May 25, 2022

5 Ways to Ensure that Your Business is Compliant with CCPA


Maintaining consumer data privacy is crucial for businesses today.

The reason: consumers are increasingly aware of, and concerned about, the data they hand over to a business. They want to know how that data is used and whether some third party they have never heard of is misusing it.

Much of the credit for this wave of awareness goes to the California Consumer Privacy Act (CCPA), which took effect on January 1, 2020. Businesses serving California residents started ironing out their compliance strategies to keep their customers' trust and their reputation intact. The class action against Zoom for sharing its users' personal information with Facebook, in particular, was an eye-opening event for many companies.

Let us understand what this law is about and the measures you can take to make your business CCPA compliant. 

What is CCPA?

The California Consumer Privacy Act (CCPA) is a law that requires businesses doing business in California (and meeting the thresholds below) to give consumers notice of, and choices about, the personal information collected from them.

This means consumers can demand to know what personal information the business collects about them, where it comes from, the purposes it is used for, and the categories of third parties it is shared with or sold to. It also gives consumers the right to opt out of the sale of their personal information; for consumers under 16, a sale requires opt-in consent first.

In practice, it means no selling of personal information to third parties or affiliates once a consumer has opted out, and a clearly visible way to opt out (the "Do Not Sell My Personal Information" link) on any site that sells personal information. The CCPA does not ban cookies or ad targeting outright, but where tracking or ad targeting involves selling personal information to third parties, the consumer must be able to switch it off.

The CCPA was passed in June 2018 after years of lobbying for stronger consumer privacy protections. It took effect on January 1, 2020, giving California residents more control over their personal information and more options when companies like yours collect it.

Some examples of consumer rights under the CCPA are:

  • The right to know what personal information a business collects about you and how it is used and shared
  • The right to have your personal information deleted from the business's systems (subject to certain exceptions)
  • The right to opt out of the sale of your personal information, for example by not having your details added to a marketing list that is sold on
  • The right not to be discriminated against for exercising your CCPA rights

How to know if CCPA applies to your business?

The CCPA applies to a for-profit business that does business in California (including selling to California residents, wherever the business itself is located) and that meets at least one of the following thresholds:

  • Annual gross revenue above $25 million
  • Buys, receives, sells, or shares the personal information of 50,000 or more California consumers, households, or devices per year
  • Derives 50 percent or more of its annual revenue from selling the personal information of California consumers

Penalties for not complying

If the California Attorney General finds a business non-compliant, the business is notified and given 30 days to cure the violation. If it still does not comply, civil penalties of up to $2,500 per violation, or up to $7,500 per intentional violation, can be imposed, and each affected consumer can be counted as a separate violation, so the totals add up quickly. Separately, consumers whose non-encrypted and non-redacted personal information is exposed in a data breach caused by a failure to maintain reasonable security can sue for statutory damages of $100 to $750 per consumer per incident.

Do you need CCPA compliance if you're already GDPR compliant?

Yes. Being GDPR compliant does not make you CCPA compliant by default. The two look similar on the surface, but they differ in their requirements and in whom they protect.

CCPA vs. GDPR explained by Osano

You must know that the CCPA is an "opt-out" regulation while the GDPR is "opt-in." Under the GDPR a business needs a lawful basis, usually the user's consent, before it processes or shares personal data at all; under the CCPA a business may sell personal information by default but must stop as soon as the consumer opts out (minors under 16 are the exception and require opt-in).

Moreover, the GDPR covers all processing of personal data and explicitly requires technical and organisational security measures, whereas the CCPA is mainly about notice, access, deletion, and the choice to opt out of sale. Learn more from Osano's guide about the differences between CCPA and GDPR.

The key is to know which data privacy and security laws apply to your business. This depends on whose data you handle and where those people live, as well as on your size and revenue. Say your business operates from inside or outside the EU and caters to residents of the EU: you'll need to comply with the GDPR in that case. Likewise, a business outside California that sells to California residents and meets the thresholds above has to comply with the CCPA.

How to make a business CCPA compliant?

1. Become aware

Find out whether the CCPA applies to your business, then learn what the law actually requires. If you're still unsure whether it applies to you, comply anyway; it's better to be safe than sorry.

Discuss it with top-level management and your organization's board, and present them with the importance of CCPA compliance and the consequences of not complying.

If possible, assign dedicated staff to CCPA compliance, with responsibility for continuously monitoring and measuring data privacy and security risks across your organization.

2. Do a gap analysis within the organization

Before anything else, get a clear picture of the customer data you already hold, where it is stored, and who can access it.

Here are the steps you can take to conduct a gap analysis effectively.

  • Check your company's financial statements or latest annual report to see which of the CCPA thresholds you meet
  • Identify the groups of consumers you collect data from: customers, prospects, job applicants, newsletter subscribers, employees, etc.
  • Document the data privacy practices you already follow, if any
  • Note the areas where your organization is already compliant
  • Note the areas that are not covered yet, and why
  • Check whether you use a customer data platform and, if so, whether the data in it is secured and access to it is restricted

Based on this analysis, map out a plan for how you'll achieve CCPA compliance, with detailed instructions.

Meanwhile, look for other loose ends with your employees and vendors.

Check whether employees keep their own copies of customer data (local exports, spreadsheets, mailboxes) and have them removed or brought under central control. Also, find out where receipts and documents are stored and what happens to old records.

If you share customer data with third-party vendors, find out what they do with that information: is it shared with anyone else, and if so, who has access to it?

3. Update policies

After mapping personal data throughout your firm, review your current data protection policies, methods, and procedures. Once you know what you have, update them, or write new ones if you had no privacy policies in the first place.

Mainly, check that your data privacy policies align with the CCPA, including the opt-out and opt-in notices.

Apart from that, plan how you will respond to consumers' requests to access or delete their information, including how you verify that a request really comes from the consumer it concerns before you hand over or erase anything. Once you've figured it out, circulate it among your employees to ensure they follow the new guidelines. As a good practice, keep all the information about procedures and policies in one place for every employee to refer to.

Most importantly, publish a privacy policy page on your website that sets out what your organization does in compliance with the CCPA.

Make sure to elaborate on the following.

  • The kinds of information you collect from your visitors and customers
  • How you collect it: email, phone number, chat, web forms, etc.
  • The information you deliberately do not collect, such as date of birth or marital status, if that is the case
  • What you do with the information you collect
  • Whom else you share the information with, and whether any third-party companies are involved
  • The rights your consumers or visitors have under the CCPA, and how to exercise them
  • The purposes for which you sell their data to third parties, if applicable

4. Compliance training for employees

Next, make sure the staff involved in CCPA processes are well trained. This mainly means those responsible for answering consumers' questions about their privacy rights and for handling access and deletion requests.

For everyone who has access to the personal information you store on workstations, servers, and in the cloud, keep them informed of the CCPA's requirements and of the privacy policies your business has in place. Provide training sessions for those who need them, and communicate any changes to the CCPA, and to your own policies, over time.

5. Make it explicit to your customers

This is especially relevant for your website visitors and online shoppers. To keep your customers' trust, tell them what you collect, what you do with it, and what choices they have.

Send cookie consent notifications

Tell visitors that you will collect information, and ask for their consent, before any non-essential cookie is set or any tracking script is loaded. Show the notice as soon as they land on your site, not only once they start a transaction.

The cookie notification generally displays the following.

  • A statement that you use cookies, together with the list of purposes they serve
  • A button for the visitor to accept the cookies, and an equally visible option to reject them
  • A link to your Privacy Policy page for more information

Option to access/delete personal information

Have a clearly visible link or button on your website that lets users see and change their preferences, and, if you sell personal information, a "Do Not Sell My Personal Information" link as the CCPA requires. You could also present these options as a checklist on a form or payment page, so that users can select or deselect their information-sharing preferences and stay in control. Whatever the user chooses has to be recorded and honored on every later visit, not just on the page where they made the choice.
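As an added example (not code from the original post or from any vendor it mentions), here is a small JavaScript consent-gating module that implements the two controls above: a notice whose accept/reject choice is stored in a first-party cookie, tracking scripts that load only after an accept, and an opt-out that is honored on later visits. It also treats the browser's Global Privacy Control signal (navigator.globalPrivacyControl) as an opt-out, which the CCPA regulations require businesses to honor; that goes a little beyond what the post describes. The cookie name privacy_choice, the two choice values, and the fact that the cookie string and GPC flag are passed in as parameters are assumptions made so the logic can be exercised outside a browser.

```javascript
// Added example (not from the original post): consent gating for a CCPA-style
// cookie notice plus a persistent opt-out. The cookie name, the stored values
// and the injected environment ({ cookieString, gpc }) are assumptions chosen
// so the decision logic can run and be tested outside a browser.

const CONSENT_COOKIE = 'privacy_choice';     // assumed first-party cookie name
const CONSENT_MAX_AGE = 60 * 60 * 24 * 365;  // keep the choice for one year (seconds)
const CHOICES = new Set(['accept', 'opt_out']);

// Parse a document.cookie-style string ("a=1; b=2") into an object.
// A later duplicate name overrides an earlier one, matching browser order.
function parseCookies(cookieString) {
  const cookies = {};
  for (const part of String(cookieString || '').split(';')) {
    const eq = part.indexOf('=');
    if (eq === -1) continue;
    const name = part.slice(0, eq).trim();
    if (name) cookies[name] = decodeURIComponent(part.slice(eq + 1).trim());
  }
  return cookies;
}

// Serialize the visitor's choice as the value to assign to document.cookie
// (or to send in a Set-Cookie header). Secure + SameSite=Lax keeps the choice
// from travelling over plain HTTP or being set by cross-site requests.
function consentCookie(choice) {
  if (!CHOICES.has(choice)) throw new Error(`unknown choice: ${choice}`);
  return `${CONSENT_COOKIE}=${encodeURIComponent(choice)}; Max-Age=${CONSENT_MAX_AGE}; Path=/; SameSite=Lax; Secure`;
}

// Decide what the page may do, from the stored choice and the browser's
// Global Privacy Control signal. Returns { choice, showBanner, allowTracking }.
function decideConsent({ cookieString = '', gpc = false } = {}) {
  // A GPC signal is a valid opt-out request under the CCPA regulations, so it
  // takes precedence over a stored "accept" and over having no choice at all.
  if (gpc) return { choice: 'opt_out', showBanner: false, allowTracking: false };
  const stored = parseCookies(cookieString)[CONSENT_COOKIE];
  if (stored === 'accept') return { choice: 'accept', showBanner: false, allowTracking: true };
  if (stored === 'opt_out') return { choice: 'opt_out', showBanner: false, allowTracking: false };
  // No recorded choice yet: show the notice and load nothing that tracks.
  return { choice: null, showBanner: true, allowTracking: false };
}

// Run the tracker loaders (analytics, ad pixels) only when tracking is allowed.
// In a browser each loader would inject its <script>; here they are callbacks.
// Returns whatever the loaders returned, so callers can see what actually ran.
function applyDecision(decision, loaders) {
  return decision.allowTracking ? loaders.map((load) => load()) : [];
}

// Record a choice made in the banner or via the "Do Not Sell" link.
// Returns the cookie to set and the decision that applies from now on.
function recordChoice(choice, env = {}) {
  const setCookie = consentCookie(choice);
  const updated = [env.cookieString, `${CONSENT_COOKIE}=${encodeURIComponent(choice)}`]
    .filter(Boolean).join('; ');
  return { setCookie, decision: decideConsent({ ...env, cookieString: updated }) };
}

// Browser wiring: read the real cookie jar and GPC flag when they exist.
// Outside a browser (e.g. under Node) it returns null and does nothing.
function initInBrowser(loaders) {
  if (typeof document === 'undefined' || typeof navigator === 'undefined') return null;
  const env = { cookieString: document.cookie, gpc: navigator.globalPrivacyControl === true };
  const decision = decideConsent(env);
  applyDecision(decision, loaders);
  return decision; // the caller renders the banner when decision.showBanner is true
}
```

In a page you would call initInBrowser with your tracker loaders on load, render the banner only when the returned decision has showBanner set, and on an accept or reject click call recordChoice and assign the returned setCookie string to document.cookie. The "Do Not Sell My Personal Information" link calls recordChoice('opt_out') the same way, so the opt-out persists for a year and is re-applied on every visit without the visitor having to repeat it.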

To sum it up

According to Phi Dang, being CCPA compliant not only helps you avoid penalties and hefty lawsuits but also builds your customers' trust. It also sets you apart from your competition and gives your business room to grow.


Samarth Gandhi
