8 Steps to CCPA Compliance


CCPA is the most comprehensive general data privacy bill of its kind to pass in the United States at a state level. It stipulates significantly more transparency for companies and is the toughest privacy law in the U.S. If you’re already complying with GDPR, you still have work to do, but you have a head start!


Contact Us

Download the 8 Steps PDF by entering your details below!

8 Steps to CCPA Compliance

1. Start Now

Begin developing a CCPA compliance strategy now. The CCPA will take effect January 1, 2020. Don’t wait until the holidays; create a plan now that accounts for company meetings, holidays, and other initiatives.

2. Collaborate with your team, and come up with a plan of attack.

Identify a lead sponsor and cross-functional team. Complying with CCPA will require input initially and on an ongoing basis with departments such as marketing, product, IT, HR, finance, customer support, security, privacy, and legal.


Identify the resources needed (such as software tools, attorneys, and consultants)required to help with compliance.


Establish and/or review privacy training. As employees move between roles, it will be imperative to train employees and create a standard operating procedure for honoring individual rights.

3. Get to know your data.

Start the data mapping process. Understand the data you collect that qualifies as personal information under the CCPA. Where do you host your data (including with any third parties), and for what purpose is it used? This exercise is especially crucial to determine if you collect and sell data on children. If so, data collected on children under the age of 13 requires opt in with parental consent. Children 13-16 also requires consent directly from the child.

4. Understand (and create processes to handle) the individual rights of disclosure, access, and deletion.

An individual has the right to understand details regarding how their data is processed (disclosure) and the right to access the categories of personal information collected. An individual also has the right to deletion; if any consumer requests their personal data be deleted, a business must delete all records (with some exceptions) of a consumer and direct service providers to do the same. This step may be the most complex under CCPA to implement. Businesses will need to establish training, processes and procedures and identify third parties that need to be involved to ensure compliance.

5. Create a clear path and process for an individual to opt out of selling personal information.

Individual rights are a key aspect of CCPA.

An individual also has the right to opt out from the sale* of personal information. Businesses selling PI will need to put controls in place to manage the opt-out requests and also a process to capture subsequent authorization if the consumer changes their mind. One of the controls CCPA mandates is that businesses create a separate “Do Not Sell My Personal Information” webpage with an obvious path from their homepage that directs consumers to opt out of the sale of their personal information.

*Selling is broadly defined under the CCPA: “selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer’s personal information by the business to another business or a third party for monetary or other valuable consideration.”

6. Establish and/or strengthen security measures.

Understand the full lifecycle of a data record. CCPA requires ‘reasonable’ security measures, and performing a thorough privacy and security assessment for each service provider will help mitigate any mishandling of personal data.

7. Update Privacy Notices

Transparency is critical under CCPA.

Update your privacy notices to specifically state what data is collected, explain the purpose for the data’s use, identify third parties with which that data is shared, and communicate the rights available to an individual about their personal data.

8. Prepare for the future of privacy laws and regulations.

New privacy regulations will continue to roll out. Already, 10+ states are evaluating a law similar to CCPA, and Brazil’s General Personal Data Protection Act (Lei Geral de Proteção de Dados or LGPD) takes effect in August 2020. Create adaptive and agile processes to help your company remain both compliant and efficient in the wake of new privacy legislation.

We believe privacy is just good business.

At Red Clover Advisors, we help businesses establish confidence with their customers by developing a secure online data strategy they can count on. Our job is to simplify privacy practices so your business can gain a competitive advantage through trust. 
Schedule Your Consultation

© 2019 Red Clover Advisors, LLC

The materials available at this web site are for informational purposes only and not for the purpose of providing legal advice. Red Clover Advisors, LLC is not a law firm and if you need legal advice, please contact an attorney who is competent to provide appropriate legal advice with respect to your specific problem. The ideas or opinions expressed on this website are the opinions of the specified author and do not necessarily reflect the opinion of the company.