Editorial January 20th, 2020

CCPA Compliance

When the European Union ratified its General Data Protection Regulation (GDPR) standards in 2016, it sent a shockwave through much of the world. Any business that handled the data of an EU resident would have to comply by the time the law went into effect two years later. But it also created an expectation that GDPR would inspire similar privacy legislation in other parts of the world.

The EU laid the groundwork for general privacy laws designed to protect an entire population group. And now California has followed suit, using many of the ideas and concepts in the GDPR to create the California Consumer Privacy Act (CCPA).

The legislation was ratified in 2019, and it went into effect on January 1, 2020. Enforcement won’t begin until later in the year, though.

California is the first state to put this kind of privacy legislation in place, and it may set a precedent for state or even federal laws in future years.

More details on this process will follow later in the guide, but the rapid move to put the CCPA in place highlights a key issue to keep in mind: This legislation was developed with a sense of urgency.

What does the CCPA do?

Fundamentally, the CCPA is designed to ensure that consumers have visibility into and control over the ways businesses share and use their data.

Think about what typically happens when you go online. You use a search engine to find something you’re interested in. The search engine company then shares that data with advertising software.

You’re also tracked as you shop online, visit media sites, and otherwise interact with brands and content. Companies share this data with each other using apps and services that aggregate this information.

From there, businesses use the information for targeted advertising. This is why, if you browse cars online one day, you’ll likely see ads for cars the next day.

This is just one example of how businesses leverage data about user behavior to create value for themselves. There’s an entire economy made up of businesses collecting and monetizing user data. Most organizations argue that they’re trying to offer better, more personalized experiences to users.

The problem with all of this is that many consumers don’t know when their data is being collected, who is gathering it, or how it will be used. This lack of transparency makes consumers vulnerable to potential manipulation or even exploitation if unscrupulous organizations gather their data.

The CCPA legislation is designed to prevent this by mandating that organizations collecting a certain amount of consumer data tell their users about their data-collection practices. This includes informing them about how the information is used and giving them the chance to opt out of sharing their data.

That transparency and the opportunity to make a choice are essential parts of CCPA compliance. Check out the rest of the guide for more details about how the law works so you can ensure your business is compliant.

What exactly is the CCPA?

If you want all of the specifics, you can check out the CCPA text. But if you’d rather avoid poring over detailed legislation, unpacking legal terminology, and making sense of the regulations for yourself, here’s a look at what the act covers.

What is the CCPA?

At its core, the CCPA is a privacy regulation. This is a key point to keep in mind, as regulatory issues often require technology changes. While this is the case for the CCPA — businesses will need to update their data handling practices and solve a variety of infrastructure issues to comply — the act primarily addresses consumer privacy and choice.

Because of this focus on privacy, you aren’t going to find much in the way of guidance on how to comply within the law itself. There aren’t rules about the type of infrastructure needed or similar guidelines that set a technical baseline. Instead, the law focuses on four rights for consumers in California. A CCPA Fact Sheet from the state’s government highlights these rights:

Right to know

The CCPA declares that consumers have the “right to know what personal information is collected, used, shared or sold.” The act mandates that businesses provide visibility into both the broad categories of information they gather (e.g., collecting web browsing data to recommend products) and the specific personal information they collect.

Right to delete

Under the new act, consumers have the right to delete their personal information held by businesses and service providers. This doesn’t mean consumers can access business systems; instead, they can request that a business delete their data, and the business must comply.

Right to opt out

If consumers don’t want their data to be sold, the CCPA gives them the right to opt out of that practice by asking a business to stop selling their personal information. What’s more, businesses must get opt-in consent for children 16 and under. A parent or guardian must give consent for those who are 13 or younger.

Right to nondiscrimination

The CCPA explicitly prohibits businesses from any form of discrimination relative to a consumer exercising their privacy rights.

These are the fundamental elements of the CCPA that you’ll need to think about. The implications are far-reaching.

What does the CCPA mean for businesses?

Some context is necessary before we go into more detail about why the CCPA exists and what it’s trying to achieve. Here’s what the CCPA means in a nutshell:

Qualifying businesses (we get into qualification details in this chapter) must inform consumers that they collect users’ personal information, educate those individuals about what the data is used for, give consumers the ability to opt out, and, upon request, delete information that the organization holds.

In theory, it’s simple. In practice, things are going to get complicated. In fact, the state’s CCPA Fact Sheet estimates that compliance costs will add up to between $467 million and $16.454 million from 2020 through 2030.

Because of the impending cost and complexity of CCPA compliance programs, it’s worth looking into why this kind of legislation is increasingly necessary in today’s digital economy.

The CCPA’s emergence

The CCPA’s origins in the GDPR

The CCPA’s origins, in many ways, go back to the GDPR standards in Europe. The GDPR is a set of privacy laws dictating how businesses handle the data of European Union residents. It covers everything from transparency in sharing information with third parties to putting adequate protections in place to keep the information secure.

But the content of the GDPR — regardless of how important it may be — isn’t the revolutionary part.

The law sets a precedent for consumer privacy, but the most transformative precedent may be that the GDPR doesn’t just apply to businesses operating in the EU. Instead, the law mandates that any business gathering any personal information about an EU resident must comply. This means that a major government entity is legally demanding groups outside its primary jurisdiction comply or face consequences.

This set off an immediate chain reaction in the privacy space. If businesses outside of the EU have to comply with GDPR, then why shouldn’t other privacy-concerned governments put similar laws into place?

The CCPA is, on some level, a reaction to this development. Of course, California isn’t establishing the new privacy law simply because GDPR shows that it’s possible. The state government has a reputation for being progressive on digital issues, perhaps in response to the state’s role as a leader in digital innovation.

The CCPA is emerging in part because there’s now precedent for this sort of act, but also because the scale of the digital data-sharing economy has become so large that some sort of reaction is widely deemed necessary to protect consumers.

Why the CCPA is necessary and what it aims to achieve

Sharing data has become a critical source of income for many businesses. From marketing teams that purchase data to target potential customers in more personalized ways to lenders gathering consumer data to better understand the risk of lending to an individual, the applications are nearly limitless.

This data-sharing economy is growing quickly, and it can leave consumers uncertain as to where their data goes when a business collects it.

For example, data-driven marketing is a common practice. It involves analyzing large quantities of consumer data to inform marketing decision-making. This can mean anything from identifying big-picture trends across demographic groups to providing highly personalized content to specific users when they visit a website.

A landmark 2015 study from Data Marketing & Analytics, an organization that studies the data-driven marketing sector and advocates for best practices, found that this segment was responsible for $202 billion in revenue in the U.S. economy. It’s also behind 996,000 jobs — with more than 128,478 of those positions located in California in 2014.

The data-sharing economy has only grown since then, and those figures point to just one segment where data sharing occurs. The practice is common in a wide array of sectors. With so much revenue on the table, it’s no wonder that businesses want access to this data. Consider what can happen to a single piece of consumer data:

  • You buy a new winter jacket online.
  • Your credit card provider gets details about that transaction, and so does the online store where you purchased it.
  • That store begins to advertise related items — gloves, hats, scarves, and the like — when you visit their site. It may even send you an email with promotional deals or recommendations based on your previous purchase.
  • Meanwhile, a data aggregator purchases that transaction data from your credit card provider and gathers key metadata — your age, gender, etc.
  • By purchasing data from other stores you interact with and analyzing other transactions, that aggregator creates a profile specific to you. They also use your data to analyze trends for people who are considered similar to you — perhaps they are the same gender, are approximately the same age, have a similar income, etc. — and they use that information to create demographic profiles.
  • The data aggregator performing this analysis creates databases that are personal and demographic specific, and sells access to marketers, financial institutions, and even political parties.
  • Those groups use that information to influence your behaviors. For example, a political party may identify you as somebody who is likely to have flexible views on an issue and therefore point specific messaging in your direction to influence your vote.

Throughout this process, many parties are buying and selling your data. The practices themselves are not inherently predatory. They certainly can be, but many of these parties are simply vying for your attention, not necessarily trying to manipulate you.

Regulations like the CCPA are not meant as an indictment of data sharing between businesses. Instead, what the CCPA addresses is the fundamental problem that most of this activity happens without consumers’ knowledge.

The CCPA and similar regulations are considered necessary not so much to curb the data-sharing economy but to give consumers insight into the specifics of how their data is used and allow them to choose how they’ll participate in the practice. That choice is at the center of the CCPA.

How the CCPA came to be

The CCPA was initially signed in June 2018, marking the beginning of what is typically a long and complex process.

Major regulatory laws like this usually go through a few years of back and forth between legislative bodies and industry stakeholders. During this period of discussion, individuals in the affected sectors highlight potential problems presented by the legislation, while both the government and private sector analyze the implications of the law and make amendments based on what they learned.

Regulatory laws will usually go through a few versions as changes are made before the law actually goes into effect. Once the law is active, organizations impacted by the guidelines are typically given a period of time — often a year or multiple years, depending on the scale of change — to adjust to the new standards.

For example, HIPAA and HITECH — prominent healthcare industry regulations that protect patient information — went into effect gradually over many years, and the deadlines for meeting specific regulatory benchmarks occurred at different times.

The CCPA has been an exception to this relatively slow and measured process. There was a comparatively short period for discussion in late 2018 and much of 2019, but the state resisted efforts to ease the laws contained within the CCPA.

While many businesses were concerned about the costs and challenges of implementing the CCPA — and potentially worried about losing value from sharing data freely — the state held firm to the scope of the legislation. And it set January 1, 2020 as the go-live date for the law. Enforcement is expected to begin in July 2020.

This represents a rapid, highly accelerated move to not only get the law in place but to begin enforcing it. The rush is expected to lead to a great deal of disruption for companies scrambling to comply.

To further complicate matters, there’s plenty of uncertainty around how different parts of the law will be interpreted and applied. Some of these issues will be ironed out in the months leading up to the enforcement date, while others will be addressed in court cases involving compliance breaches.

The entire process surrounding the CCPA regulations has been unconventional, with a clear sense of urgency to get the rules into place to protect consumers. This means that businesses need to not only move quickly to start preparing for compliance but also continue paying attention to the headlines about the CCPA to stay up to date on changes.

The coming months won’t be easy as businesses and lawmakers work to adapt, but California believes that protecting consumers’ personal information is worth it. After completing a Standardized Regulatory Impact Assessment, the state estimated that the CCPA guidelines will end up safeguarding approximately $12 billion worth of personal data used for advertising.

The scale of the CCPA is huge, and its rapid adoption can put your business in a difficult place. If you’re not based in California, that doesn’t mean you can tune out. The regulations apply to qualifying businesses handling the data of consumers located in California.

They also set a precedent for U.S.-based privacy law that could end up being a model for other states and possibly the federal government. It’s important to watch the CCPA closely to determine if it applies to your business. With that context top of mind, let’s dive into some CCPA specifics.

What does the CCPA protect?

The four fundamental rights of the CCPA — the right to know, the right to delete, the right to opt out, and the right to nondiscrimination — are the core of the legislation. The act is designed to protect consumer choice.

Beyond choice: Detailed CCPA protections

While choice is the fundamental element of the CCPA’s provisions, the decision to protect the consumer’s right to opt in or out of data sharing results in a variety of more subtle protections. The specifics may vary because how the protections are applied will depend on how the act is interpreted.

Here’s a closer look at some of the specific protections offered by the CCPA.

Protection from data surveillance by business

Tracking a consumer’s activities and collecting that data is a form of surveillance. Regardless of intent, it gives a business a way of tracking what a consumer does and using that information.

The CCPA provides protection against this form of data surveillance by mandating that businesses offer notice of data collection before it’s performed. This notice must be “visible or accessible where consumers will see it before any personal information is collected,” according to the privacy law.

Protection from data misuse

The legislation dictates that businesses must clearly communicate how they use data and disclose that at the point of collection.

For example, many digital personal assistants — think Amazon’s Alexa — capture your voice requests. Human workers (not AI machines) then analyze those requests and how the digital assistant interpreted them to troubleshoot problems and improve the AI software. That kind of data collection will need to be communicated.

Likewise, if the person reviewing that data identifies an alternative use for that information and wants to use it differently, they would have to alert you to that change. The CCPA will protect consumers from having that information misused in any way by giving them a degree of control.

Protection from unknown data sale

Imagine you opt into data collection knowing that your information will be sold to a marketer. You don’t mind personalized ads and sometimes even find them helpful. But then a marketer who didn’t collect your data sells it to somebody else. You’ve now lost control of your personal information and, theoretically, could be vulnerable to its misuse.

CCPA regulations include provisions against such practices, requiring businesses that sell, but don’t directly collect consumer data, to alert individuals before their information is sold and allow them to opt out.

Protection from manipulation

We’ve all seen it happen. A business gets into the data-sharing economy and finds that the data it sells to a third party is used in a negative way. This can be destructive to consumers and businesses alike.

The forced transparency created by the CCPA — companies must organize and document their data flows, and communicate with consumers when data is shared — provides a safeguard against manipulation by ensuring all parties have a clear idea of how consumer information is being used.

Visibility leads to privacy in the CCPA

There are other nuanced protections we could get into, but the major areas of security and data privacy we’ve discussed highlight how the legislation functions. It’s designed to provide visibility to consumers, promoting privacy and protecting all parties from the adverse elements of the data-sharing economy.

Which companies are affected by the CCPA?

The CCPA standards don’t apply to every business. By design, the legislation is meant for larger companies because any sort of issues these organizations have with consumer privacy would be far-reaching.

An organization will be expected to comply with CCPA regulations if it meets one of the following conditions:

  • Has gross annual revenues of more than $25 million
  • Is involved in the purchase, receipt, or selling of personal information of 50,000 or more consumers, households, or devices
  • Gets half of its revenue, or more, from selling consumers’ personal data

If any one of these is true, the organization has to comply with the CCPA. On top of this, any business that handles the data of 4 million or more consumers will face stricter reporting requirements to ensure compliance.

Research performed by the California state government found that businesses in a wide range of sectors will be impacted by these new standards, as they are both far-reaching and broad enough to apply to companies in disparate industries. In total, current estimates predict that between 15,000 and 400,000 businesses will be affected by the CCPA.

CCPA enforcement

The American Bar Association provides a thorough rundown of some of the practical legal implications of the emerging CCPA standards, and it highlights how enforcement will work. There are two primary ways that businesses may face punishment for noncompliance:

  1. The state Attorney General could pursue legal action against a business found in noncompliance. In cases of this sort, civil penalties of up to $7,500 per violation could be collected. That means that if your business is found to have violated the CCPA for 100 consumer opt-out requests, your costs could be $750,000. Those expenses can escalate quickly if your internal reporting, data management, and compliance systems lead to a large number of violations.
  2. If an individual’s data isn’t handled or secured properly, under specific circumstances they can take limited legal action against businesses subject to the CCPA laws. In this case, damages collected can be for between $100 and $750 per incident. However, consumers pursuing such penalties must provide opportunities for the business to remedy the situation.

These methods of enforcement come into action in the event that a breach occurs. California will monitor businesses to make sure they comply with the law. Here’s what that will look like.

CCPA reporting

When your organization receives a CCPA-related request, you’ll have a certain amount of time to respond and take action. The specifics can vary depending on whether the matter is an opt-out, deletion, or opt-in request. (We’ll get into those details in the next chapter.) But part of the process is documenting that you’ve informed consumers you’re collecting their data and that you respond to all requests in a timely fashion.

This data must be maintained for 24 months. Every CCPA-related request from each consumer must be on record. Organizations handling information for more than 4 million consumers must also document the total number of requests they receive, of any type, and detail key metrics about how they comply with those requests.

This self-auditing process creates a framework for enforcement by requiring businesses to maintain compliance data in the event that a breach is recognized.

How noncompliance could play out

Legal enforcement for regulations like the CCPA is complicated and highly variable until precedent has been set in court. It can be difficult to get a clear idea of what it will look like, making it challenging for businesses to adjust. Here’s a quick look at some hypothetical examples of how CCPA breaches could play out based on the way the legislation is designed:

Failure to notify

Imagine that your business built a mobile app a few years ago. It didn’t get great usage and, while some customers like it and you keep it running, you don’t support it much because your website is now optimized for mobile and most users go there.

To prepare for CCPA compliance, you put the necessary notification on your website, telling consumers how you collect their data and what you use it for. You also give them a chance to opt out. You put a similar link in your mobile app.

There’s just one problem: A small feature in your mobile app passively collects user location data for a specific app capability that isn’t replicated on your website. You forgot to include this notification in the app because you used the same link you used for the web.

At this point, your business would be in noncompliance for failure to notify consumers that you’re collecting that location data. You also haven’t explicitly told them how you use that information or set up systems so they can opt out of the program.

This is a tiny detail, but it shows just how complex CCPA compliance is. You need to understand every use of consumer data in your business and make sure you cover communication as appropriate to ensure compliance.

Failure to delete

Deleting data is complicated in today’s cloud-driven world. How many apps do your teams use to interact with customers? Chances are, you have a blend of solutions in place that each handle different types of information, often integrating with one another to share data.

This means you have consumer data that is technically yours and under your control, but spread between multiple internal and third-party environments. In many cases, that data will exist in multiple formats — such as if a user downloaded a report and has data available offline for a key app.

If a consumer makes a deletion request, and you handle just about everything perfectly, you can still easily end up with a CCPA breach. If you work with service providers and delete that consumer’s data but don’t know about offline copies of the information, forget about an app that contains affected data, or neglect to delete a file stored in a niche environment, that’s a CCPA breach.

The complexity of today’s data ecosystems makes this type of compliance difficult on a technical level. Businesses need to work with service providers that build compliance into their solutions to make life easier.

Failure to report

This type of noncompliance can be particularly frustrating. Imagine you worked incredibly hard to get all of your systems up to the new standards before the go-live date. You get the visibility you need into your data workflows, you have all the consumer-facing content in place, and you’re keeping up with the requests from customers. Then the holidays come around, and you bring on a seasonal administrator to provide support.

At this point, your CCPA practices are strong, and you provide some basic training on compliance. However, that worker misses a key detail and doesn’t properly log request completions. You get to the end of the year, and you have a blind spot in your reports relating to the regulatory standard: During the month or so the temp worker was on staff, you can’t prove that you complied.

If you’re lucky, you can go back and track down each customer request and create the proper log. But if any kind of mistake was made and you can’t self-audit effectively, you could be left unable to properly report on your compliance and find yourself with a CCPA breach.

This kind of issue is often best dealt with through automation so you don’t rely on manual documentation. But regardless of how you solve the issue, training employees who handle consumer data on your internal practices surrounding CCPA compliance is critical to avoiding breaches.

Preparing for the impact of the CCPA

These examples of breaches aren’t meant as a scare tactic. However, if CCPA laws apply to your business, you need to be ready. This is a uniquely strict data privacy standard that’s being put into place on a much faster timeline than the already established GDPR standards. The American Bar Association report we mentioned earlier went so far as to call the regulations “aggressive” in tone.

The CCPA isn’t isolated. It covers all California residents, and the state government is aware that it presents economic challenges. Consumer protection is the priority, and as the need for data privacy legislation exists across the country, many experts expect the CCPA to be a pilot for other initiatives as state and federal entities watch what happens in California to see if they want to take similar action.

What are the basic CCPA requirements?

We’ve highlighted what the CCPA is all about, but we haven’t gone very deeply into what it actually asks businesses to do. CCPA requirements are fairly demanding, and you may want to bring in an expert to help cover all of the details you’ll need to deal with. To get you started, here’s a look at the major requirements for businesses.

Primary CCPA requirements 

The major demands within the CCPA legislation fall into a few categories. Think of this as an entry-level CCPA compliance checklist:

Meeting “right to know”

Complying with the right to know standard is all about providing transparency for consumers. You’ll need to let consumers know

  • When you collect their data
  • What data (both types and specific information) you collect
  • How you use that data, including if you sell it

To properly notify consumers according to the rules of the CCPA standard, you’ll need to

  • Provide relevant notifications on your website, mobile apps, and paper documents that are used to gather consumer data. You can create a central repository for that information and link to it (providing a link on printed documents that is easy to read and type) so consumers can get the details they need
  • Ensure the notifications are accessible to individuals with disabilities
  • Make all notifications readily visible before the data is collected
  • Include a “Do Not Sell My Info” or “Do Not Sell My Information” link when you notify consumers that their data may be sold

Meeting “right to opt out”

Supporting the CCPA’s regulations for consumers’ right to opt out of the data-sharing economy is a bit simpler. To comply, you must

  • Provide appropriate opt-out language — like the links we just mentioned — in instances when you collect or sell data. The state is creating an opt-out button and logo that can be used online to link to official consumer privacy rules.
  • Include the opt-out opportunity in both online and offline communications
  • Document requests to opt out and maintain those records

Meeting “right to know” (again) and “right to delete”

Things can get complicated on the technical side with these elements of the CCPA. Collecting large amounts of consumer data across systems is challenging, and that’s what you’ll need to do whether you’re trying to inform consumers about what information you have or working to delete everything appropriately.

If a consumer submits a request to delete, there’s a clear workflow. First, you have to verify the person’s identity. If this will take significant time and impact your ability to grant or deny the request, then you must notify the consumer that you received their submission and are going through the verification process. From there, you’ll need to tell them what that process entails.

If you can grant or deny the request quickly because verification is easy, you must respond to the request within 45 days from when it was received. This applies to “requests to know” as well and can be extended with proper notice and explanation.

When responding to a request to delete, once the individual’s identity is verified, businesses must comply by

  • Permanently erasing the individual’s data on existing systems (backup and archived data can be retained for a short time), de-identifying the information, or aggregating it
  • Notifying consumers that data has been backed up or archived and will be deleted the next time those systems are accessed
  • Maintaining records of the request and the action taken in response to it

There’s a similar workflow for right to know requests but in reverse. Basically, if a person requests their information, a business must verify the individual’s identity and, unless disclosing the information creates a clear security risk, disclose that data. There are a few exceptions, including any government-issued identification number, financial account number, account password, or similar sensitive information.

Meeting verification requirements

The importance of verifying a user’s identity lurks beneath the surface in all of these regulatory demands. The CCPA sets forth strict guidelines and steps businesses must take to ensure that the person who is requesting to opt out, obtain data, or have information deleted is who they claim to be.

The implications of identity fraud are clear. It’s the kind of issue that highlights just how complicated these types of data privacy standards can be, and is often best handled by services certified for compliance or through internal processes configured with the help of legal and technical experts. The high costs of compliance estimated by the state aren’t an exaggeration.

Regulatory complexity in a nutshell

While many aspects of the new CCPA standards are somewhat unique, they retain one common thread that’s similar to most data privacy standards: They tell you the results you need to get, not what you need to do to get there. There may be some clerical guidance on how to communicate with customers and the like, but figuring out how to map your data workflows to know exactly how you use and sell every piece of data you collect is entirely up to you.

This results in a situation that is highly unpredictable — one solution can be vastly different from another, while both are valid — and difficult for businesses to navigate on their own. As such, it’s often best to get some help with compliance. Some things to consider include

  • Looking for vendors that have completed some form of CCPA certification to ensure you don’t have to manage compliance for all of the apps and services you use. While the state doesn’t have a formal certification, vendors will often complete some sort of self-certification to demonstrate the work they’ve done. This can give you visibility into how solution providers can help you handle compliance.
  • Training opportunities that cover the CCPA and how it applies to businesses. Online courses are already emerging to help individuals unpack the nuances of the regulations. As they continue to evolve, more resources will likely become available to help business leaders adapt.
  • Adding staff or bringing on consultants who can help you navigate the situation. Getting started with compliance is often a huge hurdle. Once everything is in place, it can be much easier to maintain best practices. Getting help at the start can make life easier down the line.

Complying with data privacy regulations is expensive, complex, and often overwhelming. But it’s easier with help. Whether you get that from prebuilt solutions that do much of the work for you or by adding to your staff, there are options to help you meet CCPA requirements.

How to be CCPA compliant

This section isn’t about the rules you need to follow. It’s about real steps you can take to better position your business to keep up with the demands of a complex regulatory system like the CCPA. You’ll likely need to work with a lawyer or similar expert to really dive into how those laws impact your specific organization.

Instead of getting bogged down in the law, we’re going to focus on best practices you can enact that will make it easier to adjust to the regulations as they stand now, and as they change over time.

Automate when possible

Today’s software can automate everything from process documentation to data collection — such as JotForm’s custom forms and survey tools that gather data and automatically send it to the proper destination based on your settings. When you’re dealing with complex regulatory requirements, it’s often easiest to find solutions that align with your needs, create compliant workflows, and automate the clerical tasks that the regulation covers.

Of course, automation is great for eliminating human error, but that’s not all it does well. As you probably discovered when we talked about reporting and enforcement, CCPA laws are going to require you to deal with all kinds of documentation. If you automatically collect that data and use tools that create reports for you, you’ll save hours and even days of labor, and improve your ability to maintain compliance.

Work to exceed minimums

Regulations like the CCPA are, at their core, guidelines for the bare minimum you need to do to live up to the standards and the expectations they set forth. If your target is always the least you have to do, then you’ll have a breach the moment you fall short. If you set up your processes to exceed the base requirements, then you’ll have some margin for error.

For example, when the CCPA says you should respond to requests to delete personal information within 45 days, you can design your processes and technical capabilities to handle the process in 30 days. It may be a bit more expensive or time-consuming to put the work in at first, but over time, it’ll give you the freedom to handle compliance with greater ease.

Focus on best practices from the start

It’s quite common that a regulatory law may not apply to your business at the moment but will apply in the future. As these types of privacy rules expand, they could start affecting smaller businesses. What’s more, as your company grows, it may reach a point where it needs to comply. Tacking new capabilities onto what you’re already doing is almost always more difficult than starting out with those capabilities.

Even if you don’t need to comply with the CCPA right now, consider getting started. You can do this by choosing apps that are in line with the standards; tracking how you collect, manage, and sell data; and taking similar steps to begin your compliance journey so you’re ready if the regulations apply to you at any point.

Take responsibility for your tech

Through a blend of marketing hype and techno-misinformation, many businesses believe that using cloud solutions means they don’t have to worry about data privacy and protection.

It’s true that a good third-party provider makes things like complying with the CCPA much easier. However, most regulatory laws stipulate that businesses are responsible for the data they handle, even if they only pass that information on to a third party. That means you should

  • Evaluate vendors for compliance with regulatory standards. Don’t take marketing language at face value. Ask questions about how they comply and, when possible, get the solution provider to demonstrate how their systems work
  • Use your service-level agreement to build in some degree of protections for vendor error so you don’t have to pay a fine if a service provider makes a mistake
  • Understand how data moves between your systems so you know when you’re solely responsible for data and when it’s controlled by your vendors

In the end, your solution providers can do a lot of the work for you, but they can’t be responsible for your customers’ data. Most regulatory laws consider the business as the entity with ultimate responsibility, not the service provider. Understand what you can do to safeguard data, what your vendors’ limitations are, and how you can ensure compliance.

Get ahead of compliance

There typically isn’t a great reason to be surprised by regulatory requirements. Most develop over the course of years, giving businesses lots of time to comply. The CCPA laws are a bit different in how quickly they’re coming into play, but there’s still time to get moving instead of trying to rush in at the last minute.

The old adage “haste equals waste” comes into play here. Getting started on compliance now can buy you time to find the best solution, not just a workable option.

If you’re unsure where to start with the CCPA, one option is to look at what businesses have done to comply with the GDPR, as the laws are fairly similar. As you consider that, here’s a look at how the CCPA and GDPR differ.

How does the CCPA differ from the GDPR?

The CCPA has been compared to the GDPR ever since the new regulation was announced. California’s privacy law is a clear response to GDPR and includes a wide range of measures that are similar in intent and business requirements to the GDPR. However, there are a few key distinctions that you should keep in mind.

Data mapping

Both regulatory standards expect businesses to fully understand how they manage and store consumer data. This means not only knowing where data ends up but how it gets there. Tracking information throughout its life cycle is only possible if businesses map their data flows and develop a complete understanding of the ways information moves throughout their organization.

Under the GDPR, this means that businesses need to complete a full inventory of their data and map data flows throughout the organization. This must be done both to support compliant operations and to handle reporting. However, the CCPA actually demands deeper data mapping.

If your business is already mapping your data workflows to support compliance with the GDPR, you may need to take a fresh look at those processes and ensure they meet all of the demands of the CCPA.

For example, if you stop tracking data when it’s sold to a third party because privacy isn’t your responsibility anymore, you may be compliant with the GDPR but not the CCPA. The CCPA isn’t purely about protecting consumer information, and the need to communicate the sale of data means you have to map your workflows across every facet of the data-sharing economy.

Request responses

The formalized processes for responding to individual requests for personal information or to requests to have such data deleted are so similar between the two standards that you can use many, if not all, of the systems for GDPR to handle the CCPA.

The only distinction is that there might be a slight difference in what’s considered personal information. Otherwise, the response processes are the same.

Privacy policies

Both the GDPR and the CCPA require brands to create formal, comprehensive privacy policies that describe how users’ information is used. You may need to update existing privacy policies if they’re built to comply with other California privacy laws, but the demands of the GDPR and the CCPA aren’t too different in this case.

Service provider contracts

Like the GDPR, the CCPA requires businesses to establish contracts with service providers to handle compliance issues. However, the demands of the CCPA are different enough in this case that the state recommends organizations carefully review the contracts and revise them to reflect the CCPA’s guidelines.

The GDPR as a starting point

At the end of the day, if your business has already worked to comply with the GDPR, then you’ve already done some of the work to comply with the CCPA. You can focus on the legal distinctions — we cannot overstate the importance of bringing in a compliance specialist — and adjust from there.

For further information on how those two differ, check out our CCPA vs GDPR comparison article.

How major companies prepared for the CCPA

Industry leaders in the tech sector can provide great models for adapting to regulatory standards. In many cases, these businesses are large enough that they must comply with the regulations while also providing their customers with solutions to compliance problems.

That’s the case with the four companies we’re about to put under a spotlight. Each has moved quickly to become CCPA compliant while creating tools designed to help other businesses adapt to the regulatory framework.


As one of the biggest tech giants out there, Microsoft was sure to be hit hard by the CCPA standards. It handles so much consumer data that the privacy demands were staggering. However, Microsoft responded positively to the regulations.

CPO Magazine reported that the tech leader has embraced the privacy ideals behind standards like the CCPA and GDPR. The result has been that Microsoft is among the leaders in compliance.

Microsoft has gone so far as to become an advocate for privacy laws similar to the CCPA and is already calling for similar regulations to emerge in other states and even from the federal government.

To further support the CCPA, Microsoft is working to make its services fully compliant. The brand is well aware that the many businesses that use its services, such as Office 365, will depend on its ability to comply with the regulations. As a result, Microsoft has updated the terms of its service policies and established capabilities that support full compliance.

In many ways, Microsoft’s rapid journey to enact compliance with the CCPA is a reflection of its embrace of the GDPR. Because the tech giant has worked to differentiate itself as a privacy-focused solution provider, it has emphasized compliance across its solutions. With the GDPR serving as the inspiration for the CCPA, Microsoft’s efforts to respond to the European regulations have made it easier to deal with the legislative changes happening in California.


The IAB (Interactive Advertising Bureau) is an influential leader in the media and marketing industries. The organization is made up of member organizations from those sectors, including more than 650 businesses. The IAB works to provide guidance, advocacy, and professional development for the digital media and marketing sectors, including developing formal technical standards and best practices.

CCPA compliance is a big deal for the IAB. As an influencer and, in many ways, educator for the sector, the IAB can establish models for how media and marketing companies can adapt to regulatory standards while maintaining their business goals.

And that’s exactly what the IAB has done. The organization has created a formal CCPA Compliance Framework for Publishers and Technology Companies to provide a model that businesses can use to achieve compliance with greater ease.


While the IAB is an industry association meant to provide a measure of leadership and oversight within the digital media and marketing sectors, Sourcepoint entered those industries with a laser focus on sustainability within the media sector.

Sourcepoint works to create transparency in the content compensation models that underpin advertising and digital content. The company creates products that help brands track this kind of data more effectively and gain a stronger understanding of issues like privacy, monetization, and customer data management.

These overarching brand goals put Sourcepoint in the center of the data-sharing economy and the privacy issues it creates, making CCPA compliance a critical matter for the business.

Sourcepoint has built a far-reaching CCPA compliance solution into its platform. The solution supports the requirements of the CCPA alongside the GDPR, allowing businesses to provide region-specific solutions to users through a consumer-first consent management platform that empowers organizations to handle compliance in more natural, intuitive ways.

This kind of technology can help businesses automate key elements of CCPA compliance. The platform creates software-based workflows that are compliant, reducing user error and automating documentation to log tasks as they’re completed. These types of capabilities make it much easier to support consumer privacy rights while driving stronger engagement with customers as they interact with your brand.


In some ways, OneTrust is similar to Sourcepoint. Both companies are heavily focused on user privacy. But Sourcepoint devotes its efforts specifically to the marketing and media sectors, as well as the data-sharing economy that surrounds them.

OneTrust, on the other hand, is an industry leader in the broader privacy, consent, and risk management sectors. Their tools are devoted to helping brands stay on top of risk and promote privacy best practices by not only managing data effectively but also maintaining compliance with such industry standards as the GDPR, ISO27001, and, now, the CCPA.

OneTrust moved quickly to get ready for the CCPA, releasing a new compliance-focused platform for businesses in February 2019, when the act was in the early stages of development. OneTrust’s CCPA platform incorporates modules to help businesses

  • Access research about the law and assess their readiness to comply with its requirements
  • Manage privacy through software that includes specific features to handle tasks related to the CCPA
  • Use professional services to support CCPA compliance efforts
  • Connect with community-driven resources to help them learn more about how they can respond to the law

OneTrust is a prime example of how holistic CCPA solutions are emerging, blending technology with services and informational resources so businesses can keep pace with new demands.

Getting help with the CCPA

These solutions illustrate that businesses aren’t alone in working toward CCPA compliance. You may face plenty of challenges adapting, but there’s help. Here at JotForm, we’re hard at work applying our longstanding compliance culture to the emerging requirements of the legislation.

Good news: JotForm is CCPA compliant

At JotForm, because we help businesses collect data from their customers, we put a huge emphasis on consumer privacy. If you want to get feedback on a service, we can help you. If you need to create a custom survey, we’ve got your back. If you’re looking for an invoice form that’s just right for your business, we can help you create it.

We’re all about empowering businesses to engage employees and customers through custom digital forms that let them collect and organize data in the most straightforward ways possible.

As you can imagine, this means that the CCPA is a big deal for us. We’ve built CCPA capabilities into our services so businesses using our tools can get the information they need without having to worry about compliance-related workflows.

JotForm’s compliance culture

As HIPAA compliance became a growing need for businesses in a wide range of sectors, JotForm stepped up to create HIPAA-compliant forms. These aren’t stripped-down, basic forms but forms and form-creation tools that empower businesses to get the information they need without having to sacrifice data privacy and security.

For example, our HIPAA-compliant forms let users

  • Collect payments, signatures, and files
  • Integrate data with relevant systems without creating compliance risk
  • Store patient data in a way that’s automatically encrypted and aligned with HIPAA
  • Quickly and easily create new forms without needing any technical expertise 
  • Gather data through our mobile app

Many businesses need to collect sensitive customer data. You can’t accept electronic payments without some sort of financial data capture and payment gateway system. That’s why JotForm has worked to become fully compliant with the EU’s Payment Services Directive (PSD2) that went into effect in September 2019.

Our form templates and custom form-creation tools comply with PSD2 by connecting to PSD2-compliant services. Instead of gathering and storing the data on our forms, we link to the payment service providers and banks that the PSD2 regulations apply to, ensuring compliance.

JotForm and the CCPA

We have a long history of making compliance easier for our customers through intuitive tools that streamline form creation without sacrificing data privacy and security. We give you the capabilities you need to design your data-collection tools in a way that aligns with regulatory standards.

To find out more about our CCPA compliance solutions, go to our CCPA compliance page. We can help your business improve your digital forms so you comply with the CCPA without having to completely rework your assets.

The CCPA is a big deal, but it’s manageable

You don’t need to panic because the CCPA is on the horizon. If your business is big enough to fall under CCPA regulations, chances are you’re also affected by the GDPR. At the very least, you’re already aware of the privacy standard and its potential impact on future legislation, even if you haven’t had to comply.

If you’ve been on top of GDPR and are complying with it, then the move to adjust to the CCPA should be fairly easy. If these kinds of data privacy standards are new to your business, then you have some work to do.

Here are some things you’ll need to think about in terms of CCPA compliance:

  • Updating your privacy policies to reflect unique elements of the CCPA
  • Tweaking your existing data-collection notifications to cover the full breadth of the guidelines
  • Analyzing potential business disruptions that could be created if users opt out of data collection and sharing

In many cases, the more technical problems associated with the CCPA can be resolved through the strategic use of prebuilt solutions, like the ones we highlighted from Microsoft, IAB, Sourcepoint, and OneTrust as well as JotForm’s Form Builder.

There’s actually a lot of help out there for businesses trying to comply with the CCPA. The challenge isn’t so much what needs to happen in response to the CCPA, though the standard is demanding and can be difficult to deal with. Instead, the bigger issue is what happens when other states or federal entities put similar legislation into effect.

Will you have to come up with slightly different compliance and reporting practices for each state where you serve customers? Will you need to deal with large-scale, complex federal regulations? These kinds of questions represent the overarching challenge of CCPA compliance.

No matter what regulations may be enacted in the future, JotForm will be here to help. At their core, our digital form solutions take what could be a complex and technically demanding process and make it accessible even for small businesses without an IT staff. We apply this same focus on ease of use to our compliance measures, making it easy for organizations to leverage solutions in a way that aligns with regulatory standards.

As the regulatory environment surrounding the data-sharing economy continues to change, vendors that support compliance can make your life easier. JotForm is one such solution provider. Reach out today if you’d like to learn more about our offerings and how they fit with CCPA compliance demands.




  1. I think the content you share is interesting, but for me there is still something missing, because the things discussed above are not important to talk about today.
