CCPA Compliance Guide: How to Get Your Business CCPA Compliant

CCPA Compliance

Over the past few years, businesses have been fighting against the threat of data breaches and cyberattacks, and customers are trying to find new ways to protect their privacy online and keep their data safe from being shared with third parties.

Since 2018, the California Consumer Privacy Act and others, such as the GDPR, have made it a legal obligation for companies to protect user data. As a result, other states are starting to follow suit.

This article will tell you everything you need to know about CCPA compliance, including consumer rights, types of data covered, training, and more, to keep your business compliant and your customer data secure.

If you’re looking for products that can help you achieve CCPA compliance and handle large amounts of private data, this will also be covered later in the article. Until then, let’s learn more about how to achieve CCPA compliance.

Table of contents

CCPA compliance: what you need to know
  1. Who must comply with CCPA?
  2. Consumer rights under CCPA
  3. Types of data covered by CCPA
  4. CCPA compliance vs GDPR compliance

How to achieve CCPA compliance
  1. Create a clear and transparent privacy policy
  2. Ensure users can contact you
  3. Take part in CCPA compliance training
  4. Conduct data audits
  5. Meet security requirements
  6. Penalties for non-compliance

CCPA compliance: what you need to know

The California Consumer Privacy Act (CCPA) was established in 2018 to prevent data breaches due to poorly defined access controls and privacy management from Big Tech.

The CCPA was modeled on the General Data Protection Regulation (GDPR) in Europe. The GDPR paved the way for a more private internet experience, giving anybody the right to know when, where, and how their personal information is being collected and letting them opt out if they want.

All organizations must follow the regulations established by the CCPA to protect residents in California. For CCPA compliance, all organizations must:

  • Be transparent about data collection and usage.
  • Respond to customer requests.
  • Implement security measures to protect user data.

Under the CCPA, businesses must take the necessary measures to protect user data rather than simply profit from it, which is a significant step toward ensuring businesses protect their consumers.

Who must comply with CCPA?

Any organization that collects data on California residents should check compliance regulations regarding the CCPA. Experts in this area predict that thanks to CCPA regulations, other states will follow suit and implement laws and regulations that give users more control over their data.

A business falls under the CCPA if it meets any of the following thresholds:

  • Has gross annual revenue greater than $25 million.
  • Buys, sells, or shares data from 100,000 or more California residents, households, or devices.
  • Earns 50% or more of its annual revenue from selling California residents’ personal information.

Although the CCPA defines organizations as those that collect, sell, or disclose personal information, nonprofit organizations or government agencies are exempt from certain CCPA compliance regulations.


Even if your business doesn’t work with data from California, it’s essential to stay updated on other state laws that have been passed or are under consideration. Some states that followed suit after the CCPA became effective include:

  • Colorado: Colorado Privacy Act (CPA), effective July 1, 2023.
  • Connecticut: Connecticut Data Privacy Act (CTDPA), effective as of July 1, 2023.
  • Florida: most provisions went into effect July 1, 2024.

Some states that have privacy acts that will become effective in the future include:

  • Delaware: Delaware Personal Data Privacy Act, effective January 1, 2025.
  • Iowa: Iowa Consumer Data Protection Act (ICDPA), effective January 1, 2025.
  • Indiana: Indiana Consumer Data Protection Act, effective January 1, 2026.

Therefore, the future is bright for protecting consumer data, and businesses must start taking measures to ensure they are ready for a future of greater consumer privacy by learning more about data protection regulations.

Source: Bloomberg law

Consumer rights under CCPA

Consumers have the following rights if they want to know how businesses handle their data. They have the right to:

  • Know what personal information is collected.
  • Ask a business to delete personal information.
  • Opt out of the sale of personal information.
  • Not be discriminated against for exercising their CCPA rights.

The CCPA was amended in 2020, and additional privacy protection measures were implemented on January 1, 2023. Since then, consumers have had more rights in addition to the ones above. The newly amended policy includes these rights:

  • The right to correct inaccurate personal information that a business has about them; and
  • The right to limit the use and disclosure of sensitive personal information collected about them.

CCPA compliance requires businesses to disclose, on request:

  • The data they collect and store.
  • The sources from which the data is collected (e.g., financial, contact, medical).
  • The organization’s purpose for collecting and selling user data.
  • A list of third parties that have access to a user’s data.

Organizations must also act on a user’s request to:

  • Delete their data.
  • Stop selling their data.

Types of data covered by CCPA

The CCPA talks about personal information and sensitive personal information in its guidelines.

Personal information refers to “information that identifies, relates to, or could reasonably be linked with you or your household.” This could include information such as:

  • Your name,
  • Social security number,
  • Email address,
  • Records of products purchased,
  • Browsing history,
  • Geolocation data,
  • Fingerprints.

It is also possible that inferences can be made from other personal information collected about a user to create a data profile based on their preferences and create personalized ads.

Sensitive personal information, defined as “a specific subset of personal information that includes certain government identifiers,” is also included in the type of data covered by the CCPA. This kind of data includes:

  • Account log-in
  • Financial details (debit or credit card number together with its security code)
  • Password or other account credentials
  • Precise geolocation
  • Contents of email or text messages
  • Biometric information
  • Health data
  • Racial or ethnic origin; religious or philosophical beliefs

Categories of personal data.
Source: Securiti

It is important to note that personal information excludes certain kinds of information. Publicly available information, such as professional licenses or real estate and property records, is lawfully made available to the general public and is not covered.

CCPA compliance vs GDPR compliance

CCPA and GDPR are two essential laws that protect consumers' data, but there are some key differences, which are:

  1. Applicability: GDPR applies to any organization that processes data on EU residents. CCPA compliance only applies to organizations with over $25 million in annual revenue or more than 50,000 users from California.
  2. Scope: The CCPA’s scope extends to personal data relating to a household or device; the GDPR’s scope does not apply to this data.
  3. Sensitive data: The GDPR has a category for “sensitive personal data,” prohibiting its processing unless specific requirements are met. CCPA does not define sensitive personal data.
  4. Consent: The GDPR requires users to give clear, affirmative consent before any data is processed, while the CCPA allows users to opt out of data collection.
  5. Enforcement: Authorities from EU member states enforce the GDPR, and the California Attorney General’s office enforces the CCPA.

Organizations hoping to achieve CCPA and GDPR compliance will need to fully understand the differences between both laws to ensure their customers' data protection.

How to achieve CCPA compliance

Achieving CCPA compliance for your business will first depend on whether you meet the thresholds stated earlier in this article. From there, you can take the following steps to start your business on the path to CCPA compliance.

Create a clear and transparent privacy policy

CCPA requires you to clearly state the types of data your business collects from customers, so your privacy policy needs to make users aware of this by including:

  • Type of information being collected and processed.
  • Purpose(s) for collecting and processing this information.
  • How you’re collecting and processing this information, e.g., trackers in the browser.
  • How personal information is used, e.g., advertising, analytics.
  • How the information may be shared with third parties.
  • How individuals can request access to, change, move, or have their personal data deleted.
  • Identity verification procedure for submitting a data subject access request.

Under the 2023 amendments mentioned earlier, the policy should also include the following:

  • A clause listing which personal data collected is categorized as sensitive, if applicable.
  • A statement advising that your customers have the right to have the information they have shared with you corrected or updated.
  • How individuals can opt out of their data being sold or shared; your website is required to have a clear “Do Not Sell Or Share My Personal Information” link.

Ensure users can contact you

CCPA compliance requires clear and easy ways for customers to contact your business. Make these contact details easy to see and find on your website to help build trust and confidence with your customers.

Companies must respond to requests from verified users within 45 days, although this may be extended by an extra 45 days in certain circumstances. To handle these requests, your business must have systems in place to respond to data access, deletion, and opt-out requests.


Take part in CCPA compliance training

CCPA compliance training is a requirement for all organizations handling information from California residents. Any individuals responsible for handling consumer data or processing requests must undergo this training.

Employees should repeat the training each year to stay updated on new policies or regulations.

Conduct data audits

CCPA compliance will be easier if your business maintains accurate, easily accessible records of customer data. Regular audits and training will help businesses prevent issues before they happen and avoid potential fines from a data breach.

Regular audits also help businesses legally by providing documentation outlining how data is stored and protected and demonstrating a commitment to CCPA compliance.

Meet security requirements

CCPA compliance requires “reasonable security measures” that protect consumer data and prevent breaches or unauthorized access.

Encryption helps businesses meet the CCPA security standard by converting data into an unreadable form, known as ciphertext, that can only be read with the corresponding decryption key, so that data stolen in a breach remains protected from attackers.

Penalties for non-compliance

The California Attorney General can impose penalties for non-compliance with the CCPA. The maximum civil penalty is $2,500 per unintentional violation and $7,500 per intentional violation.

Violations may include:

  • Not having a CCPA-compliant privacy policy.
  • Not responding to a consumer request for data disclosure as required by CCPA.
  • Not providing the right notification of personal data being collected.
  • Not allowing users to opt out of the sale of their personal information.
  • Having discriminatory policies against users who exercise CCPA rights.

If a business fails to meet the CCPA requirements, it has 30 days to rectify the problems. If the compliance standards are still not met after that, the attorney general can fine the business for intentional violation of the CCPA requirements.

In the event of a data breach, consumers can claim up to $750 per consumer per incident or seek extra damages depending on the size and impact of the data breach.


How Internxt can help your business secure private data

Internxt Drive is a GDPR-compliant cloud provider offering an encrypted suite of services to help your business meet CCPA compliance and ensure that any sensitive data your business needs to store is kept private and secure against data breaches.

Internxt Cloud Storage for Business Plans is an encrypted cloud storage platform on which you can manage up to 100 users and allocate up to 2TB of storage for each user. With Drive, you can share, upload, and store files, and the user holds the decryption key to this information, preventing unauthorized access to data.

For businesses with large data sets, Internxt S3 Object Storage is an affordable, secure method for handling sensitive information. Internxt S3 has the same commitment to privacy and security as all of Internxt’s products at a cost of up to 80% cheaper than its competitors, with zero cost for data transfer.

As more states and countries implement privacy laws to protect user data, choosing Internxt as your secure cloud storage provider can help you future-proof your business by meeting CCPA compliance and other regulations.