Six Common CCPA Compliance Mistakes

January 17, 2022 - Jeff Edwards


Although it has been in effect since 2020, some businesses still fall foul of the California Consumer Privacy Act (CCPA). This can be a serious mistake as the state Attorney General can fine you $7,500 for each violation you fail to fix within 30 days. Even if the Attorney General doesn’t act, individuals can sue you for damages stemming from a violation. Here are some of the most common errors that businesses make.

Not Knowing That The CCPA Applies to You

Because the CCPA is a state law, it’s easy – but mistaken – to believe it doesn’t apply to businesses in other states. In fact, the business’s location does not matter. The CCPA instead applies if you serve residents of California (including online and distance selling) and meet any of three criteria:

  • You have annual worldwide revenue of more than $25 million.
  • You buy, sell or share personal data about more than 50,000 Californian residents in any 12-month period. (The 50,000 threshold also applies to households and devices in California.) This includes buying mailing lists.
  • You make at least half of your annual revenue from selling the personal data of California residents.

If any of these criteria apply, you must follow the CCPA whenever you handle personal data about a California resident.

No ‘Do Not Sell’ Notice

Although the CCPA says you must make available a wide range of information about your data handling, the precise location and format are often flexible. The key exception is the mechanism that lets customers opt out of the sale of their personal data, which the CCPA says you must provide in a specific format.

The first requirement is that you have a dedicated page for exercising this right.

The second requirement is that your homepage links to the dedicated page. This must be a text link using the wording “Do Not Sell My Personal Information.”

Inadequate Opt-Out Methods

The CCPA says your “Do Not Sell” page must normally offer at least two ways to exercise the opt-out right. One of these methods must be a toll-free phone number.

The only exception to this principle is if you only operate online, and you have a direct relationship with the consumer. In this situation only, an email address is sufficient as a way to exercise the opt-out, with a secondary method not required.

Whatever method or methods you make available, you cannot require a consumer to create a new account to exercise their opt-out right.

Not Getting Consent To Sell Children’s Data

The one situation where CCPA does require advance consent is when you want to sell personal information about a child. If the child is aged 13-16, you need their consent to do so. If the child is aged under 13, you need the consent of their parent or guardian.

Not Keeping Records

Other than the opt-out right, the CCPA isn’t based on restricting how you can use personal data or requiring that you get consent. Instead, it’s mainly about making customers aware of the ways you use personal data.

To achieve this, the CCPA organizes personal data into 11 categories. The categories are detailed in Section 1798.140(o)(1) of the California Civil Code. Broadly they cover:

  1. Names and numbers that identify an individual.
  2. Other personal information that identifies an individual.
  3. Information about characteristics on the basis of which it’s illegal to discriminate.
  4. Commercial information such as purchase history.
  5. Biometric data.
  6. Internet data such as browsing and search history.
  7. Geolocation data.
  8. Information in audio, video or image form.
  9. Professional or employment data.
  10. Education data that identifies an individual and isn’t public knowledge.
  11. Profiling using data from other categories to infer the person’s preferences, beliefs or other characteristics.

You must keep clear records of all your data use, broken down by category. This is vital so that you can comply with two sets of requirements.

Firstly, when you gather data you must tell the consumer:

  • Which categories the data you are collecting falls into.
  • For each category of data you collect, the purpose for which you’ll use it.

Secondly, you must list your personal data use (across all consumers) over the past 12 months, updating this list at least once a year. The list should appear in your privacy policy or similar document. For each of the 11 categories, the list must say whether you have:

  • Collected data.
  • Sold data.
  • Disclosed data.

The only practical way to make sure you accurately provide this information is to keep comprehensive records of your data use, making sure you always know what category covers each piece of data.

Not Preparing For The CCPA’s Replacement

Following a successful ballot initiative, a new law (the California Privacy Rights Act) will take effect in 2023, with full enforcement scheduled from 1 July. In practice, the CPRA will replace the CCPA, keeping most of its requirements and adding new ones.

The CPRA will increase the threshold for consumers or households from 50,000 to 100,000, while no longer counting devices.

If you still meet this threshold or either of the other two ($25 million annual revenue; half of revenue comes from selling Californian consumer data), you will need to update your data practices to comply with the CPRA. The main changes to make are:

  • Adjust your records to include a new 12th category, covering sensitive data. (Examples include information about race, religion and health; financial information in a combination that allows account access; and government-issued numbers.) You’ll need to list this category alongside the existing 11 for all the mandatory information, both on collecting data and in your privacy policy.
  • Make sure your system can reliably handle consumers exercising a new right to tell you to only use sensitive data for providing goods or services they’ve requested. Make sure you don’t use it for marketing.
  • Create a new page for people to exercise this new opt-out. Link to it from your homepage with the wording “Limit the Use of My Sensitive Information.” (Alternatively, combine this with the page for opting out of data sales and link from the homepage using any appropriate wording.)
  • When collecting data, give a category-by-category breakdown of how long you will retain the data or how you will decide when to delete it.
  • Make sure your system can handle two other new consumer rights: to correct any inaccuracies in the data you hold, and to know if you use data for automated decision making (also called profiling).

Jeff Edwards is a tech writer and analyst with six years of experience covering compliance, information security, and IT. Jeff previously worked as a reporter covering Boston City Hall.
