Back to Blog

CCPA: Are you ready for the changing data privacy landscape?

January 28, 2020
California Consumer Privacy Act (CCPA)

Another year, another new wide-reaching regulation designed to protect consumer data privacy.

Signed into law just one month after the EU’s implementation of the General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA) is now also in effect, with a great impact on how businesses handle and manage the personal data of California residents.

Specifically, CCPA applies to businesses that meet any of the following criteria:

  • Have gross annual revenue of more than $25 million
  • Buy, receive, or sell the personal information of 50,000 or more consumers, households, or devices
  • Derive 50% or more of their annual revenue from the sale of consumers’ personally identifiable information

To comply with the new regulation, such businesses must provide notice to consumers before or at the point of data collection. Businesses subject to CCPA are also required to create procedures and conform to specific timeframes for responding to consumer requests to access, delete, and opt-out of the sale of personal information. CCPA’s requirements not only compel organizations to address the privacy rights of consumers but also increase the importance of data security.

As for penalties, businesses face potential fines of up to $2,500 per unintentional violation and up to $7,500 per intentional violation. Furthermore, companies that become victims of data theft or other data security breaches face civil class action lawsuits including statutory damages of $100 to $750 per California resident and incident, or actual damages, whichever is greater.

Seven essential steps to achieving regulatory compliance

Whether your organization is headquartered in California or simply does business with residents of the state, you will need to implement new practices and procedures to ensure compliance with CCPA. Many of these considerations also apply to GDPR compliance, while new regulations pending in Canada, Washington, New York, Florida, Massachusetts, New Jersey, Hawaii, Illinois, North Dakota, and elsewhere will require similar attention and preparation.

  • Review compliance strategy

    Schedule meetings, discussions, and awareness sessions throughout your organization to monitor and review your regulatory and compliance strategy and implementation plan. Assess existing plans for managing information and regulatory compliance, and update strategy as necessary.

  • Assign a cross-functional team

    Designate key players from multiple organizational departments (e.g., sales, marketing, product development, IT, HR, finance, customer success, records management, knowledge management, security, privacy, and legal) to support the plan and ensure adherence. Establish specific goals for each team using metrics that can track performance and results.

  • Identify the resources required

    Determine the resources necessary to carry out your strategy, including software, training materials, consultations, and suppliers. Engage key stakeholders in the discussion, including those tasked with establishing a budget for resources.

  • Initiate data mapping

    Identify the type of data you collect, where it is located and stored, how it is used, and how it is shared with third parties.

  • Manage individual rights requests

    Consult with legal staff, regulatory experts, and IT professionals to best understand your requirements in handling different types of requests in a timely manner and protecting your organization against any potential risks.

  • Draft a privacy notice

    Your organization’s privacy notice should address fair business practices, use of data, and intellectual property rights, providing consumers with a clear understanding of consent before they start using your services.

  • Enhance security measures

    Smart businesses stay in step with the latest encryption methodologies and advanced security measures to ensure continued regulatory compliance and the optimal safety of their data. Data encryption must also be implemented in such a manner that it doesn’t cause undue burden to the ordinary course of business. Perform regular security audits and review the results of those assessments to limit risk.

Knovos’ advanced information governance, risk, and compliance technology is critical to monitoring and searching an organization’s entire enterprise landscape, helping ensure compliance, improve safety, and consolidate dispersed data.

To learn more about CCPA, regulatory compliance, and Knovos’ automated, adaptable solutions, stop by Booth #2304 at Legaltech New York on February 4–6 and speak with one of our solution experts.


Joe Bartolo
As an Information Governance and Risk Solutions subject matter expert, Joe has over 13 years of experience providing consultative litigation support services to AM Law 200 Firms, and Fortune 500 corporations throughout North America and the EU. In addition, He was formerly a litigator, with over 7 years of experience as a practicing attorney in New York State.