Security & Compliance

Complying with the California Consumer Privacy Act (CCPA)

What is the goal of CCPA?

CCPA gives California residents control over how their personal data is used by businesses that collect personal data about them.  It gives consumers the right to know what information businesses are collecting about them and the right to tell businesses they cannot disclose or sell their personal data.

A California resident is any individual who is in the state for other than a temporary or transitory purpose, and any individual who is domiciled in the state but is outside the state for a temporary or transitory purpose. In more general terms, it applies to anyone who pays taxes to the state of California, whether or not they currently live in California.

What are the businesses that must comply with CCPA?

CCPA applies to any for-profit business organization that collects, shares, or sells California residents’ personal data and meets any of the following criteria:

  • Has an annual gross revenue of $25 million or more;
  • Possesses the personal information of 50,000 or more consumers, households, or devices; or
  • Earns more than half of its annual revenue by selling personal information.

What are CCPA Personal Data Identifiers?

CCPA personal data is information that identifies or is capable of being associated with a particular California resident or family. Note: CCPA does not consider publicly available information as personal.

Personal Information includes:

  • Personal identifiers, such as a real name, alias, postal address, unique personal identifier, IP address, email address, account name, social security number, driver’s license number, passport number, or other similar identifiers;
  • Commercial information, including records of personal property, products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies;
  • Internet or other electronic network activity information, including, but not limited to, browsing history, search history, and information regarding a California resident’s interaction with an internet website, application, or advertisement;
  • Geolocation data;
  • Biometric information;
  • Audio, electronic, visual, thermal, olfactory, or similar information;
  • Professional or employment-related information; and
  • Education information that is not publicly available PII as defined under FERPA.

How companies can prepare for CCPA compliance.

  1. Companies should perform internal data discovery to identify the customer data that the company collects, stores, and shares or sells. For example:
    • What categories of personal information are collected? (e.g., identifiers, internet usage, education info, employment info, etc.)
    • What sources are used to obtain the data? (website, stores, marketing sources, rewards program, etc.)
    • The business reason why the data is collected and how the data is used.
    • Categories of personal information provided to third parties and why.
    • How the data is securely stored, transferred, processed, and disposed of.
    • Where the data is securely stored and/or transferred.
  2. Companies should consider maintaining a database or application to track the usage of consumers’ personal data, consumer request submissions, and the company’s response to consumer requests. For example:
    • What specific personal data is collected for each consumer?
    • The category of personal information collected (e.g., identifiers, internet usage, education info, employment info, etc.).
    • Business purpose of collecting and using the data.
    • Categories of sources from which the information was obtained (website, stores, marketing sources, rewards program, etc).
    • The categories of personal information that are transferred to third parties.
    • Business purpose for sharing consumer personal data with third parties.
    • If the data was sold and to whom it was sold.
    • Identify when the data was collected. (Note: if more than 12 months ago, this data is exempt.)
    • The authorized agent on file to request changes on behalf of the consumer.
  3. Companies should ensure policies and procedures are updated and consumer notifications are available as required under CCPA. For example:
    • A Notice of Collection must be provided to consumers at or before the time of collection of the consumer’s personal information. The notice must inform the consumer of what personal information is collected and how the business will use it. This can be linked within the Privacy Policy, but it is different from the Privacy Policy.
    • Companies must provide at least two ways in which a consumer can submit a Request to Opt-Out of the sale of their personal information.
      • At least one method must be a link that is clear and conspicuous on the company website. This can be within the Privacy Policy as long as it’s clear to the consumer.
      • Examples of other methods include: a toll-free phone number, email, physical form mailed to the business, etc.
    • Companies must provide methods for consumers to submit Requests to Know and Requests to Delete.
      • Online-only businesses need an email address for receiving customer requests to know and delete.
      • All other businesses must provide two methods to receive requests, with one of the methods reflecting the way in which it primarily interacts with consumers.
    • Companies should establish procedures for responding to consumer requests.
      • Businesses must confirm receipt of a consumer Request to Know or Delete within 10 business days;
      • Businesses must comply with a consumer’s Request to Opt-Out within 15 business days;
      • Businesses may deny a consumer’s Request to Know or Delete if the request cannot be verified within 45 days.
    • Privacy policies should be updated to include new CCPA privacy rights.
  4. Companies should assess their current security controls and review security policies and procedures to ensure the CCPA data they store is protected against unauthorized access and potential data compromise.

How do I make sure my business is CCPA compliant?

Companies should consider engaging a third-party assessor to review their policies and procedures and perform an assessment against the security controls in place. This will help to determine if the company has policies and procedures that comply with the CCPA and has implemented appropriate security measures to protect consumer personal information they store and/or transmit.

How can MegaplanIT help your organization?

  • MegaplanIT can help your organization understand the components of the CCPA Privacy Act and assist in determining the scope of your assessment.
  • We will perform a compliance readiness assessment against the CCPA requirements through a comprehensive collection of documentation and samples.
  • We provide an inclusive summary of the identified gaps found during the readiness assessment, in addition to providing guidance to help your company remediate the gaps under the CCPA Privacy Act.
  • We can assist your organization in developing an action plan to address any identified gaps. This plan will include recommendations on specific technical and process improvements that your organization can implement to comply with the CCPA Privacy Act.

Looking for a knowledgeable partner for your cybersecurity and compliance efforts? We're Here To Help!

We look forward to talking to you about your upcoming Security Test, Compliance Assessment, and Managed Security Services priorities. Our expert security consultants and QSAs are fully certified and have decades of experience helping businesses like yours stay safe from cyber threats. Set up a time to chat with us about your biggest payment security and compliance challenges so we can partner with you to solve them!
