Fri, Dec 13, 2019

CCPA Compliance Checklist

The California Consumer Protection Act (CCPA) applies to your company if any one of the following three statements is true: you buy, receive or sell the personal information of 50,000 or more consumers, households, or devices; you have gross revenues in excess of $25 million; or you derive 50% or more of your revenue from selling consumers’ personal information. The CCPA went into effect on January 1, 2020 and needs to be on your radar. The California Attorney General, who generally enforces the CCPA, shall adopt regulations on or before July 1, 2020, and shall not bring an enforcement action until 6 months after the publication of such regulations or July 1, 2020. Businesses charged with a CCPA violation face fines starting at $2,500 per individual affected. Once a consumer notifies a company of intended legal action for a CCPA violation, the company has only 30 days to remedy the situation. The CCPA does not specify what a remedial action would be.

Use this CCPA compliance checklist to help:

Determine what information you need to collect and why.

  • Put someone directly in charge of privacy and data protection.
  • Know whether the information is being “sold” by any of the service providers or third parties with whom you work.
  • Know what data must be shared with other entities, what must be encrypted, and what must remain private.

You may need to defend the collection of any information that “identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household,” such as:

  • Name
  • Physical address
  • Phone number
  • IP address
  • Email address
  • Social security number
  • Driver’s license number
  • Passport number
  • Signature
  • Physical description
  • Insurance policy number
  • Education/employment status
  • Financial account information
  • Records of personal property, products, services purchased, consumption history
  • Biometric information
  • Browsing history, search history, website interactions, advertisement clicks, and internet usage
  • Geolocation data
  • Consumer preferences, characteristics, trends, predispositions, behavior, or attitudes

Aggregate consumer information that is not linked to a particular individual, household, or device is not included. Information that is publicly available from federal, state, or local government records is also fair game.

Consider how to organize the data you collect.
  • Provide CCPA notices and establish procedures for consumers to opt in or opt out.
  • To comply with the “right to be forgotten,” create measures to quickly delete data, as requested.
  • Upon request, be prepared to provide consumers with their data “in a readily usable format.”
  • Look over your service provider agreements to ensure they are also CCPA compliant.
  • Train your staff to process new requests with a heightened focus on greater consumer privacy.


Revise your privacy policy and clarify compliance on your website homepage.
  • Include language at the point of collection explaining what information may be sold to whom and why.
  • Explain what information may have been collected and/or sold within the past 12 months.
  • Inform California residents of the “right to be forgotten” within your privacy policy.
  • Describe consumer rights to erasure, to access, to request info, and to not be subjected to discrimination.
  • Include a “Do Not Sell My Personal Information” link to allow consumers to opt out.


Be prepared for consumers to call you out on data collection.
  • Develop a toll-free number and web address to handle “verifiable consumer privacy requests.”
  • Create a process for preserving copies of specific pieces of personal information you’ve collected.
  • If someone requests to know what information you have, you must be able to deliver within 45 days.
  • Delivery can be made via mail or electronically.
  • Develop procedures to verify the identity of information requesters.
  • Create policies that conform to the CCPA’s requirement to delete data but preserve litigation evidence.
  • Businesses cannot sell the personal information of minors (13-16) without an express opt-in from a parent or guardian.
  • Provide equal, nondiscriminatory price and service, whether consumers opt in or not.


Work with third parties and service providers to limit their use of personal information.
  • Information may be shared for audit, security, account maintenance, or payment processing purposes.
  • Review existing agreements and policies to determine how much information third parties need shared.
  • Write up a contract that expressly prohibits third parties from sharing or selling information provided.
  • Find out what steps your service providers take to comply with the new CCPA regulations.
  • Develop a process for ongoing monitoring and review of CCPA compliance.


Prepare for CCPA Litigation

For more than 50 years, we’ve helped businesses and their counsel with all their class action administration needs, from court approval and notification through claims validation and settlement distribution. We’ve been following the California Consumer Protections Act from the very beginning and are prepared to administer these cases in the most cost-effective and efficient manner. Contact us today for more information.

Stay Ahead with Kroll

Settlement Administration

Kroll is the leader in complex settlement administration providing end-to-end expertise for class actions, mass torts, and regulatory and government administrations.

Data Breach and Privacy Class Action Administration

End-to-end notice and administration solutions for data breach and privacy matters.