processed

Right to access California personal data collected in last 12 months, delineated between sold and transferred (narrower)

Right to portability


Must export and import certain EU personal data in a user-friendly format

All access requests must be exported in user-friendly format, but there is no import requirement (narrower)

Right to correction


Right to correct errors in EU personal data processed

Not included in CCPA

Right to stop processing


Right to withdraw consent or otherwise stop processing of EU personal data

Right to opt-out of selling personal data only; must include opt-out link on website

Right to stop automated decision making


Right to require a human to make decisions that have a legal effect

Not included in CCPA

Right to stop third-party transfer


Right to withdraw consent for data transfers involving second purposes of special categories of data

Right to opt-out of selling personal data to third parties

Right to erasure


Right to erase EU personal data, under certain conditions

Right to erase personal data collected, under certain conditions

Right to equal services and price


At most, implicitly required

Explicitly required

Private right of action damages


No floor or ceiling 

Floor of $100 and ceiling of $750 per consumer per incident

Regulator enforcement penalties


Ceiling of 4% of global annual revenues

No ceiling – $7,500 per violation

Data Covered Under CCPA

CCPA is about the control, protection, and insight of personal data. In other words, the consumer must be aware—at the point of data collection—that information is being collected, informed as to how the data will be used and then given the option to opt-out from sharing or selling that personal data.

CCPA defines “personal information” as:

  • Name
  • Address
  • Personal identifiers
  • IP address
  • Email address
  • Social security number
  • Drivers license number
  • Passport number and similar identifiers

Additionally, there are restrictions on collecting data pertaining to class information, personal property, products and services purchased, purchasing history, browsing history, geodata, biometric data, profiling, employment, and education-related data. Basically, if data can be tied back to a person or identifies an individual, it’s considered “personal data” and is protected by CCPA.

Note that personal information does not include publicly-available information from state, federal or local governments, but the caution here is how you intend to use that data and if that purpose is compatible with the other criteria of CCPA.

Need to assess if you have the right programs, systems, and processes in place to ensure CCPA (or GDPR) compliance? Contact us to determine how you can minimize your risk before it’s too late!



Share the Post

About the Author


No comment yet.

Leave a Reply

Your email address will not be published. Required fields are marked *