Business Obligations under the California Consumer Privacy Act

Blog Post
May 15, 2020

The privacy landscape has seen some important changes in the past couple of years. Because people don’t want their private, personal information mishandled, legislation has been passed to ensure their privacy is protected—and businesses need to take heed of this matter. In a previous article we focused on the rights consumers get under the California Consumer Privacy Act (CCPA); this article focuses on what business owners need to do to make sure they follow said legislation.

To sum it up as quickly as possible, businesses must offer transparency, choice and consent, access and representation, erasure, equal treatment, security,and accountability. This applies to all the personally identifiable information (PII) belonging to California consumers—and it doesn’t matter if the PII relates to the consumer’s private or professional life.

Collect PII transparently


Under CCPA legislation, businesses have transparency obligations: they must provide consumers with notice describing the PII processed across the lifecycle of such information, the rights given to consumers, the mechanisms available to facilitate consumer rights, how to exercise their rights and who is available to help them exercise their rights and answer questions. These transparency obligations apply in the context of how businesses interact with consumers and require businesses to describe their online and offline PII processing within online privacy statements. CCPA also prohibits businesses from collecting PII if it does not give consumers notice and from processing PII in a manner that is not described within such notice.

Get consent to process PII


Businesses are subject to specific choice and consent obligations, such that they must seek explicit consent in a variety of circumstances related to selling children’s data or before using PII for substantive new purposes not previously addressed in their privacy statements. Businesses must also ensure their choice mechanisms remind consumers of their rights to change their minds about the use of their PII in the future. Businesses must also allow consumers to prevent the sale of their PII. Businesses must implement an affirmative authorization process, where the business separately confirms an authorization to sell PII upon receipt when such data relates to a child or when the authorization is given by a consumer who previously opted out of having their PII sold. In the event they receive a Do Not Sell request and have not processed the request before sharing the consumer’s PII in pursuit of a sale with a third party, the business is obliged to instruct the third party data recipient to not further sell the consumer’s PII.

Give consumers access to their PII


If consumers want to access the PII your business processes, you must allow them to view it and even get portable copies of it. Businesses must facilitate these access rights via documented procedures designed to authenticate consumers identity; based on specific requirements prescribed by the legislation.

Businesses must also support representation rights, allowing consumers to engage authorized agents to facilitate certain requests on their behalf. While a business may deny requests from agents who fail to demonstrate the consumer’s written permission, the business should not generally deny a Do Not Sell request unless they have a good-faith, reasonable and documented suspicion that the request is fraudulent.

Delete PII if consumers request it


Businesses can’t hold on to PII if the consumer doesn’t want them to do so. Businesses are subject to erasure obligations under CCPA, and they must delete PII associated with a consumer who exercises their right of deletion—unless another law requires such data to be retained. Businesses are required to facilitate such requests based on documented authentication procedures and must implement a two-step confirmation process for any deletion request received by consumers online; whereby the business must request the consumer separately to confirm their deletion request after submitting it online and before deleting such information. In the event they are unable to comply with a deletion request, businesses are required to explain to the consumer why—and are further not permitted to use the PII subject to the deletion request for any other purpose.

Treat consumer requests equally


CCPA covers the possibility that discrimination might occur. As such, businesses are subject to equal treatment and anti-discrimination requirements and must not discriminate against consumers who exercise their CCPA rights, but treat them with equal terms. While financial incentives such as tiered pricing, products or services may be offered to consumers in exchange for the right to sell their PII, businesses must ensure incentives are relative to permissive and demonstrable calculations used to establish the value of the PII to be sold. Additionally, businesses offering financial incentives must provide separate notice of financial incentives and demonstrate a consumer’s agreement via a two-step confirmation process.

Keep PII secure


Businesses must implement reasonable security controls to protect consumers, especially when facilitating their requests. In general, businesses should not leverage sensitive personal information solely for authentication purposes, unless it is critical to verifying a consumer’s identity under the business’ defined authentication procedures. Additionally, the authentication procedures must account for the sensitivity of processed PII and the unauthorized dissemination and deletion risks posed to consumers. Businesses must securely deliver PII to consumers and ensure the security of self-service portals and other mechanisms implemented to facilitate their CCPA rights.

CCPA holds businesses accountable


If you’re going to collect, store, process and manage the personal information of a California consumer, then your business must consider CCPA accountability requirements and be prepared to demonstrate their reasonable compliance efforts.

Including but not limited to:

  • Businesses are prohibited from using PII for any purpose materially different than the purposes described in the notice provided at the time of collection without explicit consent. Business may not collect new categories of PII not described in notice without explicit consent, nor sell any PII collected without first providing notice. Businesses who do not collect PII from California consumers directly must confirm with data provider that they are registered with the Attorney General’s office as a data broker.
  • Businesses must develop a training policy for CCPA rights and requests and provide training to individuals facilitating them.
  • Businesses must confirm receipt of requests to know within 10 days, respond within 45 days and comply with requests no later than 90 days. Businesses must act upon opt out of sale requests as soon as possible, but no later than 15 days upon receipt.
  • Businesses should be prepared to demonstrate their CCPA compliance efforts via appropriate technical, organizational, and administrative controls and records designed to demonstrate compliance efforts. Businesses must be able to demonstrate the CCPA requests received, and their response efforts taken, for a period of 24 months. This may include the use of logging and ticketing systems provided they describe the compliance information required under the law and any PII described within such systems is not used for any other purpose. If a business buys, sells or shares for commercial purpose the PII of at least four million consumers, they must additionally establish and publish on their website compliance metrics describing the average consumer requests, those fully or partially complied or denied and medium days for resolution in the last 12 months.


If you have any questions about CCPA, privacy or the regulations that impact the way personal information is processed, contact us at