The CCPA will bring many changes to California’s privacy world. We discussed some of them in Part I of this article and we now continue with other key changes.

Transparency, privacy policies and terms of use

Transparency will be a key requirement within the CCPA, something similar to what we see already exist in the GDPR. Companies will have to disclose within their policies what categories of data they collect, where they collect it from, the purposes, the categories of third parties with whom they share the information, the individual rights and how users can exercise them, as well as information on any data collected, sold or disclosed within the past 12 months.

Creating compliant privacy policies and terms of use will require similar steps to the GDPR. For example, a gap analysis against individual rights is recommended in order to determine which individual rights apply to each business activity. From here, the next step should be developing or updating policies to include the required disclosures. Furthermore, any contracts with vendors or third parties should be updated is personal information is shared with them. Finally, it will be imperative to develop a mechanism to answer to any individual rights requests.

Training of personnel is also expected to be a requirement in the CCPA, at least the personnel directly involved in collecting and processing personal information.

Fines for non-compliance

Under the CCPA business can face penalties of up to $7,500 per intentional violation or $2,500 per unintentional violation, if not cured within 30 days of being given notice of such violation.

Additionally, California residents are also provided with private right of action where their personal information is subject to unauthorized access, theft, or disclosure. If the California Attorney General’s Office declined to bring an action, residents could bring a private action, where businesses would have to pay between $100 to $750 per resident or incident, regardless of whether actual damages are shown.


There are many similarities between the CCPA and the GDPR, which makes it so that businesses that have already implemented the required steps for GDPR compliance will have a head start. Within the next year it is expected that California Attorney General will issue implementing regulations, that should further help businesses comply with the CCPA.