Will the California Consumer Privacy Act Affect My Business?

Five ways to prepare your business for the CCPA—even outside California

By Andrew Brandt | Reviewed by Canaan Suitt, J.D. | Last updated on November 9, 2023 | Featuring practical insights from contributing attorney Victoria E. Beckman


On Jan. 1, 2020, California’s Consumer Privacy Act (CCPA) went into effect. Originally signed into California law by former Gov. Jerry Brown in 2018, the act gives California residents—among other things—the right to know what personal data is being collected about them and the right to disallow the sale of that data.

The CCPA Reaches Beyond California

Victoria E. Beckman, an intellectual property and data security attorney in Columbus, Ohio, notes that, for businesses, the law’s effects reach far beyond the state’s borders. “As it is written now, the act applies even if you’re a company in New York or Ohio,” she says. “If you collect information from California residents—even if you’re located in any other state—you may have to comply with it.

“The act was modeled after Europe’s General Data Protection Regulation (GDPR),” Beckman continues. “It is groundbreaking in that it gives… the right to access information and erase some information. It also gives a private right of action in case there’s been a data breach, so you can basically sue a company if you can demonstrate that a data breach caused some harm or was their negligence.”

Under CCPA requirements, pieces of personal information include:

  • Medical information;
  • Geolocation data;
  • Biometric information;
  • IP address or email address;
  • Employment or education information;
  • Commercial information, such as purchasing history; and
  • Passport numbers, driver’s license numbers, and Social Security numbers.


Which Businesses Need to Comply with the CCPA?

There are, of course, a couple of caveats. Your business will only need to prepare for the CCPA if:

  • It is a for-profit company;
  • Its annual gross revenue exceeds $25 million;
  • It buys, sells, receives, or shares for a commercial purpose the information of more than 50,000 California residents, households, or devices; or
  • It derives 50 percent or more of its annual revenue from selling California residents’ personal information.

Five Steps To Prepare Your Business for the CCPA

If your business is going to be affected by the CCPA’s consumer rights protections, it will need to prepare.

“They’re going to have to invest money in reviewing the policies,” says Beckman. “And, later, in responding to requests from the data subjects. Internally, a company has to have a process in place to respond and comply with a deletion request. You’re going to have to have personnel to make sure they know where the data is.”

To prepare, she recommends:

  1. Mapping out, and taking inventory of, the personal information of California residents that your business receives or sells;
  2. Reviewing and updating data privacy notices and disclosures, as well as service provider agreements;
  3. Creating a process to fulfill CCPA rights requests and respond to alleged violations;
  4. Reviewing and implementing security practices and procedures; and
  5. Conducting employee training.

“Before it’s enforced, businesses have to make sure they know, internally, how the process works. So, if they get a request for deletion, they can guarantee everything was deleted,” Beckman says. “The act requires a 1-800 number for people to call, so they have to make sure that’s set up.”

How Attorneys Help Companies Prepare and Comply with Regulation

When businesses come to Beckman, she first makes sure the new privacy law will apply to them. She then helps take inventory of their California residents’ information, where it is stored, and who has access to it. Finally, she reviews privacy policies and helps with employee training so that employees know how to handle consumer requests and why it’s important.

“We also help with reviewing service provider agreements,” she says. “If you have third-party vendors doing the information requests for you, we make sure that they are in compliance.” Beckman further notes that it’s important that businesses don’t discriminate against California residents because “they’re exercising their rights.”

“It really applies to everybody, and we don’t know how flexible they’re going to be with enforcement,” says Beckman. “The last thing you want is some kind of fine or your business being shut down because you’re not being compliant.”

It’s crucial that affected businesses prepare for compliance—which an experienced attorney can help with. For additional information related to this area of law, see our overview of business and corporate law, as well as content on cybersecurity law.
