How to ensure compliance with the California Consumer Privacy Act

January 20, 2020

1 January 2020 not only marked the start of a new year but a new decade. The previous decade was notable for many things, but prominent amongst them was a major focus on compliance and data privacy and security in the digital age.

The regulatory compliance that had been in place before then had been developed at the start of the internet era and had soon become unfit for purpose. Consumer data was not protected effectively, a situation that needed to be addressed. This protection arrived in the shape of regulation such as the European Union’s (EU) General Data Protection Regulation (GDPR), which came into force in May 2018.

That has given way to a rise in GDPR compliance software that helps organisations ensure compliance with GDPR. But GDPR was just the start of a new wave of regulation designed to protect consumer data. The latest of these is the California Consumer Privacy Act (CCPA), which came into effect on 1 January 2020. What do organisations need to do to ensure compliance with this new regulation?


Not only has GDPR created and grown the GDPR compliance tool market, but it has also been the forerunner of other similar regulation. In December 2019 the Indian government introduced a bill that makes firms handle data only with consumer consent, while the Australian prime minister has announced a complete review of privacy laws in the country.

But CCPA is the most high-profile and important regulation in the early part of 2020. If GDPR shook up the internet giants and online advertising companies that hadn’t always behaved in the best way with consumer data, then CCPA can go even further.

Both pieces of regulation force organisations to look at the processes around data in the business – how it is captured, stored, accessed and managed. CCPA adopts some GDPR provisions, in that it gives consumers the right to know what online information is collected on them and how organisations use it. It also allows them to request that their data be erased and to start legal proceedings against companies for data breaches.

The CCPA doesn’t insist that firms have a ‘legal basis’ for collecting and using personal data and does not demand the appointment of corporate data-protection officers. But in other ways, it goes much further than GDPR. The CCPA extends what constitutes personal information to include internet cookies, and organisations must enable Californian residents to opt out of the sale of personal data with a prominent ‘do not sell’ link on the home page.

Where to start with CCPA compliance

The CCPA applies to firms with revenues of $25m or more that hold the data of California residents, even if that organisation is not based in the state. Any firm found guilty of non-compliance with the CCPA will face a fine of up to $7,500 for each breach.

Given that California has seen 1,493 data breaches in the last decade exposing over 5.59 billion records, it’s understandable the state has unveiled such a strict privacy act. The good news for any firm that holds data on both EU and California residents is that they are already underway with CCPA compliance, but there is still much to do. This is how to get started:

Conduct an inventory of customer info.

Start with an inventory of all customer information collected and stored. Not knowing what data is held makes it even harder to ensure compliance with CCPA, and organisations should be especially mindful if they have made an acquisition recently – they could also have acquired bad data and poor cybersecurity practices as part of the deal.

Map all CCPA data.

How all CCPA-protected information is collected, stored, destroyed, and how it flows through the business must be mapped and logged effectively. Data is accessed and stored on many devices across an organisation, so the right security solutions are essential. This is best managed as part of an integrated GRC software package, such as Oxial’s sGRC solution.

Be agile and ready for change.

Since CCPA was passed, there have already been many amendments. Organisations need to stay on top of these changes and requirements and the smartest way of ensuring this is by working with a GRC software provider such as Oxial, which partners with some of the world’s leading compliance experts and consultants. This knowledge helps ensure firms keep pace with CCPA evolutions and can act quickly to ensure continuous compliance.

While CCPA came into effect on 1 January 2020, California will not begin enforcement until 1 July 2020, so there is a little time for organisations to get their house in order. If your organisation needs help from Oxial regarding CCPA compliance, then please get in touch with one of our experts and we will talk you through requirements and first steps.