
Data Strategy Briefing — California Consumer Privacy Act takes effect

The California Consumer Privacy Act became effective on 1 January 2020, activating new rights for California residents and obligating businesses to provide notice, access, deletion, and opt-out controls with verifiable processes for data governance and vendor management.


Executive briefing: The California Consumer Privacy Act (CCPA) became effective on 1 January 2020, activating notice, access, deletion, correction (post-CPRA), and opt-out rights for California residents. This briefing converts statutory text into a deployable operating model with visuals, controls, and metrics that align to our pillar hub, the U.S. privacy program blueprint, and related briefs on the California Delete Act and China’s PIPL.

Scope, thresholds, and stakeholders

| Element | CCPA requirement | Operational decision |
|---|---|---|
| Covered business | For-profit entities collecting California residents’ personal information (PI) that meet revenue (≥$25M), volume (≥100k consumers/households/devices), or revenue-from-sale (≥50%) thresholds. | Confirm entity mapping, financial triggers, and data flows by legal entity and brand. |
| Personal information | Broad identifiers, inferences, geolocation, biometrics, network data, and household data; excludes deidentified or aggregate data if safeguards are in place. | Maintain a data inventory with purpose, retention, and deidentification controls; document aggregation logic. |
| Service providers/contractors | Written contracts prohibiting secondary use, sale/sharing, retention beyond necessity, or combining PI across clients (unless allowed). | Adopt addenda with CCPA/CPRA terms, flow-downs, audit rights, and incident-notification SLAs. |
| Sale vs. sharing | “Sale” covers any value exchange; “sharing” (CPRA) covers cross-context behavioral advertising. | Classify adtech, analytics, and data enrichment uses; toggle opt-out controls for sale/sharing and limit use of sensitive PI. |

Rights handling—30/45-day clocks

  • Notice at collection: Post purpose-specific notices at or before collection, identifying categories, uses, retention periods, sale/sharing, and sensitive PI purposes.
  • Access and portability (45 days, +45 extension): Provide categories and specific pieces of PI, sources, purposes, third parties, and retention logic; deliver securely and in a portable format.
  • Deletion and correction (45 days): Erase or correct PI unless an exemption applies (security, compliance, contracts); propagate to service providers/contractors.
  • Opt-out of sale/sharing: “Do Not Sell or Share My Personal Information” link, honoring GPC/opt-out preference signals; minimize dark patterns.
  • Limit use of sensitive PI (CPRA): Provide a “Limit the use of my sensitive personal information” control for processing beyond permitted purposes.

Figure: swimlane diagram showing intake, verification, fulfillment, exemptions, vendor propagation, and closure for CCPA/CPRA rights (caption: Rights fulfillment lifecycle with verification, exemptions, and vendor coordination).

Controls and architecture

  1. Data inventory and tagging: System-of-record for data elements with California residency tags, purposes, retention, sensitivity, and sharing flags; integrate with data catalogs and MDM.
  2. Consent and preference orchestration: Centralize consent, GPC detection, and opt-out signals; propagate to web SDKs, mobile apps, CDPs, and ad platforms.
  3. Identity verification: Risk-based verification using knowledge-based checks, one-time codes, or account login; minimize over-collection and retain verification logs briefly.
  4. Vendor governance: Pre-execution screening, CCPA/CPRA contractual addenda, DPIAs, and quarterly evidence of deletion/opt-out propagation; maintain a vendor map for sale/sharing.
  5. Logging and retention: Maintain DSAR audit trails, opt-out logs, notices, and training records for at least 24 months; align with incident-response records.

Metrics and KPIs

| Metric | Target | Evidence |
|---|---|---|
| DSAR intake-to-close | ≤30 days (with documented extensions) | Ticketing timestamps, fulfillment artifacts, exemption rationale. |
| GPC honor rate | 100% of eligible web/app sessions | Consent logs, web QA reports, adtech configuration exports. |
| Vendor propagation | ≥95% confirmation within 15 days | Vendor attestations, API callbacks, deletion receipts. |
| Notice coverage | All collection points monitored quarterly | Screenshots, tag scans, change-control tickets. |
| Opt-out UX issues | <1% abandonment due to friction | UX tests, analytics funnels, accessibility audits. |
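As an added illustration of control 2 (GPC detection and opt-out propagation) and the GPC honor rate metric above, not code from the briefing: a Python sketch that honors the Sec-GPC request header as a sale/sharing opt-out and then computes the honor rate over a constructed consent log. The CSV layout, the field names and the ConsentState type are assumptions; only the Sec-GPC header and its value "1" come from the GPC specification.

```python
from dataclasses import dataclass
from typing import Iterable, List, Tuple

# The GPC specification defines the "Sec-GPC" request header; value "1" means
# the user has asserted a do-not-sell-or-share preference.
GPC_HEADER = "sec-gpc"

@dataclass(frozen=True)
class ConsentState:
    sell_share_opt_out: bool
    source: str  # "gpc", "preference-center" or "default"

def resolve_opt_out(headers: dict, stored_opt_out: bool) -> ConsentState:
    """Derive the sale/sharing opt-out state for one request. A valid GPC signal
    is honored as an opt-out even if the consumer never used the preference
    center; an explicit stored opt-out is never overridden."""
    gpc_seen = any(k.lower() == GPC_HEADER and v.strip() == "1"
                   for k, v in headers.items())
    if stored_opt_out:
        return ConsentState(True, "preference-center")
    if gpc_seen:
        return ConsentState(True, "gpc")
    return ConsentState(False, "default")

# Constructed consent-log sample in a hypothetical CSV layout:
# session_id,gpc_seen(0/1),opt_out_applied(true/false)
SAMPLE_CONSENT_LOG = """\
s1,1,true
s2,1,true
s3,0,false
s4,1,false
s5,1,true
"""

def gpc_honor_rate(log_lines: Iterable[str]) -> Tuple[float, List[str]]:
    """Share of GPC-bearing sessions whose opt-out was applied, plus the
    session ids where the signal was missed (the records to escalate)."""
    eligible, honored, misses = 0, 0, []
    for line in log_lines:
        if not line.strip():
            continue
        sid, gpc_seen, applied = line.strip().split(",")
        if gpc_seen != "1":
            continue  # no signal, so not in the denominator
        eligible += 1
        if applied == "true":
            honored += 1
        else:
            misses.append(sid)
    return (honored / eligible if eligible else 1.0), misses
```

Any session listed in the misses output is a gap against the 100% target and should be traced back to the SDK or ad-platform integration that failed to propagate the signal.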

Readiness and sustainment playbook

  • 30 days: Gap analysis against CCPA/CPRA text and regs; map data flows; freeze high-risk tracking changes.
  • 60 days: Deploy notice and preference center updates; integrate GPC; refresh vendor contracts; pilot DSAR playbooks with real data.
  • 90 days: Launch full DSAR factory with QA; run tabletop for access/deletion edge cases; verify deletion propagation; test breach-notification alignment.
  • Quarterly: Control testing (notice coverage, signal honoring, vendor SLAs); refresh RoPAs/records; calibrate risk assessments with cybersecurity and product teams.
  • Annual: Training for frontline, engineering, and marketing; review exemptions; validate deidentification safeguards and data-minimization baselines.

Figure: layered model showing governance, controls, workflows, and evidence supporting CCPA obligations (caption: Operating model linking governance, controls, workflows, and evidence).

Risk mitigation and enforcement posture

Align with California Attorney General and CPPA enforcement patterns by maintaining documented risk assessments for high-risk processing, recording consumer complaints, and logging remediation steps. Keep breach-response coordination tight with incident teams to evaluate whether an unauthorized disclosure implicates CCPA obligations or downstream notification requirements.

Audit-ready evidence

  • Versioned notices, preference center screenshots, and change-control tickets with approver IDs.
  • DSAR samples showing verification steps, decisions, redactions, and delivery methods.
  • Vendor contract extracts with CCPA/CPRA terms plus deletion/opt-out confirmations.
  • GPC and opt-out signal test logs across browsers and mobile apps.
  • Training completion records, policy attestations, and quarterly control testing results.

Retention and minimization

Set default retention aligned to documented purposes, delete or deidentify data when no longer necessary, and block secondary uses without renewed notice. Maintain a retention schedule aligned to CPRA regulations, and ensure backup deletion plans so restore processes do not recreate deleted data.

Document minimization controls for collection, storage, and sharing. For analytics or training data, apply aggregation, differential privacy where feasible, and strict role-based access with quarterly access reviews.

Sector scenarios

  • Adtech-rich retail: Validate whether loyalty IDs are used for cross-context ads; classify as sale/sharing and expose opt-out and sensitive PI limits before personalization.
  • Financial services: Coordinate GLBA exemptions carefully; deliver requests for non-GLBA data while explaining scope limits.
  • Health adjacent: For wellness apps outside HIPAA, treat precise geolocation, biometrics, and cross-app identifiers as sensitive; maintain explicit purpose limits.
  • Employment data: Until exemptions lapse, maintain separate workflows for employee/applicant data; plan for CPRA-covered HR data handling.

Testing and governance cadence

Run monthly DSAR QA on real tickets, measuring accuracy and response speed. Perform quarterly cookie/tag scans for notice coverage and opt-out alignment. Establish a privacy steering group with legal, security, marketing, and product to approve new tracking technologies and data uses.
