November 25, 2025 17 min read

CCPA compliance requirements for 2025: A practical guide

Mackenzie Gauger

The California Consumer Privacy Act (CCPA) is a state law that gives California consumers greater control over their personal information. Enacted in 2018 and in force since January 1, 2020, the CCPA was amended by the California Privacy Rights Act (CPRA), which voters approved in November 2020 and which took effect on January 1, 2023. Together they are designed to enhance data privacy and transparency.

Many articles speak to what the CCPA means for consumers, or explore the legal implications of non-compliance. In this practical guide to CCPA compliance, we’ll explore key requirements, examine where CCPA applies, address potential challenges, and offer actionable advice to reduce your regulatory risk.

What is the CCPA, and who must comply?

The CCPA gives consumers more control over personal information collected and used by businesses. It applies to for-profit companies that do business in California and collect consumers' personal information, if they meet any one of three conditions (measured against the preceding calendar year):

  • They report annual gross revenues of $25 million or more (a figure the law adjusts periodically for inflation).
  • They buy, sell, or share the personal information of 100,000 or more California consumers or households.
  • They derive 50% or more of their annual revenue from selling or sharing consumers' personal information.

There are exceptions to CCPA compliance. For example, government bodies and non-profit organizations fall outside the Act's definition of a "business" and are covered by other rules. The Act also does not reach commercial conduct that takes place wholly outside California, such as information collected while the consumer was outside the state and never sold in it. Enforcement is shared by the California Privacy Protection Agency (CPPA), which can bring administrative actions, and the California Attorney General.

Consumer rights

At its inception in 2020, the Act gave consumers four new privacy rights:

  1. The right to know. California residents have the right to know what information is collected by businesses. They also have the right to know how this data is used and shared.
  2. The right to delete. This right allows consumers to have personal information collected from them deleted by the companies using this data. There are several exceptions to this right. For example, companies may retain data if it is necessary to complete transactions, comply with legal obligations, or maintain security.
  3. The right to opt-out. The right to opt-out allows consumers to refuse the sharing or sale of their information. Consumers can exercise it by contacting the company directly or by enabling a Global Privacy Control (GPC) signal, which supporting browsers and browser extensions send with every web request; the CCPA regulations require businesses to treat that signal as a valid opt-out request.
  4. The right to non-discrimination. This right protects consumers from unfair treatment if they use any of the above (or below) rights. In practice, it means that businesses cannot deny goods or services, provide a different quality of these goods or services, or increase the price of goods because consumers exercised their rights under CCPA.
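The GPC signal mentioned in the opt-out right arrives as a plain HTTP request header, `Sec-GPC: 1`, so honoring it is an engineering task rather than a legal one. The following is an added example (not AuditBoard's code and not part of the original article) of server-side handling: it detects the header, records a sticky opt-out against a consumer or device identifier, gates downstream sale or sharing on that record, and produces the `/.well-known/gpc.json` document the GPC specification uses for a site to declare support. The in-memory registry and the identifiers are assumptions standing in for a real preference store.

```python
"""Honoring the Global Privacy Control (GPC) opt-out signal on the server side.

Added example, not AuditBoard's code. Assumes a plain headers dict (most web
frameworks expose one) and an in-memory registry standing in for the
business's consumer-preference system.
"""
from datetime import datetime, timezone

GPC_HEADER = "Sec-GPC"   # request header defined by the GPC spec; the value "1" means opt out


def gpc_signal_present(headers: dict) -> bool:
    """Return True when the request carries a valid GPC opt-out signal.

    Header names are case-insensitive. Only the literal value "1" is a
    signal; "0", "true" or an absent header is not an opt-out.
    """
    for name, value in headers.items():
        if name.lower() == GPC_HEADER.lower():
            return value.strip() == "1"
    return False


class OptOutRegistry:
    """Do-not-sell/share preferences keyed by a consumer or device identifier."""

    def __init__(self):
        self._opted_out = {}   # identifier -> (source, recorded_at)

    def record_opt_out(self, identifier: str, source: str) -> None:
        self._opted_out[identifier] = (source, datetime.now(timezone.utc))

    def opted_out(self, identifier: str) -> bool:
        return identifier in self._opted_out

    def source(self, identifier: str):
        return self._opted_out.get(identifier, (None, None))[0]


def process_request(headers: dict, identifier: str, registry: OptOutRegistry) -> dict:
    """Apply the GPC signal for one request and report whether downstream
    sale/sharing (for example, firing an ad-tech pixel) is allowed.

    The opt-out is sticky: once recorded, later requests from the same
    identifier stay opted out even if the browser stops sending the header.
    """
    if gpc_signal_present(headers):
        # The signal is itself the opt-out request: no identity verification
        # and no additional information may be demanded before honoring it.
        registry.record_opt_out(identifier, source="gpc")
    return {
        "identifier": identifier,
        "may_sell_or_share": not registry.opted_out(identifier),
        "opt_out_source": registry.source(identifier),
    }


def well_known_gpc(last_update: str) -> dict:
    """Body served at /.well-known/gpc.json to declare that the site honors GPC."""
    return {"gpc": True, "lastUpdate": last_update}


if __name__ == "__main__":
    # Constructed sample requests for illustration.
    registry = OptOutRegistry()
    print(process_request({"Sec-GPC": "1", "User-Agent": "demo"}, "device-123", registry))
    print(process_request({"User-Agent": "demo"}, "device-123", registry))   # still opted out
    print(process_request({"Sec-GPC": "0"}, "device-456", registry))          # not an opt-out
    print(well_known_gpc("2025-01-01"))
```

Two points the code makes explicit: the header check must be case-insensitive and value-exact, and the resulting opt-out must outlive the single request that carried the signal, or a consumer who switches devices or browsers silently falls back into the "may share" pool.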

In November 2020, California voters passed Proposition 24, the CPRA, which amended the CCPA with two new privacy rights that became enforceable on January 1, 2023:

  • The right to correct. Consumers may ask businesses to correct inaccurate personal information. This can include personal, financial, or any other data requested and collected by a company.
  • The right to limit. Consumers can ask businesses to limit the use and disclosure of their sensitive personal information to what is necessary to provide the requested goods or services. For example, if consumers provide a Social Security number or precise geolocation data for a financial transaction, they can require that this data be used only for that transaction. This is distinct from the opt-out right, which covers the sale or sharing of any personal information.

Key CCPA compliance requirements

Under the CCPA, businesses must fulfill two main responsibilities: providing consumers with clear privacy notices and properly handling consumer requests regarding their personal data.

Notice obligations

Companies must provide notice that they are collecting consumer data. This notice must be provided at or before the point of collection, such as with cookie banners and privacy notices. Providing notice after collection puts businesses at risk of non-compliance.

Notices must contain six elements:

  1. The categories of personal information you collect
  2. The business or commercial reason for collecting the categories of information
  3. Details about any sharing or sale of the information
  4. How long data will be stored
  5. If data will be shared or sold, a link to your "Do Not Sell or Share My Personal Information" page, where consumers can exercise the right to opt-out
  6. A link to your company’s data privacy policy

Depending on how you collect information, different notice obligations apply. If data is collected online, you can provide an on-site notice or a link to a notice that is displayed on the webpage collecting user data. If you collect data through physical means, such as cameras, it must be posted using prominent signage. And if data is collected verbally, such as over the phone, the notice must be communicated orally.

There are five basic requirements for notices under the CCPA. All notices must:

  • Be easy to understand. Avoid legal or technical terminology.
  • Be readable. This includes digital and in-person notices, and in practice, this may require work to ensure notices displayed on mobile devices are as easy to read as those displayed on larger screens.
  • Be available in the languages used by your business. This means if your business conducts sales or writes contracts in both English and Spanish, you must provide notices in both of these languages.
  • Be accessible. Your notices should be accessible to consumers with disabilities as much as possible.
  • Be timely. Notices must be provided to the consumers at or before the point of data collection.

Request handling

Consumer rights also include the ability to know what information businesses have collected about them, and access this information.

These rights are asserted using what's known as a verifiable consumer request. Companies must have processes in place to receive, respond to, and track these requests, and they are required to respond within 45 calendar days of receiving a request. The statute allows that period to be extended once, by up to 45 additional days, when reasonably necessary, provided the consumer is notified of the extension within the first 45 days.

Ensuring the request is verifiable means confirming that the requesting consumer is who they say they are before any personal information is disclosed, deleted, or corrected. Failure to do so exposes companies both to CCPA non-compliance and to disclosing one person's data to another. The verification duty cuts both ways: the regulations do not allow businesses to demand identity verification for opt-out or limit requests, so collecting more information than needed to process those requests is itself a violation.

Once consumer identity is verified per CCPA guidelines, organizations must disclose both directly collected and inferred personal information, including retention periods, third-party sharing details and, where applicable, information about the logic behind automated decision-making, in a format that is portable and machine-readable.

In addition, businesses must provide the categories of data collected, the sources of that data, the purposes for which it was collected, the categories of information sold or disclosed, and the categories of third parties it was shared with or sold to. If the consumer asks, businesses must also provide the specific pieces of personal information collected about them.

A crucial detail here is that the CCPA considers inferences to be a form of personal information. This means that predictions and conclusions a business draws from consumer data are just as protected as a name or email address.
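The request-handling obligations above translate into two controls a practitioner has to enforce in software: a response clock that starts at receipt, and a gate that releases nothing until verification is complete while still counting inferences as disclosable personal information. The following is an added example (not AuditBoard's code and not from the original article) that implements both; the consumer record, request identifiers and inference text are constructed for illustration, and the field names are assumptions.

```python
"""Tracking a verifiable consumer request and assembling a portable disclosure.

Added example, not AuditBoard's code. The consumer record, request IDs and
inferences below are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import date, timedelta
import json

RESPONSE_WINDOW_DAYS = 45   # respond within 45 calendar days of receipt
EXTENSION_DAYS = 45         # one extension of up to 45 days, with notice inside the first window

VERIFIED_TYPES = {"know", "delete", "correct"}   # identity must be verified first
UNVERIFIED_TYPES = {"opt-out", "limit"}          # must be honored without verification


def requires_verification(kind: str) -> bool:
    if kind in VERIFIED_TYPES:
        return True
    if kind in UNVERIFIED_TYPES:
        return False
    raise ValueError(f"unknown request type {kind!r}")


@dataclass
class ConsumerRequest:
    request_id: str
    kind: str
    received: date
    verified: bool = False
    extended: bool = False
    wants_specific_pieces: bool = False

    def due(self) -> date:
        days = RESPONSE_WINDOW_DAYS + (EXTENSION_DAYS if self.extended else 0)
        return self.received + timedelta(days=days)

    def overdue(self, today: date) -> bool:
        return today > self.due()


def build_disclosure(record: dict, req: ConsumerRequest) -> dict:
    """Assemble the right-to-know response.

    Releases nothing until the request is verified. Inferences are personal
    information, so they appear in the category list and, when specific
    pieces are requested, alongside the directly collected values.
    """
    if req.kind != "know":
        raise ValueError(f"{req.kind!r} is not a request to know")
    if requires_verification(req.kind) and not req.verified:
        raise PermissionError("identity not verified; nothing may be released")

    pieces = record["pieces"]
    disclosure = {
        "request_id": req.request_id,
        "categories_collected": sorted({p["category"] for p in pieces} | {"inferences"}),
        "sources": sorted({p["source"] for p in pieces}),
        "purposes": record["purposes"],
        "categories_sold_or_shared": record["sold_or_shared"],
        "third_party_categories": record["third_parties"],
        "retention_periods": record["retention"],
    }
    if req.wants_specific_pieces:
        disclosure["specific_pieces"] = [
            {"category": p["category"], "value": p["value"]} for p in pieces
        ] + [{"category": "inferences", "value": inf} for inf in record["inferences"]]
    return disclosure


def export_json(record: dict, req: ConsumerRequest) -> str:
    """Portable, machine-readable form of the disclosure."""
    return json.dumps(build_disclosure(record, req), indent=2, sort_keys=True)


# Constructed sample record (not real data).
SAMPLE_RECORD = {
    "pieces": [
        {"category": "identifiers", "value": "jane@example.com", "source": "account signup"},
        {"category": "geolocation", "value": "San Diego, CA", "source": "mobile app"},
    ],
    "inferences": ["likely to refinance within 12 months"],
    "purposes": ["service delivery", "fraud prevention", "marketing"],
    "sold_or_shared": ["identifiers"],
    "third_parties": ["advertising networks"],
    "retention": {"identifiers": "life of account plus 7 years", "geolocation": "90 days"},
}

if __name__ == "__main__":
    req = ConsumerRequest("R-1", "know", date(2025, 1, 10), verified=True, wants_specific_pieces=True)
    print("due:", req.due())
    print(export_json(SAMPLE_RECORD, req))
```

The `requires_verification` split matters in practice: a verification form placed in front of every request type, including opt-out, is exactly the kind of over-collection the regulations prohibit, while skipping verification on a request to know hands one consumer's profile to whoever asked.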

Common challenges businesses face with CCPA

The nature of CCPA data requirements also creates two common challenges for companies: incomplete data mapping and limited automation.

Incomplete data mapping

To provide transparency and respond to verified consumer requests from Californians, businesses need complete visibility into collected data, no matter how it was collected or where it resides.

Consider a financial organization that offers a variety of personal banking services, such as loans, investments, and day-to-day transactions. To support these services, this organization uses a combination of on-premises and cloud-based storage and data processing. Less sensitive consumer data may be stored or handled in the cloud, while more personal data is stored on site.

The disparate nature of the data makes it difficult for a company to get a complete picture of its data and processes. In other words, the organization isn’t sure where sensitive data is stored, who can access it, or when it was collected.

Limited automation

Manual processes also create compliance problems.

For example, manual entry of sensitive personal information can introduce errors, which consumers are then entitled to have fixed under the CCPA's right to correct. An individual error is not itself a violation, but every correction request costs time and effort and must be answered within the statutory deadline.

Manual processes can also lead to larger issues, such as failure to create auditable trails of action. If companies cannot provide a consistent chain of data custody from initial collection to use, storage, and deletion, they may be subject to fines or penalties.

Consider automaker Honda, which in March 2025 agreed to pay a $632,500 fine in the CPPA's first enforcement action under the CCPA. Among the findings: Honda required consumers to supply more information than necessary to process opt-out and limit requests (which need no verification), its cookie management tool made opting out harder than opting in, and it shared data with advertising vendors without the contracts the law requires.

Businesses must also recognize that liability under the CCPA does not depend on intent: accidentally collecting the personal information of California residents, or accidentally failing to honor an opt-out request, is a violation just as much as deliberately denying consumers access to their own data. Intent does affect the penalty, which is up to $2,500 per violation and up to $7,500 per intentional violation or violation involving a minor's data (statutory amounts, adjusted periodically for inflation).

Turning information into action: How to operationalize CCPA requirements

To improve CCPA compliance, organizations first need to understand their data. The next step is to put that knowledge into practice by implementing critical procedures and controls. Here are three ways to operationalize CCPA requirements as part of your data collection and privacy processes.

1. Build a complete privacy workflow

First, consider your current data privacy and security workflows, and identify areas that need improvement. These may include CCPA rights notices that are hard to find, hard to read, or incomplete. They may also include manual processes that stem from legacy tools or technologies, such as the manual reformatting and migration of data between multiple software solutions.

Once you have identified potential issues, you can begin to build a privacy workflow that ensures CCPA compliance from start to finish. This begins with centralized processes for intaking, responding to, and tracking verified consumer requests.

2. Train your teams

Next up is training your teams to handle specific CCPA requirements. Here, the key is recognizing that there is no one-size-fits-all approach. For example, marketing teams often use consumer information to create personalized ad campaigns — privacy notices must reflect this proposed action.

Teams must be educated on the appropriate use of consumer data. For example, if it is not clearly communicated that AI will be used for data processing, teams should not use these tools.

Security teams, meanwhile, may be tasked with monitoring systems and networks for potential data breaches or fraud activities, and they must use personal data under these specific guidelines. Clear policies should include detailed descriptions of appropriate data use, along with internal consequences for failing to follow these policies.

3. Regularly review compliance processes

Remaining CCPA compliant is never a “solved” problem. Both consumer and government expectations evolve. In addition, companies often add or remove hardware and software, which can impact data privacy and compliance processes.

Regular review of compliance and security measures can reduce total risk. By creating a review schedule along with a checklist of current compliance expectations, businesses can verify that written policies are aligned with functional processes, and more proactively manage and change their compliance programs before an exception occurs.

How AuditBoard helps companies navigate CCPA compliance

With AuditBoard infosec and risk solutions, data privacy teams are better equipped to navigate and manage CCPA compliance. Key functions include:

Comprehensive monitoring and request management

With AuditBoard controls monitoring software, your teams are better equipped to handle CCPA requests and ensure compliance. You gain complete visibility into your current controls along with any potential shortfalls and can easily monitor response service-level agreements (SLAs) to ensure you’re delivering complete consumer responses within CCPA timelines.

Integrated privacy and risk reporting

AuditBoard also provides integrated privacy and risk reporting. This provides evidence of CCPA alignment for both auditors and executives, and it frees up staff time for additional security work.

We've got you covered on adjacent programs as well; for example, our SOX compliance guide covers building the same kind of documented, evidence-backed controls for financial reporting.

Staying ahead of CCPA in 2025

Staying ahead of CCPA in 2025 means ensuring your business has processes in place to track personal data across any system, any time, while deploying automated processes to improve data transparency.

Companies cannot afford to ignore the evolution of privacy regulations. As data collection and analysis methods evolve, so too does the CCPA. For example, in September 2024, California enacted Assembly Bill No. 1008, which clarifies that personal information can exist in any format, including within AI systems capable of outputting it, and the same legislative session addressed biometric and neural data collected about consumers.

While the regulatory impact of these changes isn’t yet clear, the continuing evolution of CCPA speaks to the need for data handling and auditing processes capable of both meeting current compliance needs and adapting to future regulatory requirements.

Improve CCPA compliance with integrated workflows and audit-ready reporting. Discover how AuditBoard helps keep companies ahead of regulatory requirements. Request a demo today.

About the authors

Mackenzie Gauger

Mackenzie Gauger is a CPA, Senior Manager of Production Solutions at AuditBoard with a passion for helping audit, risk, and compliance leaders improve their teams and processes.
