The list below is far from an exhaustive legal document; it is merely meant as a guideline to help you go through the process.
Feel free to contribute directly on GitHub!
My company is for-profit, conducts business in California, collects personal data of California residents and determines the purposes and means of processing consumers' personal information.
My company has annual gross revenues in excess of $25 million OR buys, receives, sells, or shares the personal information of 50,000 or more consumers, households, or devices OR earns more than half of its annual revenue from selling consumers' personal information.
My company processes medical information governed by the California Confidentiality of Medical Information Act (CMIA), protected health information collected by a covered entity or business associate governed by the Health Insurance Portability and Accountability Act (HIPAA), or information collected as part of a clinical trial.
My company processes personal information collected, processed, sold, or disclosed pursuant to the Gramm-Leach-Bliley Act or the California Financial Information Privacy Act.
My company processes information collected, processed, sold, or disclosed pursuant to the Driver’s Privacy Protection Act of 1994.
My company takes part in a sale of personal information to or from a consumer reporting agency, where that information is to be reported in, or used to generate, a consumer report subject to the Fair Credit Reporting Act.
My company retains or discloses personal information in order to comply with federal, state, or local law, or with a civil, criminal, or regulatory investigation, subpoena, or summons (the CCPA does not restrict a business's ability to do so).
My company cooperates with law enforcement agencies or exercises or defends legal claims (activities the CCPA does not restrict).
My company processes identifiers such as a real name, alias, postal address, unique personal identifier, online identifier, IP address, email address, account name, Social Security number, driver’s license number, or passport number.
My company processes the categories of personal information described in California’s Records Destruction Law (Cal. Civ. Code § 1798.80(e)), which additionally include the signature, physical characteristics or description, telephone number, insurance policy number, education, employment, employment history, and financial account information.
My company processes characteristics of protected classifications under California or federal law.
My company processes commercial information, including records of personal property, products or services purchased, obtained or considered, or other purchasing or consuming histories or tendencies.
My company processes biometric information.
My company processes internet or other electronic network activity, such as browsing history, search history, and information regarding a consumer’s interaction with a website, application, or advertisement.
My company processes geolocation data.
My company processes audio, electronic, visual, thermal, olfactory, or similar information.
My company processes professional or employment-related information.
My company processes education information that is not publicly available personally identifiable information, as defined in the Family Educational Rights and Privacy Act (20 U.S.C. § 1232g, 34 CFR Part 99).
My company draws inferences from any of the information listed above to create a profile about a consumer reflecting the consumer’s preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes.
When requested, your company has to inform the consumer what categories and which specific pieces of personal information you have collected about them.
Your company has to verify the identity of consumers who request to access or delete their personal information.
Your company has to inform the consumer before the point of collection about the categories of personal information you collect and the purposes for which the categories of personal information shall be used.
Your company has to deliver information to consumers free of charge within 45 days, by mail or electronically.
The information your company has to deliver is portable, to the extent technically feasible, in a readily useable format that allows consumers to transmit this information to another entity “without hindrance”.
Your company has to delete personal information when consumers request it.
Your company has to create a process, and identify the individuals responsible for it, that lets consumers opt out of the sale of their personal information to third parties, and has to stop selling their data in response to such a request.
By default, your company must not sell the personal information of consumers who are at least 13 but under 16 years of age unless they opt in, so your company has to create a process that allows them to do so (for consumers under 13, a parent or guardian must provide the opt-in consent).
Your company has to provide consumers the right to equal services and prices, i.e. it must not discriminate against consumers for exercising their CCPA rights.
Your company has to make available two or more designated methods for the consumer to request their information, including, at a minimum, a toll-free telephone number and website address (if the business maintains a website).
Your company has to train and inform dedicated personnel to properly process new requests to exercise privacy rights.
Your company has to disclose the consumer’s rights to request the deletion of their personal information.
In case your company sells consumers' personal information, you have to inform consumers that their information may be sold and that they have the “right to opt-out” of the sale of their personal information.
In case your company offers financial incentives for the collection, the sale, or the deletion of personal information, you need to disclose those financial incentives to your consumers.
Your website's homepage has to include a clear and conspicuous “Do Not Sell My Personal Information” link that informs consumers of their right to opt out of the sale of their personal information.
Your company has to ensure that agreements with service providers are CCPA compliant.
Your company has to create and maintain a robust incident response plan and reasonable security procedures; the CCPA gives consumers a private right of action for data breaches that result from a business's failure to maintain reasonable security.
Your company has to maintain records of requests and how you responded for 24 months in order to demonstrate your compliance.
In case your company is a data broker, you need to register annually with the California Attorney General and provide information about how consumers may opt out of the sale of their personal information.
Right to access: When you request it, the company has to inform you what categories and which specific pieces of personal information they have collected about you.
Right to notice: The company has to inform you before the point of collection about the categories of personal information they collect and the purposes for which the categories of personal information shall be used.
Right to be forgotten (right to deletion): The company has to delete your personal information when you request it.
Right to opt-out: The company has to make sure you can opt out of the sale of your personal data to third parties when you request it.
Right to opt-in: By default, the company must not sell your personal information if you are at least 13 but under 16 years of age unless you opt in, and it needs a process that allows you to do so if you would like to (for consumers under 13, a parent or guardian must opt in on their behalf).
Right to equal services and prices: The company must not discriminate against you for exercising your CCPA rights, for example by denying you goods or services or charging you a different price.
The information above is not the same as legal advice, where an attorney applies the law to your specific circumstances, so we insist that you consult an attorney if you’d like advice on your interpretation of this information or its accuracy. In a nutshell, you may not rely on this as legal advice, nor as a recommendation of any particular legal understanding.