California Consumer Privacy Act

The goal of the California Consumer Privacy Act (CCPA) is to enhance privacy rights and consumer protection for residents of California.

It was inspired by the European General Data Protection Regulation (GDPR), which took effect in 2018. The CCPA takes effect on January 1, 2020, but it reaches back one year: a consumer's request to know covers personal information the business collected in the 12 months preceding the request, so data collected from January 1, 2019 onward is in scope.

Data inventory and mapping of in-scope personal data and instances of “selling” data.

CCPA defines personal information as information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household, such as a real name, alias, postal address, unique personal identifier, online identifier, Internet Protocol address, email address, account name, social security number, driver's license number, passport number, or other similar identifiers.
The definition also incorporates California's existing statutory definition of personal information (Civil Code section 1798.80): information that identifies, relates to, describes, or is capable of being associated with a particular individual, including, but not limited to, his or her name, signature, Social Security number, physical characteristics or description, address, telephone number, passport number, driver's license or state identification card number, insurance policy number, education, employment, employment history, bank account number, credit card number, debit card number, or any other financial information, medical information, or health insurance information.

Individual rights to data access and erasure

The key is to document how consumers submit requests to the business, how the business verifies that a request is genuine and that it has been fulfilled, and the process as a whole, so that the organization can demonstrate that its internal procedures are being followed.
Implement templates for customer service communications using approved language.

Conduct periodic audits and reviews to ensure policies are followed.

Logs that track each consumer request from receipt to completion, along with retained copies of the responses sent, are also valuable evidence of compliance.

Individual rights to opt-out of data selling

At a minimum, an organization must give consumers notice that their personal information is being sold, including a clearly visible "Do Not Sell My Personal Information" link.
Implement processes to respond to and honor requests to opt out of such sales.
Maintain an audit trail that demonstrates legal compliance.


Updating contracts and service-level agreements with third-party data processors, fulfillment centers and marketing companies

One of the most difficult parts of compliance is identifying every vendor or third party that receives personal information.
Once identified, the business is obligated to make those vendors and third parties aware of ongoing consumer requests (for example, a deletion request must be passed on to service providers holding the data) and to verify that these requests are completed in a timely manner.

Remediation of information security gaps and system vulnerabilities including strict notification requirements

CCPA does not directly impose data security requirements. However, it gives consumers a private right of action when their nonencrypted and nonredacted personal information is subject to unauthorized access, theft, or disclosure as a result of the business's failure to meet its duty to implement and maintain reasonable security procedures and practices.

Are there penalties involved with CCPA Compliance?

For businesses (civil penalties enforced by the state):

  • $2,500 per unintentional violation
  • $7,500 per intentional violation

For theft, unauthorized access or disclosure of personal information (consumer lawsuits):
  • Statutory damages range from $100 to $750 per consumer per incident, or actual damages, whichever is greater
  • Statutory damages are available without proof of actual loss

Dark Rhino Advisory Services can help!


  • 2-, 3-, 4-, 6- or 8-week evaluations are available (scoped to organization size and geographic reach)
  • Rapid ramp up of a CCPA plan
  • Evaluation of an organization’s existing efforts
  • Right team, right time, right tools