CCPA Compliance: Frequently Asked Questions


By Blog

The California Consumer Protection Act (CCPA) is having a significant effect on business privacy activities across all technological, media, and entertainment, as well as telecommunication sectors. 

Regarded as the most stringent privacy law in the US, CCPA gives residents of California the privilege to oversee how companies handle their data. For this reason, once the CCPA is implemented, businesses in the state will be required to honor data subject requests for access, deletion, and opting out of the sharing or sale of their information.

In this article, we answer the five questions business owners frequently ask about CCPA compliance.

  • Who Does CCPA Apply To?

This law targets for-profit enterprises that gather and control personal data, operate in California, and satisfy at least one of these thresholds;

  • Post yearly gross revenues of more than $25 million
  • Receive or reveal the personal data of 50,000 or more California residents, households, or gadgets annually
  • Generate 50% or more yearly turnover from selling personal information belonging to residents of California.

In this context, it is important to note that non-profit organizations, and smaller firms that do not satisfy turnover thresholds, or those that do not transact large amounts of personal data from residents of California and don’t share a brand with an affiliate that is covered by the CCPA will not be obliged to comply with this law.

  • Do I Need to Comply with CCPA if my Company is not located in California?

As long as you collect personal information of California residents and you exceed any of the thresholds, the CCPA applies to you.

It doesn’t matter where in the world your company is located.

  • When does the Enforcement of CCPA Begin?

CCPA came into effect on January 1, 2020. Following its enforcement consumers will have the right to request that a company reveals specific pieces of data for the preceding year that the business has collected or processed about the subject.

Additionally, consumers can demand to know whether this information was sold or shared with a third-party. This point implies that businesses should have records from as early as January 1, 2019.

Nonetheless, it is crucial to take into account that the California Attorney General will delay enforcement actions for six months after the law comes into effect.

  • What is Personal Information under the CCPA?

The description of personal information under this regulation is broader compared to other privacy-related laws in the US. Under the CCPA, personal information refers to; ‘information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.’

The standard examples of personal information include social security and driver’s license numbers, as well as unique personal identifiers such as device identifiers and online tracking technologies, among others.

However, publicly available data such as property tax information from federal records are excluded from the scope of CCPA. This law also excludes aggregated data, as well as medical or health information gathered by an individual or entity controlled by the Health Insurance Portability and Accountability Act of 1996 (HIPAA).

  • What type of Disclosures do Impacted Businesses need to Make?

Under CCPA, businesses should come up with privacy notices and a detailed privacy policy that are presented to consumers when personal data is gathered. 

The required privacy notices are;

  • Notice about collection, if you collect personal information
  • Notice on the right to opt-out of the sale of personal information, in case you sell consumers’ personal information to third parties, and
  • Notice the financial incentives program, if you have any in place.

In addition, to privacy notices, you need a privacy policy which should contain at least:

  • The categories of personal information you collect and/or used
  • How the information is collected and/or used
  • Why the information is collected and/or used
  • The methods to request access, change, move, or deletion of their personal data
  • The method for verifying the identity of the person who submits a request
  • Sales of users’ personal data and how they can opt-out of the selling of their data
  • Details on any financial incentives program, including the method for opting-in

CCPA will also oblige companies to publicly reveal and make customers aware of the existence and nature of their privileges under this law. The privileges include;

  • The consumer’s right to submit data requests
  • The right to opt-out of the sale or sharing of their data with third parties or opt-in for such sale.

Our objective at Secure Privacy is to help you view data privacy and security as a way of gaining a competitive edge in your line of business as opposed to being a risk management issue. That is why we have a tailored complete CCPA compliance solution that is helping leading companies build their brand and corporate reputations.

Book a call with us today and get expert guidance on the measures you need to take to meet and maintain CCPA compliance. If you need to learn more about this regulation, check out our comprehensive step-by-step guide on what CCPA entails.