DEV Community

Darren Chaker

Darren Chaker on the California Consumer Privacy Act and What It Means for Your Data

Why the CCPA Should Be on Every Business Owner's Radar

I get asked a lot about encryption, forensics, and counter-surveillance. But lately the conversations I have with clients, particularly those running small to mid-size businesses in California, keep circling back to one topic: the California Consumer Privacy Act.

And honestly, the confusion around CCPA is warranted. The statute reads like it was written by committee (because it was), and most of the guidance online either oversimplifies or buries the practical stuff under legal boilerplate nobody reads.

So let me break it down the way I explain it to clients.

Who Actually Has to Comply?

CCPA, as amended by the CPRA, applies to for-profit businesses doing business in California that hit at least one of these thresholds:

  • Annual gross revenue north of $25 million in the preceding calendar year (the figure is adjusted for inflation by regulation)
  • Buying, selling, or sharing the personal information of 100,000 or more California consumers or households per year
  • Deriving 50% or more of annual revenue from selling or sharing California consumers' personal information

Here is the part that trips people up: you do not need to be headquartered in California. If you collect data from California residents and meet any of these thresholds, CCPA reaches you.

I have also seen situations where smaller businesses get pulled into compliance because a larger partner or vendor contractually requires it. That is happening more often than people realize.

The Four Rights That Drive Most Compliance Work

Consumers under CCPA have specific rights. These are the ones that generate the most operational headaches:

Right                       | What It Requires
----------------------------|------------------------------------------------------------------------
Right to Know               | Disclose what personal information you collect, use, share, or sell
Right to Delete             | Delete personal information upon verified request (with exceptions)
Right to Opt-Out            | Allow consumers to opt out of the sale or sharing of their data
Right to Non-Discrimination | Cannot penalize consumers who exercise their privacy rights

The deletion right has teeth. I have worked with companies that had no real process for handling deletion requests. They were storing data across six or seven different systems with no central inventory. When requests came in, they could not even confirm what they had, let alone delete it.

Practical Steps That Actually Work

After walking multiple businesses through CCPA readiness, here is what I have found matters most:

Map your data flows first. Not a theoretical exercise. Sit down with every department that touches customer data and trace where it goes. CRM, email marketing platform, analytics tools, third-party processors. You cannot protect what you cannot find.

Set up a dedicated intake channel for privacy requests. A monitored privacy@yourcompany.com mailbox is the minimum; the statute requires at least two designated methods, one of which must be a toll-free number unless you operate exclusively online. Train whoever monitors it to recognize a CCPA request even when the consumer does not call it that. People write things like "delete my account" or "stop selling my info" without citing the statute.

Build a verification process. Before you hand over or delete anyone's data, confirm that the requester is the consumer (or an authorized agent) by matching the request against data points you already hold, and return the same answer whether the match fails or the person is unknown to you, so the intake channel cannot be used to probe who your customers are. Get this wrong and you create a bigger problem than the one you are trying to solve: releasing a consumer's data to a stranger on an unverified request is a breach you caused, not a compliance win.

Update your privacy notice at least once every 12 months, and whenever your data practices change. This is not a set-it-and-forget-it document. I have audited businesses that had not touched their privacy policy in three years.

Do not forget employee data. The exemption for employee and job-applicant data expired on January 1, 2023, so CCPA now covers HR records in full. A lot of businesses lock down customer-facing compliance and completely overlook them.
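The intake, verification and data-map steps above fit together as one small workflow, shown here as an added example that is not the author's code. The phrase lists, the consumer record, the system inventory and the verification thresholds (two matching data points for a request to know categories, three for deletion) are constructed assumptions for the example, not a restatement of the regulations; the point is the shape: classify the free-text request, verify against data you already hold without leaking whether the person is a customer, then drive deletion or disclosure from a central inventory that records which systems may retain data and why.

```python
"""Data-inventory-driven handling of CCPA consumer requests (added example).

The inventory, consumer record and verification thresholds below are
constructed for illustration; they are not a statement of the regulations.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Intake: phrases consumers actually write, mapped to the right they invoke.
# The phrase lists are constructed; extend them from your own ticket history.
INTAKE_PATTERNS = {
    "delete": [r"\bdelete\b", r"\berase\b", r"\bremove my (account|data|information)\b"],
    "opt_out": [r"\bstop (selling|sharing)\b", r"\bdo not sell\b", r"\bopt[- ]?out\b"],
    "know": [r"\bwhat (data|information) do you (have|hold)\b", r"\bcopy of my (data|information)\b"],
}


def classify_intake(text: str) -> Optional[str]:
    """Return the CCPA right a free-text message invokes, or None for human triage."""
    lowered = text.lower()
    for right, patterns in INTAKE_PATTERNS.items():
        if any(re.search(p, lowered) for p in patterns):
            return right
    return None


def normalize(value: str) -> str:
    """Canonicalise a data point so '+1 (310) 555-0100' == '+13105550100'."""
    return re.sub(r"[^a-z0-9]", "", value.lower())


@dataclass(frozen=True)
class ConsumerRecord:
    consumer_id: str
    email: str
    phone: str
    postal_code: str


# Constructed sample of what the business already holds, keyed by normalised email.
CONSUMERS = {
    normalize("ana@example.com"): ConsumerRecord("c-1001", "ana@example.com", "+13105550100", "90210"),
}

# Assumed verification policy for this example: minimum number of claimed data
# points that must match stored values before the request is acted on.
MIN_MATCHING_POINTS = {"know": 2, "delete": 3}


@dataclass(frozen=True)
class SystemEntry:
    system: str                          # where the data lives
    lookup_key: str                      # field used to locate the consumer there
    categories: tuple                    # CCPA categories of personal information held
    retain_reason: Optional[str] = None  # set when a deletion exception applies


# Constructed data map: the central inventory the text says most businesses lack.
DATA_MAP = (
    SystemEntry("crm", "email", ("identifiers", "commercial information")),
    SystemEntry("email_marketing", "email", ("identifiers",)),
    SystemEntry("analytics", "consumer_id", ("internet activity",)),
    SystemEntry("billing", "consumer_id", ("commercial information",),
                retain_reason="statutory tax/accounting retention (assumed exception)"),
)


def count_matching_points(claims: dict, record: ConsumerRecord) -> int:
    """Count the claimed data points that match what is stored."""
    return sum(
        1 for key, value in claims.items()
        if hasattr(record, key) and normalize(value) == normalize(getattr(record, key))
    )


def plan_deletion(record: ConsumerRecord) -> list:
    """Fan a verified deletion out over every system in the inventory."""
    actions = []
    for entry in DATA_MAP:
        if entry.retain_reason:
            actions.append({"system": entry.system, "action": "retain", "reason": entry.retain_reason})
        else:
            actions.append({"system": entry.system, "action": "delete",
                            "locate_by": {entry.lookup_key: getattr(record, entry.lookup_key)}})
    return actions


def disclose_categories(record: ConsumerRecord) -> list:
    """Right to Know (categories): what each inventoried system holds about this consumer."""
    return [{"system": e.system, "categories": list(e.categories)} for e in DATA_MAP]


def handle_request(message: str, claims: dict) -> dict:
    """Route an intake message: classify, verify (where required), then act."""
    right = classify_intake(message)
    if right is None:
        return {"status": "needs_human_review", "actions": []}
    if right == "opt_out":
        # Assumed policy: opt-out is honoured without identity verification.
        return {"status": "accepted", "right": right,
                "actions": [{"system": "consent_store", "action": "set_do_not_sell_or_share"}]}
    record = CONSUMERS.get(normalize(claims.get("email", "")))
    # One response for "unknown consumer" and "data points did not match": the
    # intake channel must not become an oracle for probing who is a customer.
    if record is None or count_matching_points(claims, record) < MIN_MATCHING_POINTS[right]:
        return {"status": "verification_failed", "right": right, "actions": []}
    actions = plan_deletion(record) if right == "delete" else disclose_categories(record)
    return {"status": "verified", "right": right, "consumer_id": record.consumer_id, "actions": actions}
```

The returned action list is the artifact worth keeping: it is both the work order for each system owner and the audit record that shows what was deleted, what was retained, and under which exception. Note that the verification step returns the identical response for a mismatch and for an address you have never seen, which is what stops the request form from doubling as a customer-enumeration endpoint.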

Common Pitfalls I Keep Seeing

  • Treating CCPA like a one-time IT project instead of an ongoing operational requirement
  • Ignoring service provider agreements that need CCPA-specific language (without the required contract terms a vendor is a third party, and handing it data can count as a sale or share)
  • Missing mobile app data collection disclosures
  • No real data retention schedule: businesses collect everything and delete nothing, even though the CPRA requires disclosing how long each category of data is kept
  • Assuming that because they are small, enforcement will not reach them

The California Attorney General and, since 2023, the California Privacy Protection Agency share enforcement, and both have pursued businesses of every size. Civil penalties run up to $2,500 per violation and up to $7,500 for intentional violations or those involving minors under 16, and the CPRA amendments removed the 30-day cure period that businesses used to rely on. Separately, consumers have a private right of action when nonencrypted, nonredacted personal information is breached because of a failure to maintain reasonable security, with statutory damages of $100 to $750 per consumer per incident. That clause is what turns your security posture into direct CCPA exposure.

The Bottom Line

CCPA compliance is not about checking boxes. It is about building systems that respect consumer data as a matter of routine operations. The businesses that treat privacy as a core function rather than a legal annoyance will come out ahead.

Darren Chaker is a cybersecurity consultant and privacy advocate based in Beverly Hills, California. Learn more at about.me/darrenchakerprivacy.
