CCPA Compliance

Inspired by the GDPR, the California Consumer Privacy Act of 2018 (CCPA) is the toughest data privacy law in the United States to date, but Clym can help make your website compliant easily and stress free.

Effective January 2020, the law will significantly impact the way businesses collect and process personal data by expanding the California consumer rights in terms of data privacy.

The CCPA considers to be personal information any “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.”


Who does the CCPA apply to?

The CCPA applies to a business that:

  • Does business in the State of California;
  • Collects personal information (or on behalf of which such information is collected);
  • Alone or with others determines the purposes or means of processing of that data; and
  • Satisfies at least one of the following:
      • Annual gross revenue in excess of $25 million;
      • Alone or in combination, annually buys, sells, or shares for commercial purposes the personal information of at least 50,000 consumers, households, or devices; or
      • Derives at least 50 percent of its annual revenue from selling consumers’ personal information.

A business may not need to be located in California to be subject to the CCPA.  

What rights does CCPA give individuals?

CCPA provides consumers with the following rights:

  • The right to access specific personal information that has been collected within the last 12 months about the consumer.
  • The right to be notified about the types of information and the purposes for which the information will be used, before or when the information is collected. There are specific requirements for where notices must be placed on websites and how notices are to be received by consumers (similar to GDPR).
  • The right to request a copy of the personal information that is collected in a portable and easily readable format. However, businesses are only required to provide personal information to a consumer no more than twice in a 12-month period.
  • The right to be forgotten (with broader exceptions than those provided under GDPR).
  • The right to restrict processing (“opt-out”) of personal information, subject to some limitations. Consumers have the right to opt out of the disclosure or sale of their personal information (subject to some limitations), and businesses must conspicuously display an opt-out link (and toll-free phone number) on their website.

The consumers protected by the CCPA are California residents, meaning people who:

  • Are in California for more than just a temporary period or transitory purpose; or
  • Are domiciled in California, but are out of the state for a temporary period or transitory purpose.

Who and what does the CCPA protect?

CCPA has been described as the strictest user rights and data privacy law ever enacted in the US, and it applies to businesses located both in and outside of California. Beginning January 1, 2020, CCPA provides protections for only California residents, but other states are considering legislation similar to CCPA.

CCPA was enacted to accomplish three primary goals for California consumers and their data (including but not limited to name, birthday, address, phone number, geographic location, and others): 

a) Give consumers the right to know what information companies are collecting about them;
b) Empower consumers with the right to tell a business to not share or sell their personal information; and 
c) Impose fines and consequences for businesses who fail to follow CCPA

What personal information is covered?

  • Identifiers such as name, surname, initial, alias, postal address, IP address, unique personal identifier, social security number, driver's license number, account number, passport number, etc.
  • Biometric information such as health data, face, fingerprints, retina, DNA, etc.
  • Commercial information, including records of personal property; products or services purchased, obtained or considered; and purchasing or consuming histories and tendencies.
  • Geolocation data such as device location history.
  • Internet activity such as browsing and search history, as well as information regarding consumers’ interaction with a website, application or advertisement.
  • Education information not otherwise available.
  • Employment or professional information not otherwise available.
  • Inferences drawn from any of the information identified in this section that contribute to the creation of a consumer profile regarding the consumer’s preferences, characteristics, behaviour, attitudes, etc.

What are the exceptions?

The following types of personal information are exceptions from the CCPA's requirements:

  • Medical data or protected health information governed by the California Confidentiality of Medical Information Act, the Health Insurance Portability and Accountability Act of 1996 (HIPAA) or the "Common Rule" applicable to clinical trials.
  • Personal information governed by the federal Gramm-Leach-Bliley Act and implementing regulations or the California Financial Information Privacy Act.
  • Personal information provided by credit reporting agencies governed by the Fair Credit Reporting Act.

The CCPA does not restrict a business' ability to:

  • Comply with federal, state or local laws.
  • Comply with a regulatory, civil or criminal inquiry or investigation.
  • Cooperate with law enforcement agencies in an investigation regarding the activities performed by the business, a service provider or a third party.
  • Collect or sell personal information if that commercial conduct takes place wholly outside of California.

What happens if I don’t comply with the CCPA?

Businesses found to be out of compliance with CCPA can face harsh penalties. For starters, if a business fails to remedy an alleged noncompliance within 30 days following notification from the state, it could be charged a civil penalty of $7,500 per violation.

Additionally, any business found to be out of compliance with CCPA can face penalties of up to $750 per violation, per user. This multiplier can make the penalties very large. The CCPA also allows consumers to file privacy lawsuits, meaning that a company could face litigation and damages from individual consumers!

To learn more about CCPA Non-Compliance, read our in-depth knowledge base guide.


California Consumers' Rights

Right to know

By consumers’ request, businesses must disclose what personal information they collected, why they have collected it, how it is used and who else has access to it.

Right to delete

Under the CCPA, a consumer has the right to request the deletion of any personal data that an organisation has collected about that consumer.

Right to opt-out of sale

Consumers have the right to request that businesses stop selling their personal information to another business or third party.

Right to non-discrimination

This right protects consumers against discrimination after having exercised their rights under the CCPA, ensuring they will not be treated differently.

Private right of action for security breaches

Consumers whose non-encrypted personal information was subject to unauthorised access, theft or disclosure are granted a private right of action.

What was the story before CCPA?

Prior to CCPA, there was minimal meaningful regulation regarding the sale and transfer of consumer data. Many companies collected and sold consumer data without consumers’ knowledge, and generated enormous revenues from doing so.

CCPA attempts to regulate these transfers and provide consumers more control of their data.

How can Clym help you prepare for the CCPA?

For more information about how Clym can help, visit our Features page. There are four primary components to CCPA compliance: Identify, Define, Protect and Manage. Clym can help with all four:

a) Identify: Identify, label, classify (or categorize), and index the personal information that you collect and store on all individuals (not just California consumers). 

b) Define: Establish appropriate data governance policies and processes to ensure compliance with CCPA requirements. Ensure you have adequate procedures in place (and automate as much as possible) with your website to respond to the various consumer rights that consumers can exercise under CCPA. In most cases, businesses only have 45 days to respond to verified requests from consumers.

c) Protect: Help you implement the “privacy by design” and “privacy by default” principles and the data minimization requirement, similar to what’s required under GDPR.

d) Manage: Compliance is not a one-time activity; it requires ongoing management to be successful. Everyone in your business needs to understand what CCPA specifically requires of them in their individual job roles; Clym makes this easy and affordable.

California Consumer Privacy Act (CCPA) FAQ

Is CCPA here?
CCPA is here; it was passed as a law in 2018 and became effective on January 1, 2020 (Happy New Year, California!).

Is CCPA a law?
Yes, CCPA is a law that was enacted by the state of California (officially, it's called Assembly Bill 375) and it was passed by the legislature in 2018.

Is CCPA finalized?
CCPA is finalized and in effect; however, the state of California is continuing to provide guidance regarding the regulation, and is not bringing enforcement action for CCPA violations until July 1, 2020.

Is CCPA similar to GDPR?
Yes! Much of the CCPA was modeled after GDPR, though there are some significant differences between the regulations.

Is CCPA constitutional?
The courts have not yet addressed that matter; however, legal experts have stated that courts will likely have to determine whether CCPA's cross-border implications violate the dormant commerce clause, and whether the vague definition of “personal information” is unconstitutionally void. Stay tuned!

What rights does CCPA give to CA residents?
CCPA provides five primary rights for CA residents:
1) the right to access specific personal information that has been collected within the last 12 months about the consumer;
2) the right to be notified about the types of information and the purposes for which the information will be used;
3) the right to request a copy of the personal information that is collected in a portable and easily readable format;
4) the right to be forgotten; and
5) the right to restrict processing (“opt-out”) of personal information, subject to some limitations.

Make your website fully compliant for the CCPA and GDPR regulation today!

Not sure about what you need to do to become compliant? Schedule a private consultation with one of our consultants.

CCPA Compliance Requirements

  • Make sure your Policies include information on your data collection and sharing practices with regard to personally identifiable information (PII) for the past 12 months. Specify how, why and what PII you collect and process.
  • Verify the identity of users submitting access or deletion requests.
  • Provide users with a way to opt out of the sale of their personal information.
  • Enable users to opt-in or out of cookies at any moment.
  • Document and maintain records of compliance.
  • Ensure the security of personal information through reasonable security and privacy practices.

To learn more, click to read CCPA - Do Not Sell My Personal Information Requirements.

Online Privacy Documents


CCPA-Compliant Policies And Procedures

Make sure your policies and procedures include information about California consumer rights, how they can submit requests related to these rights, what personal information you have collected in the past 12 months, how it was collected and for what purpose.

Additionally, you must also mention what personal information categories you disclosed or sold to any third parties in the last 12 months.

How Clym can help:

  • Jurisdiction-flexible policies, terms, agreements and procedures.
  • Real-time policy update and versioning, allowing you to create, modify and publish new versions of your policies instantly, in a transparent way.
  • Flexible set up per country, enabling you to stay connected with your users and adapt to new privacy requirements, regardless of their location.
  • Embeddable policies that can be included anywhere on your website. When you edit them, you only need to do it in one place, as they will be updated on all pages.
  • Document sharing through unique URLs for easier agreement and procedure sharing with your partners.
Learn More about Document Management

Cookie Consent for CCPA

Inform your users before or at the point of collection about what categories of personal information you are collecting about them and for what purposes.

Don’t collect any other information or use it for other purposes than the ones presented to the consumer. Enable them to easily opt-in or out of cookies.

How Clym can help:

  • Automatic cookie website scanner that identifies all the cookies used on the website, what data they collect and automatically assigns them to a processor from our repository of 100+ third-party vendors.
  • Comprehensive cookie consent management through our advanced cookie tag manager, cookie indexation, supplier whitelisting and piggybacking prevention.

  • Brandable cookie notice layouts with your company’s logo and colors for a consistent user experience.
  • Customisable opt-out/opt-in configuration for non-essential cookies.
  • Consent collection for loading embedded content such as videos or forms.
Learn More about Cookie Consent

Consumer Request Collection And Management

Inform your Californian consumers on how they can submit requests for access and erasure and enable them to opt-out of the sale of their personal information to a third party.

Create a request management system for handling consumers’ requests in a timely manner that respects the applicable timeframe.

How Clym can help:

  • Transparent communication of California consumer rights within the Clym privacy widget and privacy center.
  • Consumer request collection, allowing them to easily submit requests straight from the widget.

  • Customisable “Forget me” button that automatically deletes the subject’s current session and cookie preferences.
  • Individual “Stop Processing” option for each profile we store in the platform.
  • Data subject request management within the platform, allowing you to set up request flows, assign them to a responsible person and track their status.
  • Consumer request timeline.
  • Configurable request notifications.
Learn More about Data Subject Request Management

Identity Verification For Consumer Requests

Before disclosing any information, make sure you verify the identity of the consumer making the request. This means you need to give data subjects a way to prove their identity.

How Clym can help:

  • Consumer identity verification using a unique confirmation link that is sent to the data subject's e-mail address.
  • Verification status for all received requests.

  • Platform linking between consumers' profiles and their submitted requests to facilitate request fulfilment.

Reasonable Data Security and Privacy

Under the CCPA, you have the obligation to ensure the security of consumers’ data and to prevent unauthorised access to their personal information through reasonable privacy and security practices.

How Clym can help:

  • Data encryption, anonymisation and strict platform access control policies to help you minimise the risk of losing customer data.
  • Anonymised consumer profiles where we group all their consent actions and requests.

Look Back Requirement

When receiving a disclosure request, you must provide the information for 12 months back, which means you need to properly map the personal information you collect.

How Clym can help:

  • Data mapping through data classification by data point and category, including sensitive information.
  • Management of processing purposes, data processors, legal bases and retention periods.

  • Data processing agreements management for each data processor.

Records Of Compliance

To really stay on the safe side, make sure you keep records of compliance to be able to prove you respected California consumer rights and the CCPA’s requirements overall.

How Clym can help:

  • Integrated audit system for user consent actions and cookie management where everything is digitally signed and cannot be altered.
  • Automatically generated consent receipts for all consent-related actions that the user performs. These include what type of data was collected (without disclosing PII), the collection purpose, retention period, legal basis, and who else has access to it.

  • Public consent receipts ledger where we store all consent receipts, which allows you, your data subjects or other parties to verify consent receipts.
Learn More about Consent Receipts
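To make concrete what a tamper-evident, PII-free consent receipt ledger of the kind described above looks like, here is an added Python example written for this page (it is not Clym's code and makes no claim about how Clym's ledger is built). Each receipt records the categories, purpose, retention period, legal basis and recipients, replaces the subject's e-mail with a salted hash, chains to the previous receipt's hash, and is authenticated with an HMAC; the verifier walks the chain and reports the first altered entry. Assumptions: a stdlib HMAC stands in for the public-key signature a ledger meant for third-party verification would use, and the key, salt and field names are invented for the example.

```python
from __future__ import annotations

import hashlib
import hmac
import json
import secrets
from dataclasses import dataclass, field

# Assumption: the operator's ledger key. A real public ledger would sign with a private key
# and publish the public key; HMAC-SHA256 is used here so the example runs with the stdlib only.
LEDGER_KEY = secrets.token_bytes(32)
GENESIS_HASH = "0" * 64  # prev_hash of the first receipt


def pseudonymise(subject_email: str, salt: bytes) -> str:
    """Keep the receipt free of PII: store a salted hash of the identifier, never the e-mail."""
    return hashlib.sha256(salt + subject_email.strip().lower().encode()).hexdigest()


def canonical(payload: dict) -> bytes:
    """Deterministic JSON so the same receipt always hashes to the same value."""
    return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()


@dataclass
class ConsentLedger:
    key: bytes = LEDGER_KEY
    salt: bytes = field(default_factory=lambda: secrets.token_bytes(16))
    receipts: list = field(default_factory=list)

    def record(self, subject_email: str, action: str, purpose: str, data_categories: list,
               retention_days: int, legal_basis: str, recipients: list, timestamp: str) -> dict:
        """Append a consent receipt chained to the previous one and authenticated with the key."""
        prev_hash = self.receipts[-1]["receipt_hash"] if self.receipts else GENESIS_HASH
        body = {
            "seq": len(self.receipts),
            "subject": pseudonymise(subject_email, self.salt),
            "action": action,                      # e.g. consent_given / consent_withdrawn
            "purpose": purpose,
            "data_categories": sorted(data_categories),
            "retention_days": retention_days,
            "legal_basis": legal_basis,
            "recipients": sorted(recipients),      # who else has access
            "timestamp": timestamp,
            "prev_hash": prev_hash,
        }
        receipt_hash = hashlib.sha256(canonical(body)).hexdigest()
        signature = hmac.new(self.key, receipt_hash.encode(), hashlib.sha256).hexdigest()
        receipt = {**body, "receipt_hash": receipt_hash, "signature": signature}
        self.receipts.append(receipt)
        return receipt

    def verify(self) -> tuple[bool, int | None]:
        """Return (True, None) if every receipt is intact and correctly chained,
        otherwise (False, index of the first receipt that fails)."""
        prev_hash = GENESIS_HASH
        for i, r in enumerate(self.receipts):
            body = {k: v for k, v in r.items() if k not in ("receipt_hash", "signature")}
            if body.get("seq") != i or body.get("prev_hash") != prev_hash:
                return False, i  # reordered, removed or inserted entry
            expected_hash = hashlib.sha256(canonical(body)).hexdigest()
            if not hmac.compare_digest(expected_hash, r["receipt_hash"]):
                return False, i  # field edited after the fact
            expected_sig = hmac.new(self.key, expected_hash.encode(), hashlib.sha256).hexdigest()
            if not hmac.compare_digest(expected_sig, r["signature"]):
                return False, i  # hash recomputed but not authenticated by the key holder
            prev_hash = r["receipt_hash"]
        return True, None

    def export(self) -> str:
        """Serialise the ledger as it would be published; contains no e-mail addresses."""
        return json.dumps(self.receipts, sort_keys=True)


if __name__ == "__main__":
    ledger = ConsentLedger()
    ledger.record("consumer@example.invalid", "consent_given", "analytics", ["internet_activity"],
                  365, "consent", ["analytics-vendor"], "2020-01-01T00:00:00Z")
    print(ledger.verify())
```

Because each receipt's hash covers the previous hash, editing, deleting or reordering any entry breaks every later link, which is what lets a data subject or auditor check a published ledger rather than take the operator's word for it.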

Our Data Privacy Tools of Trade


Managing data privacy made easy. These are the complementary tools that help us cater to your compliance needs.

Learn More about our Privacy Widget

See you on the safe side