California Consumer Protection Act — CCPA
California passed legislation impacting how organizations handle and protect customer data. Even if you do not live in or have an office in California, you may be effected by this new law.
CCPA Compliance Overview
In June 2018, California passed a new data privacy law called the California Consumer Privacy Act
(CCPA). The law regulates how companies handle personal information from California residents. It
also grants Californians new rights to control their data. Companies are required to comply with the
CCPA by January 1, 2020.
The CCPA requires companies to train their employees on the new law annually. Any employee that
could potentially handle questions from consumers about the company’s CCPA practices or handle
consumer personal information should receive the training. CCPA training should, at minimum, cover
the definition of personal information, consumer rights, requests to access, requests to delete and
The CCPA grants California residents the right to request that companies: (1) delete their data; (2)
inform them what data has been collected and why; and (3) not sell their data. Companies are
required to respond to verified requests within 45 days. Companies must provide at least two ways for consumers to makes requests, either a link from the company’s homepage or a toll-free number.
To comply with CCPA, and to create a safe audit record, companies need to document how they
handle personal information from California residents. In some cases, the documentation needs to be displayed publicly or provided to third parties. In other instances, the documentation should stay
internally within the company.
Finally, though not an explicit requirement under the CCPA, data mapping is essential to much of what the CCPA requires. For companies to be able to find and delete a consumer’s data, for example, they need to know where the data resides, who the company sent the data to, and how the data is being used. A data mapping system generates a set of questions that inventory a company’s data usage. Data mapping can also be useful in addressing other privacy laws on the horizon.