Compliance Briefing — July 1, 2020
Detailed playbook for the July 1, 2020 launch of California Attorney General enforcement of the CCPA, spotlighting notice obligations, request-handling mechanics, cross-border data controls, and continuous improvement tactics for privacy teams.
California Attorney General enforcement of the California Consumer Privacy Act (CCPA) began on July 1, 2020 after the six-month buffer following the law’s January 1 effective date. For privacy, legal, security, and data science teams, that milestone transformed the statute from a compliance planning exercise into a live operational obligation with real penalties, public exposure, and remediation requirements. This briefing consolidates the enforcement landscape, the operational mechanics for honoring consumer rights, and a pragmatic checklist for demonstrating readiness to investigators, business partners, and company leadership.
The California Department of Justice (DOJ) has signaled that enforcement will prioritize clear consumer harms, repeated violations, and businesses that ignore complaints or statutory notices. Because the DOJ can move without issuing regulations tailored to every scenario, organizations must be able to justify their interpretations with documented risk assessments, data maps, and governance records. The briefing below is designed to help teams build and defend those records with concrete actions tied to the statute and published DOJ guidance.
Enforcement triggers
Scope and applicability. The Attorney General enforces the law against for-profit businesses that collect Californians' personal information and meet at least one statutory threshold: annual gross revenue above $25 million; annually buying, receiving, selling, or sharing for commercial purposes the personal information of 50,000 or more consumers, households, or devices; or deriving 50% or more of annual revenue from selling personal information. (The CPRA raised the second threshold to 100,000 consumers or households, effective January 1, 2023.) Hybrid entities that act as both businesses and service providers must consider both roles when evaluating obligations.
Notice and cure window. Before bringing an action, the Attorney General must give written notice and allow 30 days to cure the alleged violation (Civil Code § 1798.155). A cure is more than a quick patch: the DOJ expects documented fixes, deletion of data that should not have been collected, and verification that downstream service providers have corrected the same issue. Note that the CPRA removed this guaranteed cure period for enforcement after January 1, 2023, so the 30-day window should be treated as a grace period of the first enforcement years rather than a permanent feature.
Priorities and complaints. Early enforcement has focused on missing “Do Not Sell” links, inadequate privacy notices, and businesses failing to respond to consumer requests within statutory timelines. The DOJ also investigates consumer and competitor complaints, media reports, and referrals from other regulators. Organizations should treat every inbound privacy complaint as a potential trigger and maintain an auditable intake log that captures timestamps, requester identity verification decisions, and remediation actions.
Regulations and evolving standards. The DOJ's implementing regulations, submitted to the Office of Administrative Law in June 2020, approved on August 14, 2020, and supplemented by later amendments, clarify how notices must be presented, how opt-out requests must work on mobile devices, and how to honor user-enabled global privacy controls. Teams should track amendments and published Attorney General enforcement examples because they show how the office interprets ambiguous statutory language and what it considers a reasonable cure.
Data subject rights and request handling
Right to know. Businesses must offer at least two submission methods, one of which must be a toll-free number unless the business operates exclusively online and has a direct relationship with the consumer, in which case an email address suffices. Responses must disclose the categories and specific pieces of personal information collected, the sources, the business or commercial purposes, and the categories of third parties with which the information was shared or sold. They must cover the 12 months preceding the request, be delivered within 45 days of receipt (extendable once by a further 45 days with notice to the consumer, 90 days in total), and be provided by mail or electronically in a portable and, to the extent technically feasible, readily usable format.
Right to delete. Organizations must delete personal information upon a verified request unless a statutory exception applies (for example, detecting security incidents, complying with a legal obligation, or internal uses reasonably aligned with the consumer's expectations given their relationship with the business). The regulations allow deletion by permanent erasure, de-identification, or aggregation. The business must also direct its service providers and contractors to delete the data and should capture their confirmations in an audit log. If a request is denied in whole or in part, the business must tell the consumer which exception applies, delete everything not covered by it, and use the retained data only for the purpose that justified keeping it.
Right to opt out of sale or sharing. The CCPA requires a clear and conspicuous "Do Not Sell My Personal Information" link on the homepage and in the privacy policy (the CPRA amendments, effective January 1, 2023, extend the right to "sharing" for cross-context behavioral advertising and rename the link "Do Not Sell or Share My Personal Information"). The regulations require businesses to treat a user-enabled global privacy control, such as a browser or extension signal, as a valid opt-out request; if the signal conflicts with a setting the consumer chose on the business's own site, the business must honor the signal and may notify the consumer of the conflict. Service-provider contracts should prohibit retaining, using, or disclosing data for any purpose outside the contracted services; without that language, a transfer to the vendor may itself be a sale.
Right to non-discrimination. A business may not deny goods or services, charge different prices, or provide a different level of service because a consumer exercised a CCPA right, unless the difference is reasonably related to the value provided to the business by the consumer's data; the financial-incentive notice must describe that value and the good-faith method used to calculate it. Loyalty programs are financial incentives and need clear notices explaining material terms, data uses, how to opt in, and the effect of withdrawing.
Identity verification. The verification standard scales with the sensitivity of the data and the risk of harm from wrongful disclosure or deletion. Password-protected account holders can be verified through the existing login, with re-authentication for higher-risk requests. For non-accountholders, the regulations call for matching at least two data points the business already holds to reach a reasonable degree of certainty, which suffices for disclosing categories of information or deleting low-risk data; disclosing specific pieces of information or deleting sensitive data requires a reasonably high degree of certainty, typically three matching data points plus a signed declaration under penalty of perjury. The DOJ cautions against over-collection: request only the minimum data needed to verify the requester, and never disclose Social Security numbers, government ID numbers, financial account numbers, account passwords, or security questions in response to a request.
Children’s data. A business with actual knowledge that a consumer is under 16 may not sell that consumer's personal information without affirmative authorization: an opt-in from the consumer for ages 13 to 15, and verifiable parental or guardian consent for children under 13, using a reasonable method to confirm that the person consenting is actually the parent. Maintain granular records of consent status, collection sources, and revocation dates to demonstrate diligence during investigations.
Data governance and records
Data inventory and classification. Enforcement readiness depends on a current data map that links collection points, systems, and vendors to statutory categories (identifiers, commercial information, biometrics, geolocation, inferences, etc.). Classification should flag sensitive data, retention periods, and lawful bases for collection to support proportional security controls.
Retention and deletion schedules. Publish retention statements consistent with actual system behavior. Automated deletion workflows or review cadences should be documented, with exceptions approved by legal and tracked in a ticketing system. When honoring deletion requests, teams should show how retention limits and legal holds were evaluated.
Vendor management. Contracts with service providers and contractors must incorporate CCPA-specific terms: limits on use outside the contract, obligations to assist with consumer requests, and requirements to notify of unauthorized use. Maintain copies of signed agreements, assessments of vendor security, and results of periodic reviews.
Security controls. The CCPA does not prescribe specific safeguards, but Civil Code § 1798.150 gives consumers a private right of action when nonencrypted and nonredacted personal information is exposed through a failure to implement and maintain reasonable security procedures appropriate to the nature of the information (the duty in Civil Code § 1798.81.5). That exposure raises the stakes for access controls, encryption of data at rest and in transit, network monitoring, and an incident response plan that can establish quickly whether the data involved was encrypted. Documented tabletop exercises and breach simulations help demonstrate reasonable security practices.
Compliance checklist
Use the following checklist to prepare for potential Attorney General inquiries and to support board or executive briefings:
- Governance and oversight. Identify an accountable executive owner, establish a cross-functional privacy steering committee, and schedule quarterly reviews of CCPA metrics and regulatory updates.
- Privacy notices. Confirm that website and mobile notices cover collection purposes, categories, sharing/selling practices, retention periods, and consumer rights. Verify that the notice at collection appears at or before data intake.
- Opt-out mechanisms. Place a visible “Do Not Sell or Share My Personal Information” control, respect global privacy control signals, and test opt-out persistence across sessions and devices.
- Consumer request workflows. Publish at least two intake methods, verify identity appropriately, track statutory timelines, and maintain templates for right-to-know and deletion responses. Include procedures for forwarding requests to service providers.
- Children’s privacy. Implement age-gating where appropriate, maintain verifiable parental consent records for under-13 users, and configure opt-in flows for users aged 13–15.
- Training. Train customer support, marketing, engineering, and data teams on CCPA duties, escalation paths, and how to recognize opt-out signals. Keep attendance logs and training materials.
- Data minimization and retention. Limit collection to what is reasonably necessary, enforce retention schedules, and document exceptions. Align data schemas to ensure deletion cascades to replicas, backups (within reason), and analytics datasets.
- Vendor controls. Inventory service providers and contractors, map data flows, and store executed agreements with CCPA clauses. Confirm that vendors can process deletion and access requests and that they prohibit secondary use.
- Security program. Maintain access controls, encryption standards, incident response runbooks, vulnerability management cycles, and evidence of recent tests or audits.
- Evidence management. Centralize documentation of requests, notices, DPIAs, and remediation tickets. During a 30-day cure period, the ability to produce clear, date-stamped evidence is often decisive.
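The opt-out paragraph above and the checklist items on opt-out mechanisms and consumer request workflows both reduce to a small amount of request-handling logic. The following Python module is an added example written for this briefing, not code from the original page or from the Attorney General's office. It treats the `Sec-GPC: 1` request header defined by the Global Privacy Control specification as an opt-out, persists that opt-out against a consumer identifier so it survives later requests that lack the header (a different browser or a native app), appends an audit entry, and tracks the 45-day response clock with its single 45-day extension. The header and cookie dicts, the `cid` cookie name, and the in-memory stores are assumptions for illustration.

```python
"""Added example (not the briefing's or the Attorney General's code): minimal
intake logic for the Global Privacy Control (GPC) opt-out signal and for the
45-day response clock on right-to-know and deletion requests.

Assumptions (hypothetical, not from the page): HTTP headers and cookies arrive
as plain dicts, the consumer/device identifier is a cookie named "cid", and
opt-out state plus the audit log live in memory. A real deployment would back
both with durable storage shared across web and mobile properties.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, List, Optional

INITIAL_WINDOW_DAYS = 45   # statutory response period
EXTENSION_DAYS = 45        # one extension permitted, with notice to the consumer


def gpc_signal_present(headers: Dict[str, str]) -> bool:
    """True only for the exact 'Sec-GPC: 1' header defined by the GPC spec.

    Header names are case-insensitive; any value other than '1' is not a
    signal and must not be read as consent either.
    """
    for name, value in headers.items():
        if name.lower() == "sec-gpc":
            return value.strip() == "1"
    return False


@dataclass
class OptOutStore:
    """Opt-out state keyed by consumer identifier, plus an append-only audit log."""
    opted_out: Dict[str, str] = field(default_factory=dict)   # cid -> source of opt-out
    audit_log: List[dict] = field(default_factory=list)

    def apply_request(self, headers: Dict[str, str], cookies: Dict[str, str],
                      today_iso: str) -> dict:
        """Decide whether this request's data may be sold/shared; persist new opt-outs.

        A previously recorded opt-out wins even when the current request carries
        no GPC header, which is what 'persistence across sessions and devices'
        means in practice.
        """
        cid = cookies.get("cid")
        decision = {"consumer_id": cid, "opt_out": False, "source": None}
        if cid is None:
            # No stable identifier to persist against: still suppress sale for
            # this one request if the signal is present.
            if gpc_signal_present(headers):
                decision.update(opt_out=True, source="gpc-session")
            return decision
        if cid in self.opted_out:
            decision.update(opt_out=True, source=self.opted_out[cid])
        elif gpc_signal_present(headers):
            self.opted_out[cid] = "gpc"
            self.audit_log.append({"date": today_iso, "consumer_id": cid,
                                   "event": "opt_out_recorded", "source": "gpc"})
            decision.update(opt_out=True, source="gpc")
        return decision


@dataclass
class ConsumerRequest:
    """A verified right-to-know or deletion request and its statutory clock."""
    received: date
    right: str                                # "know" or "delete"
    extension_notice: Optional[date] = None   # date the extension notice went out

    @classmethod
    def from_iso(cls, received_iso: str, right: str) -> "ConsumerRequest":
        if right not in ("know", "delete"):
            raise ValueError("right must be 'know' or 'delete'")
        return cls(received=date.fromisoformat(received_iso), right=right)

    def deadline(self) -> str:
        days = INITIAL_WINDOW_DAYS + (EXTENSION_DAYS if self.extension_notice else 0)
        return (self.received + timedelta(days=days)).isoformat()

    def extend(self, notice_iso: str) -> str:
        """Record the single permitted extension; notice must precede the initial deadline."""
        notice = date.fromisoformat(notice_iso)
        if self.extension_notice is not None:
            raise ValueError("only one 45-day extension is permitted")
        if notice > self.received + timedelta(days=INITIAL_WINDOW_DAYS):
            raise ValueError("extension notice sent after the initial 45-day deadline")
        self.extension_notice = notice
        return self.deadline()

    def overdue(self, today_iso: str) -> bool:
        return date.fromisoformat(today_iso) > date.fromisoformat(self.deadline())


if __name__ == "__main__":
    store = OptOutStore()
    # Constructed sample traffic: a browser with GPC enabled, then an app without it.
    print(store.apply_request({"Sec-GPC": "1"}, {"cid": "c-123"}, "2020-07-01"))
    print(store.apply_request({}, {"cid": "c-123"}, "2020-07-02"))
    req = ConsumerRequest.from_iso("2020-07-01", "know")
    print(req.deadline(), req.extend("2020-08-10"))
```

The audit entry is written only when an opt-out is first recorded, so the log stays an evidence trail rather than a per-request firehose; a second device for the same consumer is honored from stored state without a new entry. The extension check enforces the regulatory sequencing (notice within the first 45 days, one extension only) rather than just adding days, which is the condition an investigator will test when sampling request logs.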
Penalties, audits, and remediation
Monetary exposure. The Attorney General can seek civil penalties of up to $2,500 per violation, or up to $7,500 per intentional violation, for violations not cured within the 30-day window; penalties are assessed per violation, so exposure scales with the number of affected consumers or mishandled requests. For security incidents in which nonencrypted and nonredacted personal information is subject to unauthorized access, theft, or disclosure, consumers may recover statutory damages of $100 to $750 per consumer per incident or actual damages, whichever is greater, under the private right of action; a consumer must give 30 days' written notice and an opportunity to cure before seeking statutory damages, though not before seeking actual damages.
Audit posture. Expect investigators to request privacy notices, training records, data maps, vendor lists, samples of consumer request logs, and evidence of honoring opt-out signals. Responses should demonstrate consistency between published policies and system behavior. Misalignment between marketing scripts and privacy notices is a common weakness.
Remediation strategy. During the 30-day cure window, prioritize actions that halt ongoing violations (e.g., disabling trackers pending opt-out support), notify affected consumers where appropriate, and implement technical fixes with QA evidence. Follow-up communications to the DOJ should describe the root cause, corrective actions taken, and controls preventing recurrence.
Continuous improvement. Track metrics such as request volume by right type, average time to fulfillment, opt-out signal success rate, vendor response times, and incident closeout durations. Use these metrics to brief leadership and to prove proportionality of controls if questioned by regulators.
By grounding operations in statutory language, DOJ regulations, and published enforcement examples, privacy teams can move beyond checklist compliance to a verifiable, evidence-driven program. Authentic documentation—data maps, request logs, notices, and vendor agreements—provides the defensibility needed once enforcement begins.
Authoritative references: California Office of the Attorney General, “California Consumer Privacy Act (CCPA),” https://oag.ca.gov/privacy/ccpa; California Civil Code § 1798.140 (definitions and business thresholds), § 1798.150 (private right of action), § 1798.155 (enforcement and civil penalties), § 1798.81.5 (reasonable security), leginfo.legislature.ca.gov; CCPA regulations, Cal. Code Regs. tit. 11, § 999.300 et seq.