
5 Steps to Prepare for California’s Consumer Privacy Act

How to Get Ready for the CCPA 2020 Deadline

by Anupam Sahai
April 30, 2019
in Data Privacy, Featured

Cavirin's Anupam Sahai discusses the factors that determine whether the CCPA applies to an organization, what the requirements are if it does, and what actions you can take to prepare.

Just when you thought you had a handle on GDPR, businesses have a new piece of legislation to worry about: the California Consumer Privacy Act (CCPA). The CCPA stipulates that California residents should have greater access to and control over personal information held by businesses. In particular, the law appears aimed at online social media firms (e.g., Facebook) that have been reckless with their users' personal information over the past few years. Given the number of data breaches to date, is anyone really surprised that something like this is coming into effect?

CCPA becomes effective on January 1, 2020, but will not be enforced until six months afterward. The new law enshrines a few fundamental rights for consumers: to access the information that companies hold on them and to control what is collected, stored and shared within the previous 12 months. So, come July 1, 2020, if a company has collected personal information from January 1, 2019 onward, the consumer has the right to find out exactly what data the business has collected, to opt out of the company selling their data and to ask for their data to be deleted, or, as the GDPR puts it, the right to be forgotten.

Key Takeaways Regarding CCPA

It's only fitting that California would be the first state to enact something that people are referring to as "America's GDPR." After reviewing the bill, here are some of the key takeaways. The CCPA:

  • Is the first U.S. consumer privacy law addressing consumer rights outside of federally regulated entities.
  • Provides legal rights to the consumer, meaning any California resident, in deciding what personal data collected over the past 12 months can be kept and/or used (under certain conditions).
  • Requires businesses to disclose what consumer information they store, for what purpose, and whether any of that information is being transferred to or purchased by third parties.
  • Requires businesses to make it easier for consumers to request information. All access requests must be exported in a user-friendly format, and all consumer requests for the past 12 months must be tracked, because companies can charge after two requests.
  • Requires businesses and their service providers to delete personal information on consumer request (opt-out option).
  • Allows consumers to restrict businesses from selling their personal information to third parties (opt-out option).
  • Prohibits discrimination against consumers for opting out, including charging a consumer who opts out a different price for the same service.
  • Prohibits businesses from selling the personal data of minors under the age of 16 unless an appropriate opt-in was selected. Teenagers between 13 and 16 years of age can opt in directly, while children under the age of 13 require parental consent.
  • Grants enforcement power to the California Attorney General.
  • Goes into effect on January 1, 2020, but will not be enforced until July 1, 2020.
  • Aims to stop companies that have been leveraging consumer information (sometimes without the consumer's knowledge) for financial benefit in ways that may not match the consumer's understanding of how the information is used. These types of organizations include: internet providers delivering value added via over-the-top (OTT) services (AT&T DirecTV, Verizon Oath, etc.); social media firms; advertisers; online retailers; and non-banks (fintech firms).

Prior to this law, consumers had little to no control over their information (outside federally regulated entities), nor could they find out what was kept or sold and who had access to it.

If a company is notified of a CCPA violation, it is granted a 30-day period to come into compliance and avoid penalties. If non-encrypted or non-redacted consumer information is compromised because of a failure to have reasonable security measures in place, consumers may seek damages of $100 to $750 per consumer per incident.

Are You Impacted?

The new legislation affects businesses located both inside and outside of California. It specifically applies to for-profit businesses (sole proprietorships, partnerships, limited liability companies, corporations, associations or other legal entities) that collect and process the personal information of California residents and sell inside or into the state of California.

Additionally, impacted businesses must fall into one of the following categories:

  • Annual gross revenue in excess of $25 million;
  • Annually possesses the personal information of more than 50,000 California consumers, households or devices (Note: this one is a bit tricky, since the definition of a device is "any physical object that is capable of connecting to the internet [directly or indirectly] or to another device," e.g., a USB stick, mobile phone or vehicle diagnostic system);
  • Earns more than half of its gross annual revenue by selling consumers' personal data; or
  • Controls or is controlled by a CCPA-covered business, or shares common branding with a covered business.

How Do I Prepare?

First off, don't delay! CISOs and management teams should not wait to plan and execute a compliance plan, since CCPA goes into effect January 1 and the information it covers is already being collected.

Start by following these five steps:

  1. Initiate a Readiness Assessment – Review the policies and procedures already in place at your organization to evaluate whether processes need to be updated or created from scratch.
  2. Incorporate New Business Processes
    • Document all uses of the data and map where personal (consumer) data is stored and transmitted
    • Update data service provider agreements to ensure they comply with CCPA (including the ability to de-identify consumer data)
    • Provide a toll-free telephone number for consumer information requests
    • Authenticate consumers before releasing any data to them
    • Track the number of requests each consumer has made in the past 12 months
    • Deliver the data within the required timeframe (45 days) after the consumer's request is authenticated
  3. Update the Website to Address New Requirements – Add a clear and conspicuous link on the business's internet homepage titled "Do Not Sell My Personal Information" that allows the consumer to opt out, and support requests through a password-protected consumer account and/or a consumer-authorized representative.
  4. Improve Cybersecurity – Implement a well-defined security program (ISO 27001, NIST CSF); encrypt all consumer data at rest (which prevents inappropriate use if storage is compromised); and strengthen your organization's cybersecurity posture with up-to-the-minute compliance and risk analysis and remediation, using a scoring system that assesses the threats to data, ranks the risks of the detected vulnerabilities and addresses the high-risk gaps first.
  5. Train Your Team – Updated employee training is mandatory for those who will be facing consumers and handling consumer information.
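The request-handling items in steps 2 and 3 above (track each consumer's requests over the trailing 12 months, note that a charge may apply after two, authenticate before releasing data, deliver within 45 days of authentication) as a small request ledger. This is an added example, not code from the article or from Cavirin; the class names, fields and the sample requests are constructed for illustration, and the thresholds are taken from the article's wording rather than from the statute text.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import List, Optional

# Thresholds as the article states them (constructed constants, not statute text).
WINDOW = timedelta(days=365)            # trailing 12 months of requests to track
FREE_REQUESTS_PER_WINDOW = 2            # article: a charge may apply after two
RESPONSE_DEADLINE = timedelta(days=45)  # article: deliver within 45 days


@dataclass
class ConsumerRequest:
    consumer_id: str
    kind: str                            # "access", "delete" or "opt_out"
    received: date
    authenticated: Optional[date] = None  # set only once identity is verified
    fulfilled: Optional[date] = None


@dataclass
class RequestLedger:
    """Append-only log answering three questions the steps raise: how many
    requests in the last 12 months, whether a fee may apply, and when the
    response clock for an authenticated request runs out."""
    requests: List[ConsumerRequest] = field(default_factory=list)

    def record(self, req: ConsumerRequest) -> None:
        self.requests.append(req)

    def requests_in_window(self, consumer_id: str, as_of: date) -> int:
        start = as_of - WINDOW
        return sum(1 for r in self.requests
                   if r.consumer_id == consumer_id and start < r.received <= as_of)

    def fee_may_apply(self, consumer_id: str, as_of: date) -> bool:
        # Only a third or later request inside the window may be charged for.
        return self.requests_in_window(consumer_id, as_of) > FREE_REQUESTS_PER_WINDOW

    @staticmethod
    def response_due(req: ConsumerRequest) -> Optional[date]:
        # The clock starts at authentication, not receipt: an unauthenticated
        # request has no deadline yet and must not be answered with personal data.
        return None if req.authenticated is None else req.authenticated + RESPONSE_DEADLINE

    def overdue(self, as_of: date) -> List[ConsumerRequest]:
        late = []
        for r in self.requests:
            due = self.response_due(r)
            if r.fulfilled is None and due is not None and due < as_of:
                late.append(r)
        return late


def sample_ledger() -> RequestLedger:
    # Constructed sample: one consumer, three requests in the first half of 2020.
    ledger = RequestLedger()
    ledger.record(ConsumerRequest("c-001", "access", date(2020, 1, 10),
                                  authenticated=date(2020, 1, 12), fulfilled=date(2020, 2, 10)))
    ledger.record(ConsumerRequest("c-001", "delete", date(2020, 3, 2)))   # never authenticated
    ledger.record(ConsumerRequest("c-001", "access", date(2020, 6, 15),
                                  authenticated=date(2020, 6, 20)))       # still open
    return ledger
```

Running `sample_ledger()` shows that the third request in July 2020 is the one a fee may attach to, that the same consumer is back under the free threshold by February 2021 as the January request ages out of the window, and that only the authenticated, unfulfilled June request is overdue on August 10, 2020.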

How CCPA Compares to Current and Proposed Federal Regulations

Given the new Congress, there are a number of initiatives in play to extend CCPA-type regulation to the federal level, alongside other state regulations. One issue is that many of the larger internet properties are pushing for what some call a "watered-down" version of the privacy act, which would be at odds with California and other states.

How this will play out is anyone's guess, and as of this month, it is the main sticking point in the debate. Turning back to the present, CCPA does not override any of the current federal laws that organizations may be subject to. These include GLBA (Gramm-Leach-Bliley Act) for financial institutions, HIPAA for health care, FCRA (Fair Credit Reporting Act) for consumer credit reporting, FERPA (Family Educational Rights and Privacy Act) for educational institutions and the DPPA (Driver's Privacy Protection Act) for driver records. Likewise, neither the California Electronic Communications Privacy Act nor the California Confidentiality of Medical Information Act is affected.

I believe if you implement a well-defined security program (ISO 27001, NIST CSF) or you have implemented the GLBA requirements on a global level, then CCPA will be a piece of cake.

Anupam Sahai
Anupam Sahai is Vice President of Strategy and Business Development at Cavirin. Anupam brings to Cavirin 25+ years of experience in the high-tech industry. Anupam has deep domain expertise in cloud services and SaaS, cybersecurity and risk management, vulnerability management, threat analysis and management, information security and operations, governance, risk and compliance, cloud and network security, data science and analytics, and enterprise software. Anupam is an accomplished technology leader with extensive experience directing large teams to develop and launch globally renowned products used by hundreds of millions of users. Most recently he was the Co-Founder and CEO of Aegify, a cloud-SaaS-based cybersecurity and risk management solution built for the enterprise. His career history also includes various management roles with companies including Ixia, Polycom, Avistar, Hewlett-Packard and Microsoft Corporation. Anupam holds a master's degree in engineering and an MBA from MIT, as well as a master's and an undergraduate degree in computer science and communications from the Indian Institute of Technology (IIT), Kanpur and Kharagpur, India.