5 simple steps to CCPA compliance for small business owners.Running a small business can be stressful. Trust me, when I started Red Clover Advisors, I felt overwhelmed by day-to-day operational challenges, building our client base, and ensuring that we were providing top-notch advice and service. Regardless of your industry, being a small business owner means you wear a lot of hats and there are certain areas in which you just don’t have expertise.

Perhaps the CCPA regulations that take effect on January 1, 2020 are one of those items that have piled onto your stress list. Don’t worry! Here are five simple steps to CCPA compliance success for small business owners that I think will really help you navigate the process.

  1. Data is king. If you do not know what customer data you have or understand its implications, it is nearly impossible to comply with the CCPA regulations. The key here is that under the CCPA, data you collect qualifies as personal information. You should start the data mapping process now, if you have not already. Here are some questions to consider when you undergo data mapping:
    • Where do you host your data (including with any third parties)?
    • For what purpose is the data you collect used?
    • Do you collect and sell data on children?
  1. Notify, notify, notify. You can no longer tell a customer once that you are collecting their information. Under the CCPA, you must provide four different notices and update them appropriately. These include, notice of collection of personal information, customer opt-out rights, financial incentive notice, and your business’ privacy policy. While the CCPA regulations may sound like legal jargon to you, it is important that your notices are consumer friendly. Here are some questions to consider when creating or reviewing your notices:
    • Are your notices easy for anyone to understand?
    • Do the notices detail the data you collect such as the sources of information or categories of personal information collected?
    • Do they provide information regarding what your business plans to do with the information collected?
    • Are they designed to grab a customer’s attention? What about individuals with disabilities?
    • Do you do business in another country or with those who speak a language other than English? If so, is each notice available in that language?
  1. Consumer-Centric. You need to have a plan for individual’s rights, which includes being accessible for consumer requests, verification of data, and opt-out options. Under the CCPA, you must explain what you plan to do with the data you collect and provide two ways for customers to contact you regarding said data. Here are some questions to consider when developing your plan:
    • Do you have methods for contact in place? For nearly all businesses, one of these methods must be a toll-free phone number; is it set up? Many businesses also opt for an electronic method; is this right for your business?
    • Do you have a system to ensure timely responses to consumer requests? This can be hard when you are juggling so many things, but it is very important to be aware of these time constraints and abide by them. Did you know that the CCPA regulations state you have to acknowledge most consumer requests within 10 days? And, that the data verification process has to be complete within 45 days?
    • Does your team know how to verify consumer information or what to do in cases that you cannot verify a consumer?
    • Do you have an opt-out policy and process in place? And, is it in the CCPA-approved format?
  1. Train your team.all know that customer service is important and would hate for this to happen, this training goes beyond getting a positive or negative review on social media. Under the CCPA regulations there are new requirements about documentation that anyone who handles consumer requests and data need to be aware of and have proper training regarding the specifics. Here are some questions to consider when creating a training manual:
    • Do your employees know they must keep a record the customer requests that your business is receiving?
    • Do they know these records must be maintained in a log or ticket format?>
    • Do they know that the information maintained in these records cannot be used for any other business purpose?
  1. Rinse and repeat. Once you have a plan in place and have mapped your data, it is important to keep in mind that this is not a one-time thing. Being responsible for consumer data and staying up to date on state and national regulations is the new norm, not something you can set up once and forget about. Here are some questions to consider as you look ahead:
    • How will you integrate the plan for new consumers and their data?
    • How will you keep up with adjustments to the regulations?
    • How will compliance be maintained on an ongoing basis?

We hope this was a helpful resource. But, if you still have questions, please schedule a free call with us. Red Clover Advisors would love to help you navigate this process and make your life a little less stressful.

On October 10, 2019 the California Attorney General released a document of Proposed Regulations for the California Consumer Privacy Act

The California Consumer Privacy Act of 2018 is the most comprehensive general data privacy bill of its kind to pass in the United States at a state level. Its purpose is to increase transparency when it comes to the physical and digital data collected and sold.

Under CCPA, customers will now have more choices and control over what happens to their personal information and increased security in their online engagement.

Wondering if CCPA will affect your business? Let’s take a look.

CCPA covers for-profit companies doing business in California that collect consumers’ personal information and meet one of the following criteria:

1. exceed $25 million in gross revenue;
2. buy or receive the personal information of 50,000 or more consumers, devices or households (such as website traffic);
3. or derive 50% or more of their annual revenue from selling consumers personal information.

Under CPPA, personal information includes, but is not limited to:

  1. Geolocation Data and Inferences Extracted from Data – Using someone’s precise location data without permission expressly granted or using the IP address to track users
  2. Unique Personal Identifiers (e.g., cookie numbers or company devised number)
  3. Browser or Search History (e.g., recipes, local doctors)
  4. Biometric Data – (e.g., fingerprints or eye retina scan)
  5. Professional or Employment-related Information – (e.g., salary, title, certifications)
  6. Psychometric Data – (e.g., info gathered from aptitude tests or personality test)
  7. Audio + Visual Data – (e.g., data from audio or video files)
  8. IP addresses – If an IP can identify a household it may be considered personal data

CCPA will require businesses to notify consumers about the type of data they collect, both in privacy policies and in response to specific requests. Consumers will be given a clear choice to opt out of their data being sold—and if they do, companies cannot discriminate against them by charging a higher price or servicing them differently, unless they can prove the difference is reasonably related to the value provided by the data.

To understand this better, consider a company sells you a service for $10/month and it sells the data you provided to sign up for this service just because it fancies earning a little extra money. The value in the service to you, the customer, is still $10. If you decide to opt out of this, the company cannot turn around and charge you $50/month now to cover their loss from the data unless they provide $40 worth of extra value.

A company can, however, still offer financial incentives to consumers to make use of their personal data more enticing to them, such as $10 off the first month, or a complimentary add-on service for a limited time.

“So what does this mean and how will it affect my business?”

This means that your IT team will need to know where a customer’s data is being held at all times now so it can be removed if someone requests it. This may require you to reconfigure your existing systems and processes. For all new data collected, I recommend building this into the design of the system from the beginning.

Your Marketing department will also need to know exactly what data you collect, how it is used and where it is shared so this is accurately reflected in your privacy notice. As your business grows, you will need to revisit this periodically to make sure these changes are reflected here as well.

For more information on CCPA and how to make it your competitive advantage, check out 5 Reasons CCPA Should Already Be On Your To-Do List.

Wondering how solid your privacy program really is? Or could it be, if you’re honest, you’re not sure you have one at all? Schedule your complimentary evaluation today and wherever you’re at, we’ll get you where you need to be.

Making sure your brand is one your customers can trust is the most important investment you can make in your business. It will make the difference between customers that come and go and customers who have no reason to look elsewhere.

Which would you prefer?


Much like with GDPR, CCPA may not be among the aspects you’re most eager to dive into when it comes to your business. Getting ahead of the game, however, will not only save you the unnecessary stress, and higher price points, that come with scraping it together at the last minute, it can also easily become your competitive advantage if you start early.

If your business collects personal data on California residents, there are some adjustments you may need to make in how this is done. This article will walk you through a few reasons why it’s better to start planning for it now.

1. You’ll know now what data you collect, where you store it, how you use it, where you share it.

Under CCPA, you’ll need to create a privacy notice for your business and you won’t be able to do this if you don’t know what data you are collecting and where you’re storing it. This is also an important part of managing your obligations under individual rights.

Consumers will now have the ability to bring what’s called a right of action against a company if they allegedly fail to “implement and maintain reasonable security procedures and practices” and it results in a data breach. In some instances, a user might even be able to sue the company.

By performing a data inventory, it will help you decide what you no longer need and get rid of it. Repetitive operations that are costing you money that could be better used elsewhere? Gone. Likewise, you may discover data you didn’t even realize you had, and be inspired by it in ways you never could have imagined. Think privacy and innovation aren’t inextricably connected? Think again.

The value of data cannot be underestimated—and you cannot comply with the laws or use it to your advantage in your business without understanding yours.

2. You’ll know what changes you need to make if you sell data.

In order to keep selling data in California under CCPA, you’ll need to put a button or link on your site in an obvious place titled “Do Not Sell My Personal Information” so visitors are able to opt out of the sale of their data. Once this is in place and someone enters their information, you’ll also need to know exactly what happens to it next to make sure it is stays separate from those who don’t opt out. The sale of data will need to be built on an individual level now, or you’ll need to adjust your current process so it functions in under these new parameters.

The bottom line is you won’t know what you need to change until you have all the information in front of you to analyze. Even if you decide, in the end, the cost isn’t worth it to keep selling data, there is still work you’ll need to do in order to close the process down before the law goes into effect.

3. You’ll have plenty of time to educate your workforce which is essential to compliance.

Privacy needs to be an integral part of how you project and operate your entire business, if it wasn’t already.

Your product and marketing personnel, and anyone else who handles data, need to know what the privacy notice says, and know how this actually applies within your day to day operations. Everyone is a steward of data—and you won’t be able to manage any of the individual rights properly if your staff is conflicted on how that even works.

Without the same basic understanding of the privacy changes, regardless of position, you run the risk of someone making an uninformed decision that could lead to a costly breach.

4. You can announce compliance ahead of your competitors.

Privacy is a differentiator. Many well-known and highly respected brands have created pages on their websites announcing how they’re handling and managing privacy before anyone has to ask. Apple is a notable example. They went above and beyond what was required to be compliant and created a separate page dedicated to explaining how they thought through privacy and specifically worked it into their hardware and software in the design phase.

If you’re forward thinking and openly address potential concerns with your customers before they arise, you will stand out from all your competitors who can’t be bothered.

Customers will appreciate your transparency. A bolder approach that shows people you value them more than the data they give you. Wouldn’t you prefer to handle privacy in the same way as some of the world’s most trusted brands?

5. You can begin budgeting for it now.

Understanding exactly what you need to do now will give you time to gather the funds you need to make the necessary changes. The last thing you want to do is be figuring this out right before the deadline, which is next year’s holiday season.

A few questions you may want to consider to determine your budget:

1. Who do I need to help me figure this out?
2. How much time do I need internally?
3. Do I need to adjust internal resources?
4. Which software do I need? How much time will I need to consider my options so I pick the right one and don’t make any rash decisions?
5. How many people do I need to train on this?

Wondering how solid your privacy program really is? Or could it be, if you’re honest, you’re not sure you have one at all? Schedule your complimentary evaluation today and wherever you’re at, we’ll get you where you need to be.