CCPA Is in Effect: How Do Small Businesses Comply?

The California Consumer Privacy Act (CCPA) went into effect on January 1, 2020 and has wide-reaching implications for businesses in California. If you are a small business in California with up to 25 employees, you are most likely investigating “CCPA for small business” to find out how this law affects you and what you need to do about it. To help you understand how the CCPA impacts your business, here are answers to some common questions.

Is My Business Impacted?

First, it’s important to note that not every California business is subject to the CCPA. It applies to companies that meet the following criteria.
  • You have an annual gross revenue of over $25 million
  • You receive, buy, sell or share the personal information of at least 50,000 consumers in California
  • You derive at least half of your revenue from selling the information of state residents
Even if your business does not meet these criteria, all businesses have an opportunity to align with the CCPA requirements in order to be prepared, safe and ethical. At the least, small businesses should have a Privacy Policy in place and the ability to provide or delete the personal information of a particular user upon request.

Where Does My Small Business Start?

As a small business that meets the criteria above, if you are not yet compliant, don’t panic. There is a 6 month grace period from January 1, during which mistakes can go unpunished. So there is still time before you need to be truly compliant. These are the top three actions to take right now.


Understand the scope of the law

It’s vital to understand the vague definition of “personal information”, which is defined as any info which “identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” Personal information can include email addresses, social security numbers, driver’s license numbers, employment information, geolocation, biometric and commercial information, internet activity, audio/video information, or education information not available to the public.


Train your employees, even if you only have a few

The CCPA requires employees who field customer requests about data privacy practices (including deleting personal information and opting out of sharing personal information) and employees who are responsible for the company’s compliance to undergo instruction to understand the law. Generally, this will require employee training—for customer service reps and anybody who handles legal compliance.


Understand the penalties

The penalties for not being CCPA compliant can be as high as $7,500 per intentional violation and $2,500 for unintentional violations which are enforced by the California attorney general. Consumers also have the right to pursue their own individual action against non-compliant businesses, and can sue the company if a data breach occurs due to carelessness.

How Do We Stay in Compliance?

Here are the most pressing details that need to be squared away ASAP if you are a small business owner who meets the criteria of the CCPA.


Outline the following answers for your business

  • What personal information do you collect?
  • How do you acquire said data?
  • Where and how do you keep it?
  • Do you share it with other entities?
  • Is the shared data part of a provision of service, sales or another purpose?


Create a “do not sell my information” page

The CCPA also calls for businesses to to easily capture requests from consumers about their personal information. The link to this page must be accessible from your website’s homepage, and it must be “clear and conspicuous,” titled “Do Not Sell My Information.” The page must allow consumers to opt-out of having their personal info sold to third parties. Here is a great example from Pandora, an Oakland, CA based company.


Develop a process for fielding consumer requests

Businesses must also be ready to quickly and easily field consumer requests about their personal information that are allowed under the CCPA. These requests must be processed free of charge and within 45 days. Some examples of requests include:
  • a copy of their personal information
  • for their personal information be deleted
  • giving consent from a guardian to sell personal information for a consumer under the age of 13


Update your privacy policy

The CCPA gives consumers the right to know what personal information is being gathered about them. In order to comply with that, businesses must provide a disclosure “at or before the point of collection.” It must “inform consumers as to the categories of personal information to be collected and the purposes for which the categories of personal information shall be used.”


Strengthen data security

Relevant entities need to review and update their data security and actively monitor their data security defenses to ensure that consumer data is not easily stolen, as they can seek damages for data breaches covered under the CCPA.