CCPA Compliance Guide

A comprehensive guide to understanding and complying with the California Consumer Privacy Act (CCPA).

What is CCPA?

The California Consumer Privacy Act (CCPA) is a state statute enacted to enhance privacy rights and consumer protection for residents of California, United States. It became effective on January 1, 2020.

The CCPA gives California consumers the right to know what personal information businesses collect about them, why they collect it, and with whom they share it. It also gives consumers the right to delete their data and to opt out of the sale of their personal information.

Who Must Comply with CCPA?

Your business must comply with CCPA if it:

  • Does business in California and collects personal information from California residents
  • Meets at least one of these thresholds:
    • Has annual gross revenues exceeding $25 million
    • Buys, sells, or shares personal information of 100,000 or more California consumers or households
    • Derives 50% or more of annual revenues from selling consumers' personal information

Note: Even if your business doesn't meet these thresholds, implementing CCPA-compliant practices is good for building customer trust and preparing for future regulations.

Consumer Rights Under CCPA

Right to Know

Consumers can request to know what personal information a business has collected about them, including categories of data, sources, purposes, and third parties with whom it's shared.

Right to Delete

Consumers can request deletion of their personal information, with certain exceptions (e.g., completing transactions, detecting security incidents).

Right to Opt-Out

Consumers can opt out of the sale of their personal information. Businesses must provide a "Do Not Sell My Personal Information" link on their homepage.

Right to Non-Discrimination

Businesses cannot discriminate against consumers who exercise their CCPA rights (e.g., charging different prices, providing different service levels).

CCPA Compliance Checklist

1. Update Your Privacy Policy

Clearly disclose what personal information you collect, how you use it, and with whom you share it. Include information about consumer rights under CCPA.

2. Add "Do Not Sell" Link

If you sell personal information, add a clear and conspicuous "Do Not Sell My Personal Information" link on your homepage and wherever you collect data.

3. Implement Request Handling Processes

Create systems to receive, verify, and respond to consumer requests (right to know, delete, opt-out) within 45 days. Provide at least two methods for submitting requests.

4. Train Your Staff

Ensure employees who handle consumer inquiries understand CCPA requirements and know how to direct or respond to consumer requests.

5. Update Contracts with Third Parties

Ensure contracts with service providers and third parties include CCPA-required provisions about data use, retention, and consumer rights.

6. Implement Data Security Measures

Use reasonable security procedures to protect consumer personal information from unauthorized access, destruction, use, modification, or disclosure.

Common CCPA Compliance Pitfalls

❌ Slow Response Times

Failing to respond to consumer requests within 45 days (or 90 days with proper notice). Set up automated systems to track and manage requests.

❌ Inadequate Verification

Not properly verifying consumer identity before responding to requests. Implement reasonable verification methods to prevent data breaches.

❌ Hidden "Do Not Sell" Link

Making the "Do Not Sell My Personal Information" link hard to find or unclear. It should be easily accessible and clearly labeled.

❌ Incomplete Privacy Policy

Not fully disclosing data collection, use, and sharing practices. Be transparent about all categories of personal information you collect.

Penalties for Non-Compliance

Civil Penalties

  • $2,500 per unintentional violation
  • $7,500 per intentional violation
  • Violations are calculated per consumer affected
  • 30-day cure period for first violations

Private Right of Action

  • $100-$750 per consumer per incident for data breaches
  • Applies when unauthorized access results from failure to maintain reasonable security
  • Class action lawsuits allowed
  • 30-day cure period before filing suit

Need Help with CCPA Compliance?

Use our Privacy Policy Generator to create a CCPA-compliant privacy policy for your business in minutes.