CCPA (California Consumer Privacy Act): What Are the Requirements and Conditions for Compliance?
The California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA) are the personal data protection laws of the state of California in the USA. The CPRA expanded and supplemented the CCPA, which is why the two abbreviations are often used interchangeably.
CCPA / CPRA: What Is It?
CCPA/CPRA is similar to the European GDPR in many ways:
- applies to all companies that “do business in California,” regardless of where they are registered;
- applies to protect the data of all Californians — consumers, website visitors, employees, and others;
- has a broad definition of “personal information”;
- has a division into “businesses” (controllers) and “service providers” or “contractors” (analogues of data processors);
- has a number of mandatory requirements for organizations regarding the fulfillment of requests for certain actions with personal data, restricts the free sale and disclosure of data, and requires careful security.
But they are not identical. CCPA/CPRA does not have as wide a scope as the GDPR. In particular:
- applies only to commercial organizations;
- organizations must use the data for profit (monetize it in some way);
- the sale of data is not generally prohibited — a person simply has the right to prohibit such a sale;
- there are no legal bases as defined in the GDPR;
- only companies that exceed a certain threshold of revenue from data monetization fall within the scope of the law.
Read on to learn what that threshold is and how to determine whether CCPA/CPRA applies to your company.
Who Must Comply with the CCPA?
Your company must comply if it does business in California and meets at least one of the following criteria:
- it has annual gross revenues of $25 million or more;
- it buys, receives, or sells the personal information of 50,000 or more California residents, households, or devices (note that the count is not only per individual but also per collective entity: a household with several members or a person with several devices counts too);
- it derives 50% or more of its annual revenues from the sale of the personal information of California residents.
“Doing business in California” is a broad concept interpreted in accordance with the state’s tax and civil law. In simple terms, it usually means that a company (from California, another state, or another country) has clients from California, the company is aware of their California origin (and current presence there), receives payments from there, and regularly provides services or goods to state residents. But be careful — even if you do not consciously ask where your clients come from, CCPA/CPRA may still apply to you.

Also be careful: very often advertising activities (for example, showing advertisements to California IPs on your website) may not formally fall under the second criterion, but may fall under the third. Even if the IPs themselves are not disclosed to advertisers (criterion No. 2), this data is still being monetized — and CCPA/CPRA may apply.
What Documents Are Required for CCPA / CPRA Compliance?
CCPA/CPRA requires less documentation and proof of compliance than the GDPR because it places fewer obligations on companies. Evidence must still be collected, however, and compliance procedures must be formally approved.
As a rule, a company must prepare the following documents:
- privacy policy — describing data processing, data subject rights, categories of personal information collected;
- a “Do not sell or share my personal information” page with settings for withdrawing consent to the sale of data, and logs of this mechanism;
- alternatively, if this is a children’s service — a mechanism for providing consent to the sale of minors’ data;
- information security policy;
- agreements with service providers and contractors on data processing;
- for data brokers — information about registration in the relevant registry and payment of fees.
Often, in addition to these documents, the following are also prepared:
- a policy for processing requests for the exercise of consumer rights (i.e., data subjects who wish to do something with their data);
- a data security incident response procedure;
- other documents deriving from the requirements of certification schemes (e.g., kidSAFE) or industry organizations (DAA, NAI, IAB).
Documents play a very important role here — they indicate that the company has a mature compliance program and help make a supervisory body inspection faster and less costly.
But even the best documentation will not save a company if reality differs from declarations. Therefore, the correct architecture of the compliance program must be ensured.
CCPA / CPRA: Implementation Algorithm
The compliance program has several main steps:
- Audit or discovery: the company reviews all incoming and outgoing data flows and establishes which personal data is being processed.
- Gap assessment: identifying (non-)conformities with the law’s requirements at the current time.
- Creation of internal documentation: visualization of data flows, drafting security policies, and so on.
- Review of relationships with service providers and employee data compliance: verifying counterparties, concluding data processing and non-disclosure agreements, providing employees with tools for requests regarding their data, and so on.
- Creation of external documentation: privacy policies, pages for withdrawing consent to the sale of data, and so on.
- Registration as a data broker (optional).
How Does a CCPA / CPRA Audit and Gap Assessment Proceed?
A CCPA/CPRA audit is a fundamental stage that determines how well the company complies with the law’s norms on personal data processing. Its key result is the creation of a personal data flow map leading to the next gap assessment, which identifies the gap between the company’s current business processes and the requirements of CCPA/CPRA.
It is during the audit that the following can be understood:
- whether the company falls under CCPA/CPRA;
- what data it generally collects and processes;
- what roles it plays;
- what status partners, contractors, and other group companies have under CCPA/CPRA;
- what obligations are placed on the company.
Moreover, if the audit transitions directly into a gap assessment, previously completed work can be evaluated (for example, if the company has already worked on GDPR compliance) and it becomes clear which processes need to be supplemented or improved to also cover the CCPA.
What Does Internal CCPA / CPRA Compliance Include?
The audit and gap assessment then take material form: they become documentation, design features, and software or device architecture. For example, at this stage scripts are created for collecting cookie consents, forms for processing “do not sell/share my personal data” requests, information security policies, and so on.
At this same stage, the team learns to identify personal information within the full set of data it handles, process it correctly (for example, not forgetting about encryption or de-identification), and plan its further work taking into account the requirements of CCPA/CPRA and the recommendations of the CPPA (the regulatory body).
What to Write in Privacy Policies under CCPA / CPRA?
At this stage all changes made to processes and architecture (or infrastructure) should be summarized and presented in clear language for persons whose data will be processed by the company.
At minimum, a person must be informed of the following:
- what categories of data about them the company will process;
- what the purposes of such processing are;
- what rights this person has regarding their data, and how they can exercise them;
- to whom the data may be transferred;
- how the data is protected.
Each company will have its own specifics and its own requirements for disclosing its personal data processing policies — which is why it is important to clarify this at the initial stage and carefully implement it going forward.
How Does CCPA / CPRA Regulate Employees and Contractors?
CCPA/CPRA is unique among similar state laws in that it protects not only consumers themselves (consumers are any person whose data is collected — not necessarily a buyer; it can also be a representative of a partner company, for example), but also employees of the company that falls under CCPA/CPRA. Therefore, the company will need to take this factor into account for its compliance and create all possibilities for its personnel: notices of data processing and opportunities to exercise their rights.
But it is important not to confuse employees with contractors. If a company works with contractors, it must conclude proper agreements with them that specify the data being transferred and the business purposes for which this data is provided to the contractor. These purposes are limited in number (they are listed in CCPA/CPRA), and they must respect the prohibition on using data for retargeting or other types of cross-context behavioral advertising (CCBA). For example, this may be relevant for your business if you purchase advertising on Facebook on behalf of a client!
And most importantly: these agreements must be in writing. Therefore, it is necessary to consult CCPA/CPRA when drafting a contract and to review all previously concluded agreements with contractors.
How to Demonstrate CCPA / CPRA Compliance?
Finally, there is the communication part: how does a company prove that it complies with CCPA/CPRA requirements?
We typically create illustrative materials — for example, using the personal data flow map compiled during the audit, explaining the legal aspects of each stage of such data movement within the company’s business processes.
Such material may take the form of a pre-filled questionnaire, a Microsoft Purview report, presentation slides for sales pitches, or even FAQ articles on the website.
Certifications also exist for some sectors — but they rarely cover the entire CCPA/CPRA or serve as a “shield” against liability if a violation is found nonetheless.
Afterword
California is a large, wealthy, and densely populated state. Accordingly, although it is just one law of one state within an entire federation, CCPA/CPRA has in practice triggered an avalanche of similar laws. California already has an active regulator with sanctioning powers, a technically and legally educated population, and many data-driven businesses that use data trading to generate profit and attract investment.
Therefore, CCPA/CPRA should not be neglected — like the GDPR, California’s laws have long reach and can cause problems — in the form of a fine or a lost commercial opportunity — at any moment.
Legal IT Group helps companies bring their internal processes into compliance with the California Consumer Privacy Act (CCPA). We prepare the necessary documents for working with personal data, review policies and contracts, and conduct audits of business processes. Our team forms a CCPA Compliance Program that takes into account the specifics of the US market and combines requirements with other regulations, including the GDPR.