CCPA: Last-Minute Checks and What to Expect in 2020

2020 will bring in a new decade of unprecedented data privacy laws worldwide. The United States is working on a federal proposal, Brazil’s LGPD will go into effect this summer, continued talk of the use of cookies, a proposal in Europe to not only fine companies, but to have the option to sentence jail time, the U.K. vote earlier this month, and more all set the stage for an exciting year. But the data privacy law that will take over the start of 2020 is the CCPA.

With 2019 coming to a close and the CCPA deadline for compliance a couple of days away, we wanted to revisit the law and some last-minute details to make sure that you are prepared for 2020.

Assess Whether CCPA Applies to the Organization

Does your organization need to comply with CCPA? Not all companies will find that they fall under the definition provided. The law specifies that businesses that do business in California, regardless of their headquartered location, and meet any of the following criteria must comply:

  • Business that have annual gross revenues in excess of $25 million​
  • ​Businesses that annually buy, receive for the business’ commercial purposes, sell or share for commercial purposes, alone or in combination, the personal information of 50,000 or more consumers, households, or devices​
  • Businesses that derive 50 percent or more of their annual revenues from selling consumers’ personal information​

Review your Vendor Relationships

For a recap of how to prepare, revisit our blog where we discuss how to make sure your relationships with third party data complies with CCPA. Some steps that organizations can take to understand how to handle vendor relationships and prepare for CCPA are summarized below:

  • Create a list of all vendors and third parties that are receiving data from the organization.
  • Review any existing data maps, which should include all the organizations that your business is sharing data with, as well as the purpose of sharing the data.
  • Review contracts with all outside organizations to assess the rights the partner/vendor has to the data and determine if additional Privacy Impact Assessments will be required.
  • Outline how third-party organizations are permitted to use the data; are they able to act as a data controller?
  • Identify controllers and processors in contracts so you know who is the decision-maker when it comes to the data being shared among organizations.

Additional Checkpoints:

  • Review and Update your Privacy Policy.
  • Enable consumer requests, engagement and opt-out of data sales.
  • Make sure all employees are trained and know what to expect with CCPA.

Expect the CCPA to be Enforced

If you were hoping to wait until 2020 to see how CCPA unfolds in the new year, you may want to reevaluate and take steps to prepare quickly.

December has made it clear that California will not be taking the CCPA lightly. In response to requests to postpone the CCPA deadline, Attorney General Xavier Becerra said in an interview with Reuters, “We will look kindly, given that we are an agency with limited resources, and we will look kindly on those that … demonstrate an effort to comply. If they are not (operating properly) … I will descend on them and make an example of them, to show that if you don’t do it the right way, this is what is going to happen to you.”

With that bold statement and the announcement for the proposed California Privacy Rights Act, California is making a prominent display of just how seriously data privacy rights will be taken by the state, leading the way in this space.

One of the interesting pieces of the CCPA, and one that businesses need to be keenly aware of, is consumer’s Private Right to Action. In the new year we will be looking to see how California residents may exercise this right, what if any lawsuits may unfold, how companies will be responding, and the fines that will be paid. These lawsuits may originate from instances where their “non-encrypted or non-redacted personal information” is breached, or if they feel that their data has not been handled according to accepted agreements. Under the CCPA, consumers can collect between $100 and $750 for each event. If the damages are greater than $750, then the consumer may receive even more.

This all means that California is taking this law very seriously. If you would like more insight into CCPA, take a look at our previous series on the topic here. We at Validity will continue to keep you updated on the ever-evolving data privacy space and wish you a Happy New Year!

minute read

Popular stories



BriteVerify email verification ensures that an email address actually exists in real-time


The #1 global data quality tool used by thousands of Salesforce admins


Insights and deliverability guidance from the only all-in-one email marketing solution

GridBuddy Cloud

Transform how you interact with your data through the versatility of grids.

Return Path

World-class deliverability applications to optimize email marketing programs

Trust Assessments

A revolutionary new solution for assessing Salesforce data quality


Validity for Email

Increase inbox placement and maximize subscriber reach with clean and actionable data

Validity for Data Management

Simplify data management with solutions that improve data quality and increase CRM adoption

Validity for Sales Productivity

Give your sales team back hours per day with tools designed to increase productivity and mitigate pipeline risks in real-time