California Consumer Privacy Act (CCPA) Compliance Checklist

The California Consumer Privacy Act (CCPA) and amendments to the CCPA text under the California Privacy Rights Act (CPRA) give Californians extensive privacy rights, including the right to opt-out (“Do not sell”) from having their personal information shared or sold.

For more information on the main CCPA rules and Californians’ privacy rights under CCPA/CPRA we recommend reading TrustArc’s guide to the California Consumer Privacy Act (CCPA): Main Rules.

Top 3 Critical Must-Dos for CCPA Compliance

As a pioneer of privacy programs, TrustArc has extensive experience in helping businesses of all sizes identify and address the critical steps needed to strengthen a business’s privacy stance.

Our privacy experts strongly advocate that all companies embrace data privacy because we believe it’s not about checking a box for compliance – it’s about fostering deep trust between consumers and the company.

In fact, building consumer trust should always be the top reason for having a strong privacy program. Consumers are increasingly aware of their privacy rights, and – unfortunately – privacy threats can explode quickly, causing damage to a business’s reputation, ability to serve customers and profitability.

So, in your journey to CCPA compliance we recommend the following must-dos:

1. Identify and assess where privacy threats exist across all your business processes, systems, and procedures
2. Establish privacy threat-mitigation processes and procedures to allay known privacy risks before they can explode
3. Make it easier for consumers to opt-out of having their personal information shared or sold. This approach can go a long way to helping alleviate many consumers’ concerns about privacy risks.

…And 2 Vital Ways to Build Trust in Your Privacy Stance

Your business can build greater trust with consumers by clearly demonstrating you take privacy seriously. We recommend focusing on strengthening three key elements of your privacy stance:

1. Review and improve data management practices including your business’ internal data security and privacy processes and procedures. You will also need to review all CCPA compliance-related data management practices of your service partners, third parties, and contractors.

   Note: Under CCPA regulations businesses are required to conduct regular CCPA compliance training to ensure all employees and contractors adhere to the promises made to consumers regarding CCPA compliance.

2. Update your privacy policy and other CCPA notices related to consumers’ privacy rights.

Data Management Practices for CCPA Compliance

TrustArc recommends businesses regularly review data management practices to ensure ongoing CCPA compliance. We provide a suite of solutions to help you achieve this, including:

• Data inventory and mapping technology to fully automate the discovery of personal information (including sensitive personal information)
• Privacy and Legal Solutions for implementing and maintaining data management policies and procedures, as well as addressing CCPA compliance requirements in contracts with service providers, third parties, contractors and other entities
• Risk and Compliance Solutions and TrustArc CCPA and CPRA Compliance Solutions and Tools for conducting security audits and risk assessments of all data management-related technologies, as well risk assessments of third parties’ compliance processes and procedures
• TrustArc Privacy Training including CCPA essentials training, to help employees understand and enforce CCPA compliance policies and procedures across your organization, as well as identify potential issues in data processing.

Privacy Policy and Other CCPA Rights Notices

Any business collecting personal information from consumers in California must maintain and clearly communicate CCPA consumer privacy rights notices. These notices must be in plain language – i.e. easy to understand – and in plain sight.

The main notice is the privacy policy, which must describe:

• Categories of personal information collected; the specific pieces of information collected; and timeframes for keeping each category of information
• Business purpose/s for collecting personal information
• Business purpose/s for sharing or selling personal information
• Categories of sources from which the business collects personal information – including those sources the business controls, and other sources (e.g. sources controlled by partners or third parties) from which the business buys or acquires consumers’ personal information
• Categories of service partners, third parties, contractors or other entities to whom the business discloses or sells personal information – along with details of the categories of personal information disclosed/sold
• Descriptions of consumers’ privacy rights under CCPA, accompanied by links to webpages with details on how consumers can exercise their CCPA privacy rights, including:
•  Notice of Right to Opt-out of Sale or Sharing of Personal Information accompanied by mechanism to exercise this right.
  AND
  – Notice of Right To Limit Use Of Sensitive Personal Information accompanied by a link to exercise this right.
  OR
  – Alternative opt-out link, which must be clearly labelled “Your Privacy Choices” or “Your California Privacy Choices” and directs consumers to a web page explaining both rights (opt-out of sale/sharing and limit use of personal information) and how to exercise them.

Business must display CCPA rights notices in prominent locations where consumers can’t miss them. The CCPA text includes rules on where these notices must appear on digital channels, including:

• Website/s – a link to the privacy policy must be clearly visible, readable and accessible on the homepage; and it must include links to other CCPA consumer rights notices.
• Mobile app/s – a link to the privacy policy must be easily accessible from the app platform’s homepage and download page. It must contain links to other CCPA consumer rights notices. It can also be made available via the settings menu.
• Any point of collection – the CCPA text states a notice must appear “at or before any point of collection” of personal information, clearly communicating:
  – categories of personal information the business collects
  – intended commercial purposes for collecting this information
  – timeframe for how long this data will be stored
  – description of processes for data retention limitation.
  – link to “Do not sell or share or share my personal information” or an alternative opt-out link.
  Such notices can appear on web forms and cookie banners on the business’ website or a pop-up in a mobile app.
• Notice of Financial Incentive or price or service difference offered online if a consumer decides to opt-in to share personal information in exchange for the incentive. This notice needs to include:
  – summary of the incentive offered
  – description of its material terms including categories of personal information collected after opt-in and value of the consumer’s data
  – good-faith estimate of the value of this data
  – instructions on how the consumer can opt-in
  – instructions on how the consumer can opt-out at any time.

How is CCPA Compliance Enforced?

Enforcement of CCPA (and CPRA amendments) is administered by the California Privacy Protection Agency, founded on 16 December 2020 following the CPRA amendments to the California Consumer Privacy Act.

The Agency has the power to:

• Conduct CCPA audits of businesses, service providers, contractors, and individuals to ensure CCPA compliance and/or to investigate possible violations of CCPA regulations. These audits can be unannounced. Any organization or individual failing to comply with an audit can be subpoenaed by the Agency to ensure cooperation.
• Investigate complaints against businesses for not being compliant with CCPA regulations, such as failing to respond to requests from Californians who want to exercise their privacy rights (e.g. “Do Not Sell”) and keep personal information safe from cyber breaches. Complaints may also include concerns about an organization not demonstrating they can be trusted to keep personal information safe.

Note: Complaints can be lodged by individuals, government agencies, or private organizations.

• Investigate notified breaches of an organization’s data protection systems resulting in exposure/exploitation of California citizens’ personal information. The CCPA text explicitly states in multiple sections a “business shall implement/employ reasonable security measures/procedures and practices” to protect consumers’ personal information, including while it is stored, processed, or shared.
• Begin probable cause proceedings against any organization the Agency reasonably believes has violated CCPA regulations.
• Make probable cause determinations for violations of CCPA regulations, including specifying whether the Agency decides violations were intentional or unintentional.
  Note: the Agency’s Final Regulation Text states: “The Agency’s probable cause determination is final and not subject to appeal”.
• Issue stipulated orders for remedies and penalties to organizations found to be non-compliant with CCPA regulations. These orders can include cease and desist and/or mandatory actions to address issues with an organization’s security and privacy practices. Some Agency orders will also mandate payments of fines.
• Levy fines for violations of CCPA regulations, ranging from:
  > $2500 for each unintentional violation; or up to
  > $7500 for each intentional violation, or
  > $7500 for any breach involving the personal information of Californians aged 16 or under.

California Consumers’ Private Right of Action California consumers can also sue a business if their non-encrypted and non-redacted personal information is stolen in a data breach found to be the fault of the business because it probably failed to protect the data. Consumers can sue for ‘monetary damages’ suffered or ‘statutory damages’ up to $750 incident.

California Privacy Protection Agency Updates

The Agency regularly publishes news and announcements of its activities on its website, which can include notices for changes to CCPA/CPRA regulations and enforcement activities, such as its final rulemaking documents for the CCPA, which became effective on March 29, 2023.

In its stated aim, “Beginning July 1, 2023, the Agency is tasked with enforcing the CCPA through administrative enforcement actions. It can investigate possible violations, provide businesses with an opportunity to cure, and take enforcement actions”.

However, in mid-2023 the Agency was forced to defend challenges to consumer privacy regulations in California, including petitioning on August 4, 2023, against a Superior Court decision to delay enforcement.

More CCPA Compliance Rules Proposed

The California Privacy Protection Agency announced its intent to strengthen CCPA compliance requirements on February 10, 2023, publicizing an Invitation for Preliminary Comments on Proposed Rulemaking which focuses on “businesses whose processing of consumers’ personal information presents significant risk to consumers’ privacy or security” and would require these businesses to submit:

• Annual cybersecurity audits demonstrating compliance with CCPA
• Regular risk assessments of how the business processes personal information, including whether the processing involves sensitive personal information.

The Agency is also reviewing the scope of regulations and best practices related to automated decision-making technology, to address how access rights and opt-out rights are managed, and to examine if algorithmic discrimination is rife.

Access More Information from TrustArc About CCPA Compliance

This CCPA compliance checklist is part of a series of briefs by TrustArc experts on the California Consumer Privacy Act, which includes a background brief, a summary of the main rules, a technical brief, and expert commentary on CCPA implications.

TrustArc also helps customers understand updates to privacy compliance requirements with its Privacy Insights services, which include:

• Nymity Research delivers personalized daily insights on the latest privacy developments that apply to your organization based on region, subject and recent trending privacy topics
• Operational Templates aligned to privacy topics and regulations
• Legal Summaries to help you quickly understand your obligations for internal policies, notices, audits, consent rules and the responsibilities of a privacy officer.