What is CCPA and how will it impact my small business?

What is the CCPA?

On June 28, 2018, California passed the California Consumer Privacy Act (“CCPA”), which will go into effect on January 1, 2020. Essentially, the CCPA gives consumers the ability to know what data is being collected from them, the right to opt out of that information being collected, and the ability to ask for deletion of that data.  It also allows them to forbid companies from selling their information to a third party.

If they haven’t already, businesses will need to adjust operations and policies by January 2020 in order to comply with the new laws. There are penalties that range from $2,500 – $7,500 per violation, so compliance should be a top priority.

Does the CCPA affect me?

Any business entity that does business in California has requirements under the law if it meets any of the following criteria:

  • Your business’ annual revenue is over $25 million.
  • Your business receives information of over 50,000 consumers, households, or devices annually.
  • At least half of your business’ annual revenue comes from selling personal information.

The law excludes the collection or sale of “a consumer’s personal information if every aspect of that commercial conduct takes place wholly outside of California[, i.e.,] if the business collected that information while the consumer was outside of California, no part of the sale of the consumer’s personal information occurred in California, and no personal information collected while the consumer was in California is sold.”

Does it apply to nonprofits?


The CCPA applies to “businesses.” The Act defines that term to include any legal entity (e.g., corporations, associations, partnerships, etc.) that is “organized or operated for the profit or financial benefit of its shareholders or other owners.”

Does it apply to my small business?

Possibly.  Do you have customers in California and:

  • make over $25 million, or aspire to do so?
  • selling people’s personal information is more than 50% of your business?
  • receive information from over 50,000 people, households or devices?

If the answers to any of these questions are yes, then you should comply.

What do I do if my small business does need to comply?

  • Put someone in charge of spearheading the process to make your organization compliant. Make sure you get a legal expert to help with the process.
  • Review and map all of your internal data to confirm what information is being collected by your business.
    • Understand how the personal information is being collected, how it is being used, and confirm if it is being sold or shared to third parties.
    • Review contracts with any third parties that you provide consumer information to and compare it with CCPA regulations.
    • Review the privacy policies of all third parties that process consumer information and ensure their policies are in compliance with CCPA as well.
  • Update all privacy policies. If consumers weren’t informed from your privacy policy that your organization collects certain data, make it clear that data is being collected now. For example,  if data about eating habits or email address is being collected, it is to be listed in your privacy policy or you can’t collect it. You must also inform California consumers if you are selling this information, what specifically you are selling, and who you are selling it to.
  • Create an inventory for customer data. Your business will need to disclose upon request the categories of personal information being collected along with the purposes for those categories being collected, so make sure this information is readily available upon request at any point in time.
  • Create a process for data access and deletion.  Customers have the right to access information collected from them within 45 days of the request.  The same for requests for deletion of that data. You’ll want to create a system to document these requests. The system should also be able to automate verifying the requestor and the actual dissemination or deletion of data.
  • Train and update your customer service team on CCPA. Since these policies directly affect the experience of your customers, train all customer service employees on protocol responses related to the new CCPA compliance. Make sure they know what the new regulations are, what they mean, and how they should go about handling the customers request. Make sure the training includes appropriate responses that complies with CCPA.

If your business needs assistance creating a smooth process for technology systems and procedures to fully comply with data laws like GDPR, CCPA or HIPAA, please email us at info@anniecannons.com.

Leave a Reply

Your email address will not be published.