CCPA Compliance for Startups

Written by John Lister (FreePrivacyPolicy Legal writer) and last updated on 01 July 2022.

CCPA Compliance for Startups

If you're starting a business located in California or serving its residents, you may fall under the scope of the state's privacy laws. This includes the existing California Consumer Privacy Act (CCPA). Even if you don't fall under the law yet, you might eventually as your business expands, so it pays to plan ahead.

Here's what you need to know for making sure your startup complies with the CCPA.

Our Free Privacy Policy Generator helps you create a custom Privacy Policy for your website and mobile app. Just follow these few simple steps and your Privacy Policy will be ready to display in minutes.

  1. Click on the "Free Privacy Policy Generator" button, located at the top of the website.
  2. Select where your Privacy Policy will be used:
  3. FreePrivacyPolicy: Privacy Policy Generator - Select platforms where your Privacy Policy will be used - Step 1

  4. Answer a few questions about your business:
  5. FreePrivacyPolicy: Privacy Policy Generator - Answer a few questions about your business - Step 2

  6. Enter the country and click on the "Next Step" button:
  7. FreePrivacyPolicy: Privacy Policy Generator - Enter the country - Step 2

  8. Continue with building your Privacy Policy while answering on questions from our wizard:
  9. FreePrivacyPolicy: Privacy Policy Generator -  Answer on questions from our wizard - Step 3

  10. Almost done. Now enter your email address where you'd like your new Privacy Policy sent and click on the "Generate" button and you're done.

    FreePrivacyPolicy: Privacy Policy Generator - Enter your email address - Step 4

    That's it. Now you can copy and paste your Privacy Policy code into your website, or link to your hosted Privacy Policy.

Who the CCPA Applies to

The CCPA applies if you meet any of the following three thresholds:

  • Your annual worldwide revenue exceeds $25 million
  • You buy, sell or disclose data about more than 50,000 consumers, households or devices in California in the same year
  • At least 50% of your annual revenue comes from selling data about Californian consumers

Note that starting in 2023, the law will change so that the 50% threshold applies to revenue from sharing rather than simply selling personal information.

If the CCPA doesn't apply to you, you could still have to comply with some other data protection laws. We've covered these at the end of this article.

CCPA Consumer Rights

The purpose of the CCPA is to establish and uphold five consumer privacy rights. That means regulators and judges will refer back to these rights when settling any ambiguity about specific measures in the law. The rights are as follows:

  • To know what personal information you collect about them
  • To be able to access and review the information you collect
  • To know if you sell or share their information and, if so, with whom
  • To stop you selling their personal information
  • To get equal access to your services (with no price increase) even if they exercise these rights

Walt Disney details some of these rights in its Privacy Policy:

Walt Disney Privacy Policy: Your California Privacy Rights section

Make sure you let consumers know about their rights, and also make sure you're able to facilitate them when consumers wish to exert any of the rights.

Complying with the CCPA

Complying with the CCPA

The CCPA covers a wide range of measures that businesses need to take, though it really comes down to:

  • Keeping track of the data you handle
  • Letting customers know what you do with data (both specifically theirs and data in general)
  • Respecting their request not to sell their data

Let's break down what you need to do.

Organize Your Data

Most of your responsibilities under the CCPA involve detailing whether you take certain actions with data from a particular category. The law sets out the following 11 categories:

  1. Identifiers (names, addresses and ID numbers)
  2. Personal information as defined by section 1798.80 (e) of the California code. (This partly duplicates section A but also adds things like education, employment history and financial information)
  3. Information about characteristics protected by federal or California law (such as race, religion or gender)
  4. Commercial information (such as purchase history)
  5. Biometric information
  6. Internet information such as search history
  7. Geolocation information
  8. Audio, electronic, olfactory, thermal or visual information
  9. Employment information
  10. Education information that isn't publicly available
  11. Inferred information for profiling (such as a customer having a preference for a particular type of product)

As a startup company that serves California, it's well worth setting up your databases and records to organize or tag your records using these categories. This will make future compliance far simpler.

Note that for now the law only covers consumer information. Information you handle about your employees for human resources purposes and business-to-business information won't be covered until 2023.

Give Information When Collecting Data

When you collect personal information from a consumer you must tell them:

  • Which category or categories the data falls into
  • The purpose (or purposes) for which you'll use the data

Remember that this applies to the specific information which you are gathering from the consumer.

Give General Information

Under the CCPA, you must list information about consumer rights and your overall use of data. You must list this information either in your Privacy Policy (if you have one) or in a dedicated section covering California privacy rights (if you have one). If you don't have either, you must list the information somewhere on your website.

For each of the 11 categories you must list:

  • Whether you've collected any consumer data in the previous 12 months
  • Whether you've sold any consumer data in the previous 12 months
  • Whether you've disclosed any consumer data in the previous 12 months

You must review and update these lists at least once every 12 months.

Gannett gives examples of the data it may have collected in each category. This errs on the side of caution, though a more company-specific thus accurate list might be more useful for consumers:

Gannett Privacy Policy for California Residents: CCPA - Personal Information We Collect clause and chart excerpt

As well as these lists, you should list the rights that the CCPA gives consumers, plus details of how they can contact you to exercise these rights.

Aquatalia offers two ways to do this:

Aquatalia How to Exercise Your CCPA Rights: Form and phone number highlighted

Handle Data Access Requests

While your website lists your overall use of data in the previous 12 months, consumers also have the right to ask how you've used their personal data during that time. You must set up your records and procedures so that you can respond accurately to such requests, normally within 45 days. (You can take up to 90 days if it's necessary to do so, as long as you warn the user about the delay within the original 45-day deadline.)

When you respond to a data access request you must tell the consumer:

  • The categories covering their information that you've collected, sold or disclosed
  • The specific information you have
  • Where you got the information from
  • Why you used the information
  • Who you've shared the information with (if anyone)

Comply With 'Do Not Sell' Rules

The CCPA says you must create a dedicated opt-out web page where consumers can tell you not to sell their data. It's an opt-out decision so technically you can sell consumer data until they tell you to stop.

At the least, this page must have a toll-free number for making the opt-out request. It's best to offer an alternative method as well such as contact details for sending a request or, ideally, an online form.

You must link to this page using the specific text "Do Not Sell My Personal Information." This link must appear:

  • On your website
  • In your Privacy Policy
  • In a dedicated section on California privacy rights (if you have one)

The Atlantic includes the link in its footer menu so it appears on every page:

The Atlantic website footer with Do Not Sell My Personal Information link highlighted

When users click these links, they should be taken to an informative page with options for opting out of the sale of their personal information.

CCPA Penalties and Procedures

CCPA Penalties and Procedures

You could face three different types of penalties for violating the CCPA:

  • The Attorney General can give you 30 days to fix a violation and then fine you up to $7,500 for each violation you don't fix.
  • Individuals can report a violation involving their personal data to the Attorney General. If the Attorney General doesn't take action, the individual can sue you in civil court.
  • If you suffer a data breach and hadn't adequately secured the data, individuals can sue you in civil court. If they win, the court can order you to pay damages of between $100 and $750 per consumer without the consumer having to prove actual financial damage. The court can order you to pay the actual financial damages for a consumer if they exceed $750.

The CCPA's Successor: The CPRA

In November 2020 Californians voted in favor of a ballot measure to introduce a new law, the California Privacy Rights Act (CPRA). This amends and builds on the measures of the CCPA. Most CPRA measures will take effect from the start of 2023 following a period of rulemaking, with enforcement starting in July 2023.

Eligibility will change as follows:

  • The "customer number" threshold will double from 50,000 to 100,000 Californian people or households, with devices no longer counting.
  • The "business type" threshold will expand from 50% of revenue coming from selling personal information about Californiana to 50% of revenue coming from passing on such information in any way (even without payment) or even simply making it available.
  • The $25 million annual revenue threshold remains the same.

Remember that the rules apply if you meet any of the three thresholds.

Other changes with the CPRA include the following:

  • Sensitive personal information will have added protections. You must get opt-in consent before using or disclosing such information and people must have the right to withdraw this consent and opt out. You must only use this information for the specified purpose. Sensitive personal information will count as a 12th category when you list how you use data.
  • The right to opt out of you sharing personal information now specifically covers "cross-context behavioral advertising" even if you aren't being paid for the information.
  • A new organization, the California Privacy Protection Agency, will take over enforcement from the state Attorney General. It will have the right to order businesses to audit or risk assess their data procedures.

Customers have new rights under the CPRA:

  • To correct their data
  • To know if you use automated decision making such as profiling and to opt out.
  • To restrict the way you disclose sensitive information, for example to only use it for providing requested goods or services. (Businesses that use such information in other ways must add a "Limit The Use Of My Sensitive Personal Information" page that links to a dedicated page where people can exercise this right.)
  • To not only ask you to delete their data but to pass on the request to any third party to which you disclosed the data.
  • To ask you to pass on their data to a third party in a machine-readable format. (For example, to transfer their data to use on a competing service.)

Other Data Privacy Laws

Other Data Privacy Laws

Even if you don't meet the CCPA thresholds, your start-up business may come under several other state, national and international privacy laws. Key ones to watch out for include the following.

Children's Online Privacy Protection Act (COPPA)

COPPA is a U.S. federal law that applies if you run a website or online service (such as an app) and either you know you collect personal information about children aged under 13, or you aim your content at children aged under 13.

If COPPA applies you must post a privacy notice and get verifiable consent from parents or guardians before collecting personal information about children aged under 13.

General Data Protection Regulation (GDPR)

The GDPR applies if you are either based in a European Union country, or you process data about somebody in the EU.

The GDPR requires that you only process personal data if a specific legal basis applies, most commonly that the data subject has actively consented or that you have "legitimate interests" in processing the data that don't outweigh the data subject's rights.

New York Stop Hacks and Improve Electronic Data Security Act (NY SHIELD)

NY SHIELD is a state law that applies if you handle private information about New York state residents, even if you don't physically operate in the state.

The law says you must have a data security program; use technical, physical and organizational safeguards, and inform data subjects and state officials about any data breach.


Let's recap what you need to know about privacy laws when starting a business:

  • The CCPA applies if you meet annual thresholds on revenue (more than $25 million), data records (50,000 Californians) or business type (at least half from selling data about Californians).
  • If CCPA applies you'll need to organize your records so you know how you use personal data in 11 specific categories.
  • When you collect personal data you must tell the consumer which categories cover the data and how you'll use it.
  • Your website must list whether you've collected, sold or disclosed data in each category in the past 12 months.
  • Customers have the right to ask what data you've collected about them, where you got it, why you used it and who you've shared it with.
  • Your website must have a page for consumers to opt out of you selling their data. You must link to this from your homepage with the link text "Do Not Sell My Personal Information.
  • Violating the CCPA and failing to fix the violation can lead to fines of $7,500 per violation.
  • If you don't secure data and suffer a breach you could have to pay damages up to $750 per consumer or more if they can prove financial harm.
  • A new law, the CPRA, takes effect from 2023. It builds on the CPPA.
  • The CPRA adds a 12th category, sensitive personal information. You cannot collect this without getting prior consent, which can be withdrawn later. Consumers can insist you only use this information for a specific narrow purpose.
  • Other data laws may apply to your start-up business. These include COPPA, the GDPR and the NY SHIELD Act.