July 24, 2024
CCPA Requirements: A Quick Summary
The California Consumer Privacy Act is changing the way businesses must handle consumer data privacy. Review the CCPA’s requirements in this brief summary.

The California Consumer Privacy Act (CCPA) is a complex law that requires businesses to make significant changes to the way they treat California residents’ personal data. Becoming CCPA compliant is not a one-day project, but its requirements can be summarized in three major categories: posting privacy notices, responding to consumer requests, and implementing data security measures.

This is just a starting point to understand how the CCPA works and what your business must do to be compliant. To learn more, read our Complete CCPA Guide or browse our CCPA Resources Center for other in-depth CCPA articles.

Determine whether the CCPA applies to your business ›

1. Posting CCPA Privacy Notices

The most immediate of the CCPA’s requirements is for businesses to make extensive disclosures about their data privacy practices. Whether it’s online or at a brick-and-mortar store, before collecting consumers’ personal information, businesses must inform them of the following:

  • What personal information the business collects, from what sources, for what purposes
  • The length of time it intends to keep each category of personal information
  • The categories of sensitive personal information the business collects, the purposes for which it collects that information, and whether it sells or shares sensitive personal information
  • The consumer’s privacy rights under the CCPA
  • How to make a verifiable consumer request
  • What personal information is disclosed to third parties, contractors, and service providers, along with the categories of parties it was disclosed to
  • Whether it sells or shares personal information
  • What personal information is sold to or shared with third parties, along with the categories of such third parties
  • Instructions for opting out of the sale or sharing of personal information, accessible via a “Do Not Sell or Share My Personal Information” link
  • How to make privacy requests through an authorized agent
  • At least two methods for contacting the business and submitting requests
  • What personal information is collected from employees and job applicants, and for what purpose
  • Consent requirements for consumers under the age of 16
  • Financial incentives offered when consumers opt in to the sale of personal information

There are also additional notices that businesses must provide if they buy, sell, share, or receive the personal information of 10 million or more consumers annually.

Read more about the CCPA’s privacy notice requirements ›

2. Responding to CCPA Consumer Requests

The CCPA gives consumers the right to make several types of privacy requests to businesses that collect their personal information. Here are the five types of CCPA requests:

  1. Request to know what personal information has been collected, and what has been sold or shared and with whom
  2. Request to delete any personal information collected
  3. Request to opt out of the sale or sharing of their personal information
  4. Request to correct inaccurate personal information
  5. Request to limit use and disclosure of sensitive personal information

Each of these requests has its own set of rules, deadlines (generally 45 days to respond, extendable once) and verification requirements that must be met, as well as numerous exemptions.

Read more about how to handle CCPA consumer requests ›

3. Implementing Data Security Measures

The CCPA is enforced by the California Attorney General and by the California Privacy Protection Agency. Consumers cannot directly sue businesses for violations of their privacy rights, but the CCPA does create a private right of action for data breaches. A consumer can sue when their nonencrypted and nonredacted personal information is subject to unauthorized access and exfiltration, theft, or disclosure as a result of the business’s failure to implement and maintain reasonable security procedures and practices appropriate to the nature of the information. Note that this provision uses the narrower definition of personal information from California’s data breach statute (Civil Code § 1798.81.5), such as a name combined with a Social Security number, driver’s license number, financial account number with its access code, or medical information, or an email address combined with a password or security question and answer, not the CCPA’s broad definition.

Consumers can recover statutory damages of between $100 and $750 per consumer per incident, or actual damages, whichever is greater, without having to prove actual harm. Because the damages are counted per consumer, a single breach affecting many consumers makes class-action lawsuits attractive, and this provision has already produced them.

The effect of creating this private right of action is that businesses are on notice to (1) encrypt and redact personal information wherever possible, which in practice means encrypting data at rest with keys kept separate from the data store and minimizing the identifiers retained in the first place, and (2) implement and maintain reasonable security procedures. The statute does not define “reasonable”; the California Attorney General’s 2016 Data Breach Report pointed to the CIS Critical Security Controls as the minimum baseline an organization handling personal information should meet.

Read more about the CCPA’s private right of action ›

A Quick Summary Is Just the Beginning

Though this list does summarize the CCPA’s requirements, there is much, much more information needed to become CCPA compliant. Start with our Complete CCPA Guide to learn the basics of the data privacy law and find answers to foundational questions like what is personal information and what is a sale of personal information.

There is also a lot of work that must be done before even beginning to make all the required privacy notices. In order to fully understand exactly what personal information your business collects and how it uses that information, you must first create a data map. This is where most of the work of becoming CCPA compliant takes place. The good news is that once the data map is completed, the rest of the process is considerably easier.

Read more about the process of becoming CCPA compliant ›

Disclaimer: This content is provided for general informational purposes only and does not constitute legal or other professional advice. Without limiting the foregoing, the content may not reflect recent developments in the law, may not be complete, and may not be accurate or relevant in an applicable jurisdiction. This content is not a substitute for obtaining legal advice from a qualified licensed attorney in the applicable jurisdiction. The content is general in nature and may not pertain to specific circumstances, so it should not be used to act or refrain from acting based on it without first obtaining advice from professional counsel qualified in the applicable subject matter and jurisdictions.
