CCPA Compliance
The Most In-Depth Guide

The new California privacy law presents a number of compliance challenges for organizations of all sizes.

Find out what steps you should take to avoid the fines and how our DLP solution can help you achieve CCPA compliance.



The California Consumer Privacy Act (CCPA) is a consumer privacy law regulating how businesses handle customer information. The government of the State of California enacted the CCPA – Assembly Bill 375 – with urgency in late June 2018, and amended it in September 2018.

Based on the General Data Protection Regulation (GDPR) and recent data breaches, CCPA aims to empower consumers with new rights in order to protect their privacy. Business transparency is encouraged and gives consumers a certain amount of control over how their personal information is used with the goal of reducing misuse.



Creates an extended definition of “personal information”
Creates new data privacy rights for California residents
Creates a new statutory damages framework in California
Introduces new regulations when children`s personal data is used


There has been some confusion regarding the CCPA with the popular assumption being that all businesses will have to comply. In reality, the privacy law applies only to for-profit entities that conduct business in California, and meet at least one of the following three conditions:

Generates over $25 million in annual gross revenue
Collects, shares, buys or sells the data of at least 50,000 consumers
Makes at least 50% of its revenue from the sale of personal information


The CCPA introduces some new consumer rights for California residents.

Right to know

  • Businesses must notify consumers what personal information is being collected about them, how it’s being collected and used, as well as whether and to whom it’s disclosed or sold. Disclosures generally should occur through a publicly posted privacy notice, and specifically upon request by a consumer.

Right to access

  • Businesses covered by the CCPA that collect California residents’ personal information must provide the following on request:
    • The collected categories of personal information (e.g. name, phone number, date of birth)
    • The specific pieces of the collected personal information
    • The categories of sources of personal data
    • The commercial purpose of collecting or selling personal information
    • The categories of third parties with whom the personal information is shared
  • The “look back” requirement: companies will need records of personal information collected dating back 12 months before January 1, 2020, which is January 1, 2019.

Right to opt-out

  • The right to opt-out is one of the most impactful elements of the CCPA, which doesn’t list any exceptions.
    Businesses must enable and comply with a consumer’s request to opt-out of the sale of personal information to third parties, although it’s subject to certain defenses.
  • If a business sells personal information, it must provide a “clear and conspicuous link” titled “Do Not Sell My Personal Information” on its homepage that enables a consumer or a person authorized by the consumer to opt out of the sale of personal information.

Right to equal service and price

  • Businesses are prohibited from discriminating against California consumers for exercising their rights under the law. Discrimination includes, but it’s not limited to: denying, charging different prices for, or offering different qualities of goods or services.
  • However, the CCPA does allow businesses to offer different prices or levels of service if the difference is “reasonably related to the value provided to the consumer by the consumer’s data.” Companies can also offer financial incentives to consumers in exchange for the collection or sale of their personal information.

Right to erasure

  • A consumer has the right to request an organization to delete their data, subject to certain exceptions. The business must also instruct its service providers to delete the data.

Special protection to minors

  • Businesses should assess whether they are likely to engage in any activity that could be considered as “selling” personal information about consumers younger than 16 years, and if so, consider establishing protocols and procedures to mitigate risks.
  • CCPA imposes an affirmative consent requirement for the sale of personal information of any minor if the business has “actual knowledge” the consumer is younger than 16 years.
  • The “affirmative consent” must be sought from:
    • parents or guardians of consumers under 13 or,
    • consumers themselves if they are aged 13 to 16.


The CCPA aims to encompass all of the sensitive and personal information consumers would like to manage, more specifically: personal information that identifies, relates to, describes, is capable of being associated with, or may reasonably be linked, directly or indirectly, with a particular consumer or household.

Additions that will be categorized as personal information under CCPA:

    • IP addresses
    • Geolocation data
    • Biometric informatio
    • Device and cookie IDs
    • Internet activity information like browsing history, purchase history or tendencies
    • Characteristics concerning an individual’s race, color, sex, age, religion, genetic information, sexual orientation, political affiliation, national origin, disability or citizenship status
    • Inferences that are drawn from personal information “to create a profile about a consumer reflecting the consumer’s preferences, characters, psychological trends, preferences, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes”


Implementation date: January 1, 2020
Enforcement date: July 1, 2020



Civil penalties:

Up to $2500 for negligent violations
Up to $7500 for intentional violations

Statutory damages:

$100-$750/consumer per incident


Update Privacy Policy with a description of a consumer’s privacy rights under the CCPA

Businesses should create a new procedure that briefs consumers of their rights and any proposed sale of their personal information, as well as provide them access to exercise their right to deny any sale of their personal data.

Businesses must make clear that consumers have the right to opt-out of the sale of their information.

Classify Data to identify and locate sensitive personal data across the organization

Companies will have to identify previously collected personal information about the consumer.

Businesses will also need to know why they collected the personal information; which categories of personal information were sold; and which categories were disclosed for a business purpose.

It’s important for businesses that fall under the scope of CCPA to keep up-to-date detailed records.

Implement internal processes to respond to Consumer Rights Requests

Businesses will have to implement protocols in order to handle all consumer requests in regards to their personal data. This includes situations when consumers say no to the sale of their data, as well as cases when they don’t allow the disclosure of their data to third parties.

Train Employees on how to direct consumers to exercise their rights

Businesses will have to train all of their employees who handle consumer inquiries regarding privacy practices about the CCPA as well as how consumers can exercise their rights.

Adopt Data Security Practices and Solutions like encryption and data loss prevention products

Endpoints, gateways, and cloud services must be sufficiently safeguarded to prevent unauthorized access, stop unauthorized changes, and protect personal data from malicious threats that attempt to compromise data integrity.

Security tools should continually assess endpoints, servers and other systems to avoid new threats due to out-of-date and unpatched operating systems and applications.



1. Apply data protection policies to sensitive data
2. Protect data wherever it goes
3. Report or block unauthorized data transfers
4. Get detailed reports and e-mail notifications

Protect Data at Rest

  • Protection against unauthorized storage
  • Protection against intentional data theft and accidental loss on Windows, macOS, Linux and removable media like USB devices
  • Scanning data at rest stored on employees’ endpoints for sensitive data based on predefined or custom content, file name, etc.
  • Encrypting the data to protect it from potential breaches

Protect Data in Motion

  • Protection against unauthorized transmission
  • Safeguarding personal data in motion across multiple channels and preventing it from leaving the network
  • Monitoring and controlling data in motion, deciding what confidential files can or cannot leave the company via various exit points

Build your data protection strategy with

Get started today!
We are always happy to answer your questions, advise on features and use-cases or direct you to our local representative.
Data privacy is very important to us.
Details provided, will only be used for the purpose they were intended for. Read more about our commitment and Privacy Policy.
Endpoint Protector Sales

Get your latest dose of
News and Insights about

Request Demo
* Your privacy is important to us. Check out our Privacy Policy for more information.