The CCPA went into effect in 2020. For businesses to achieve compliance, they must uphold a long list of “consumer” (California residents) rights guaranteed by the law to control the use of their personal data.

One central pillar of CCPA compliance is that businesses must honor consumers’ requests to review their personal information that is held by the business provided to the consumer. Since you must provide one year’s worth of data history, you should already have begun taking steps to comply.

What is CCPA Compliance?

If your for-profit business processes personal information of California residents and falls within the material jurisdictions, it will need to comply with the California Consumer Privacy Act (CCPA). In §1798.140 (d)(1), the CCPA defines material jurisdiction as involving a threshold analysis and only applies to organizations that:

  • Have annual gross revenues in excess of $25,000,000; or
  • Annually buy, receive, sell, or share for commercial purposes the personal information of 50,000 or more consumers, households, or devices; or
  • Derive 50 percent or more of its annual revenues from selling consumers’ personal information.

Non-compliance with the CCPA can result in the business being subject to regulatory and civil enforcement actions, which can cause the business to incur substantial monetary penalties. If a consumer can prove the lack of “reasonable security procedures and practices appropriate to the nature of that information” caused the breach of their data, damages may include:

  • $100 to $750 per consumer per piece of data compromised, or actual damages, whichever is greater
  • Injunctive or declaratory relief
  • Any other relief the court deems proper

In other words, if a business had 1,000 records stolen during a data breach, it might pay as much as $750,000 plus other damages.

Additionally, the California Attorney General may bring a civil action against any entity violating the act. Specifically, the CCPA provides that “any business, service provider, or other person that violates this title shall be subject to an injunction and liable for a civil penalty of not more than $2,500 for each violation or $7,500 for each intentional violation.”

CCPA Enforcement Alert: What To Do NOW To Avoid Penalties

CCPA Requirements at a Glance

Do you need a compliance program? If you’re doing business in California or with California residents, then the answer is most likely, yes.

CCPA requirements include:

The right to know

consumers have the right to know what personally identifiable information (PII) a business collects on them, how it's used, and with whom the PII is shared. Read more

The right to delete

consumers have the right to have their PII deleted (with some exceptions). Read more

The right to opt-out

consumers have the right to opt out of the sale of their PII. Read more

The right to non-discrimination

a business cannot penalize or otherwise discriminate against a consumer who exercises his rights under the CCPA. Read more

The right to access personal information

§1798.110(a)(5) states “a consumer shall have the right to request that a business that collects personal information about the consumer disclose to the consumer...(5) the specific pieces of personal information it has collected about that consumer.

The right to correct

inaccurate personal information that a business has about them; and Read More

The right to limit

the use and disclosure of sensitive personal information collected about them. Read More

Additionally, businesses are required to give consumers a written notice that explains their data privacy practices.

CCPA Compliance Checklist

To help you prepare for your CCPA compliance audit and build the appropriate control framework, we’ve compiled the following checklist based on our complete CCPA compliance guide.


Take a data inventory and categorize all data associated with California residents.


Perform a risk assessment. Document all potential security risks facing the personal data you collect.


Ensure that your website follows CCPA guidelines. The CCPA requires a homepage privacy policy disclosure. That policy must be easy to understand. It also must clearly state how you use the data you collect, and include an opt-out button for consumers who don’t want their information shared. While the CCPA doesn’t require you to obtain cookie consent, it does require you to provide notice of the information the cookies collect. It must also contain a button that allows consumers to opt out of the sale of their personal information.


Create a process for personal data access and deletion when it’s requested.


Always have an audit trail, and document your data collection and consent management processes.

Amendments to CCPA

On March 15, 2021, the California attorney general’s office announced additional regulations added to CCPA that expanded the protections of Californians who seek to control the sale of their PII. These new rules strengthened the language used in CCPA that protects consumers from unethical business practices.

Meanwhile, a new proposition approved by voters in November 2020, the California Privacy Rights Act (CPRA), modified the regulations set forth in the CCPA by adding scenarios where consumers can opt out of certain processing activities. The CPRA amended the CCPA, but did not create a separate, new law.

CPRA went into effect on January 1, 2023 and it requires companies to go through regular cybersecurity and data privacy audits. It also requires companies to define record retention timeframes and to state those time frames within their online Privacy Policy.

Watch the Recording to Learn how to Prepare For a CCPA Audit

Register for webinar

RiskOptics Has Your CCPA Compliance Solution

If you’re wondering whether or not you need a compliance program, look no further.

Our RiskOptics Risk Insiders can walk you through the entire CCPA compliance process, helping you to examine your environment and policies and to shore them up before your formal audit.

We can also advise on documentation best practices and provide a template that will help you to assure that you are fully prepared and have done your due diligence before your audit.

Our flexible, integrated solutions allow you to ditch your Excel spreadsheet and streamlines your CCPA requirements through our intuitive dashboard. It automates many of the tedious manual processing activities and reduces the time and resources required to manage them.

ZenGRC CCPA Capabilities

  • A single source of truth to assign, capture and track fulfillment of regulatory requirements
  • Pre-built evidence request templates and automated evidence collection can help streamline your compliance audits
  • Universal control mapping to fulfill requirements across multiple frameworks, like GDPR, HIPAA and others
  • Identifies gaps in your compliance so you can focus on filling them and get audit-ready faster
  • Real-time, continuous monitoring of your compliance stance
Ready to see ZenGRC in action?

Frequently Asked Questions

A for-profit business must meet one the following requirements to be subject to the CCPA ”(A) has annual gross revenues in excess of twenty-five million dollars ($25,000,000), as adjusted pursuant to paragraph (5) of subdivision (a) of Section 1798.185; (B) Alone or in combination, annually buys, receives for the business’s commercial purposes, sells, or shares for commercial purposes, alone or in combination, the personal information of 50,000 or more consumers, households, or devices; or (C) Derives 50 percent or more of its annual revenues from selling consumers’ personal information.

For individuals who reside in California, the CCPA privacy law provides consumer rights to know what data is being collected and how it’s being used, the right to delete your personal information, and the right to non-discrimination when you exercise your CCPA privacy rights.

For those organizations that are subject to the CCPA, they are required to uphold those rights within their internal business practices. Furthermore, they are required to document their privacy practices within their online Privacy Policy which must state, among other items, how the organization collects personal information and how that personal information is used.

CCPA is a legal requirement for for-profit businesses that process California consumers personal information and that satisfy any of the following requirements: (A) Has annual gross revenues in excess of twenty-five million dollars ($25,000,000); (B) Alone or in combination, annually buys, receives for the business’s commercial purposes, sells, or shares for commercial purposes, alone or in combination, the personal information of 50,000 or more consumers, households, or devices; or (C) Derives 50 percent or more of its annual revenues from selling consumers’ personal information.”

The CCPA provides consumers a higher level of transparency from companies and forces them to be accountable for the information they collect as well as what they do with it.

For companies, CCPA compliance provides a greater competitive advantage. It allows them to cast a wider net and attract consumers who are more likely to gravitate toward companies that give them more privacy.

Companies that implement CCPA privacy compliance measures also tend to have more robust security and risk management controls to protect them from privacy risk.

CCPA differs from GDPR in that its privacy regulations cover residents in the state of California within the United States. The GDPR covers citizens of the European Union (EU). Moreover, while both laws are similar in their fundamental approach — namely, that individuals have certain rights over their personal data — the exact rights that each law offers are somewhat different.

The maximum fine for CCPA non-compliance is $7,500 for each violation.