California begins enforcing the CCPA

At a glance

On 1 July 2020, the California Attorney General began enforcing the California Consumer Privacy Act (CCPA), marking the start of active regulatory oversight for California's landmark privacy law. Following a six-month grace period since the law's January 1, 2020 effective date, businesses are now subject to enforcement actions for CCPA violations, with civil penalties reaching $7,500 per intentional violation.

Enforcement Authority and Penalties

The California Attorney General holds exclusive CCPA enforcement authority:

• Civil penalties: Up to $2,500 per unintentional violation and $7,500 per intentional violation.
• Cure period: Businesses receive 30-day opportunity to cure alleged violations before AG action, though this period was eliminated for certain violations under CPRA.
• Private right of action: Consumers may bring private lawsuits for data breach harms with statutory damages of $100-$750 per consumer per incident.
• Investigative powers: The AG may conduct investigations, issue subpoenas, and require compliance reporting.

Consumer Rights Framework

CCPA grants California residents specific privacy rights:

• Right to know: Consumers may request disclosure of personal information collected, sold, or disclosed, including categories, sources, purposes, and recipients.
• Right to delete: Consumers may request deletion of collected personal information, with specific exemptions for necessary business purposes.
• Right to opt-out: Consumers may direct businesses not to sell their personal information to third parties.
• Right to non-discrimination: Businesses cannot discriminate against consumers exercising CCPA rights through pricing or service differences.

Business Obligations

Covered businesses must implement full privacy programs:

Privacy notices:

• Categories of personal information collected in preceding 12 months.
• Purposes for collection and use.
• Categories of third parties with whom information is shared.
• Consumer rights and how to exercise them.

Request handling:

• At least two request submission methods (toll-free number and website form).
• 45-day response deadline with possible 45-day extension for complex requests.
• Identity verification procedures for request processing.
• Documentation of requests and responses for 24 months.

Opt-Out Implementation

Businesses selling personal information face specific requirements:

• Prominent "Do Not Sell My Personal Information" links on website homepages.
• Mechanisms to process opt-out requests without requiring account creation.
• Technical setup to honor Global Privacy Control (GPC) signals.
• Service provider contracts including CCPA-required restrictions.

Compliance Verification

If you are affected, verify compliance readiness:

• Test consumer request workflows against 45-day response requirements.
• Verify privacy notice accuracy and completeness.
• Confirm opt-out mechanisms function correctly across all entry points.
• Review service provider contracts for required CCPA provisions.
• Document compliance program for potential AG inquiries.

Industry Impact

CCPA enforcement affects businesses across sectors with California consumer relationships, establishing precedent for other state privacy laws and influencing federal privacy legislation discussions.

Wrapping up

CCPA enforcement startment represents a significant milestone in U.S. privacy regulation. If you are affected, stay compliant programs are operational and documented, with ongoing monitoring for AG guidance and enforcement actions that clarify compliance expectations.

Implementation detail

Successful implementation requires a structured approach that addresses technical, operational, and organizational considerations. Organizations should establish dedicated implementation teams with clear responsibilities and sufficient authority to drive necessary changes across the enterprise.

Project governance should include regular status reviews, risk assessments, and stakeholder communications. Executive sponsorship is essential for securing resources and removing organizational barriers that might impede progress.

Change management practices help ensure smooth transitions and stakeholder acceptance. Training programs, communication plans, and feedback mechanisms all contribute to effective change management outcomes.

Compliance checking

Compliance verification involves systematic evaluation of implemented controls against applicable requirements. Organizations should establish verification procedures that provide objective evidence of compliance status and identify areas requiring remediation.

Internal audit functions play an important role in providing independent assurance over compliance activities. Audit plans should incorporate risk-based prioritization and coordination with external audit requirements where applicable.

Continuous compliance monitoring capabilities enable early detection of control failures or compliance drift. Automated monitoring tools can provide real-time visibility into compliance status across multiple control domains.

Third-party factors

Third-party relationships require careful management to ensure compliance obligations are properly addressed throughout the vendor ecosystem. Due diligence procedures should evaluate vendor compliance capabilities before engagement.

Contractual provisions should clearly allocate compliance responsibilities and establish appropriate oversight mechanisms. Service level agreements should address compliance-relevant performance metrics and reporting requirements.

Ongoing vendor monitoring ensures continued compliance throughout the relationship lifecycle. Periodic assessments, audit rights, and incident response procedures all contribute to effective third-party risk management.

Strategic factors

Strategic alignment ensures that compliance initiatives support broader organizational objectives while addressing regulatory requirements. Leadership should evaluate how this development affects competitive positioning, operational efficiency, and stakeholder relationships.

Resource planning should account for both immediate implementation needs and ongoing operational requirements. Organizations should develop realistic timelines that balance urgency with practical constraints on resource availability and organizational capacity for change.

Key metrics

Effective monitoring programs provide visibility into compliance status and control effectiveness. Key performance indicators should be established for critical control areas, with regular reporting to appropriate stakeholders.

Metrics should address both compliance outcomes and process efficiency, enabling continuous improvement of compliance operations. Trend analysis helps identify emerging issues and evaluate the impact of improvement initiatives.

What this means for business

This development carries significant strategic implications for organizations across multiple sectors. Business leaders should evaluate how these changes affect their competitive positioning, operational models, and stakeholder relationships. Early adopters who address emerging requirements often gain advantages over competitors who delay action until compliance becomes mandatory.

Strategic planning should incorporate scenario analysis that considers various implementation approaches and their associated costs, benefits, and risks. Organizations should also consider how their response to this development affects relationships with customers, partners, regulators, and other key stakeholders.

Operational approach

Achieving operational excellence in response to this development requires systematic attention to process design, technology enablement, and workforce capabilities. Organizations should establish clear operational metrics that track both compliance outcomes and process efficiency, enabling continuous improvement over time.

Operational processes should be designed with appropriate controls, checkpoints, and escalation procedures to ensure consistent execution and timely issue resolution. Automation opportunities should be evaluated and prioritized based on their potential to improve accuracy, reduce costs, and enhance scalability.

Oversight approach

Effective governance ensures appropriate oversight of compliance activities and timely escalation of significant issues. Organizations should establish clear roles, responsibilities, and accountability structures that align with their compliance objectives and risk appetite.

Regular reporting to senior leadership and board-level committees provides visibility into compliance status and supports informed decision-making about resource allocation and risk management priorities.

Adapting over time

Compliance programs should incorporate mechanisms for continuous improvement based on lessons learned, emerging best practices, and evolving requirements. Regular program assessments help identify enhancement opportunities and ensure sustained effectiveness over time.

Organizations that approach this development strategically, with appropriate attention to governance, risk management, and operational excellence, will be well-positioned to achieve compliance objectives while supporting broader business goals.

You may also find useful

Hand-picked articles on adjacent topics.

Compliance · Credibility 71/100 · August 14, 2020

California CCPA regulations approved and effective immediately

California’s Office of Administrative Law approved the CCPA regulations on 14 August 2020, making the rules effective the same day and clarifying notices, opt-outs, and recordkeeping obligations.

Compliance · Credibility 71/100 · February 14, 2023

CPPA files final CPRA regulations with California OAL

California's CPPA filed final CPRA regulations in February 2023, adding implementation detail to the statute. Risk assessments, automated decision-making disclosures, and updated privacy notice requirements. The…

Compliance · Credibility 73/100 · April 29, 2020

Brazil issues MP 959 to delay LGPD effective date

Brazil’s Provisional Measure 959/2020 proposed pushing the LGPD effective date to May 3, 2021 because of COVID-19 disruptions, forcing privacy teams to revisit project timelines while tracking congressional review of the…

Compliance · Credibility 73/100 · March 11, 2020

California AG issues second CCPA modifications

California's Attorney General released a second set of modified CCPA regulations on March 11, 2020, clarifying consumer notice wording, offline opt-out obligations, and rules for user-enabled privacy controls. Businesses…

Compliance · Credibility 83/100 · February 7, 2020

California AG issues modified CCPA regulations

The California AG released modified CCPA regulations addressing industry feedback. Key clarifications include how to handle Do Not Sell requests, verification requirements for access requests, and what counts as…

Continue in the Compliance pillar

Return to the hub for curated research and deep-dive guides.

Visit pillar hub

Latest guides

• Third-Party Risk Oversight Playbook

  Operationalize OCC, Federal Reserve, EBA, and MAS outsourcing expectations with lifecycle controls, continuous monitoring, and board reporting.

• Compliance Operations Control Room

  Implement cross-border compliance operations that satisfy Sarbanes-Oxley, DOJ guidance, EU DORA, and MAS TRM requirements with verifiable evidence flows.

• ESG Assurance Operating Guide

  Deploy credible ESG assurance across CSRD, SEC climate disclosure, and ISSA 5000 requirements with regulator-aligned controls, data governance, and audit-ready evidence.

Coverage intelligence

Published

July 1, 2020

Coverage pillar

Compliance

Source credibility

71/100 — medium confidence

Topics

CCPA · consumer rights · privacy compliance · california

Sources cited

2 sources (iso.org, federalregister.gov)

Reading time

6 min

Documentation

1. Industry Standards and Best Practices — International Organization for Standardization
2. Federal Register Regulatory Notices