What is California Consumer Privacy Act (CCPA) Compliance?


In a previous article, we discussed GDPR compliance for businesses in the European Union. Simply put, GDPR changed how businesses may use consumer data for marketing and business purposes while giving consumers more control over how that data is stored, deleted or transmitted.

GDPR is not a U.S. standard and has no federal equivalent, so several states have introduced their own, more rigorous privacy laws to protect consumers. One of these is the California Consumer Privacy Act, or CCPA. This law sets out requirements that businesses collecting the personal information of California residents must follow to protect that data.

What Are the Standards of the CCPA?

First, it’s important to note that the CCPA is in many ways similar to the EU’s GDPR framework: like GDPR, it places the burden of protecting consumer data on the businesses that collect it, in a way that earlier U.S. law did not. This might seem like a burden for businesses, but in practice it forces organizations that use personal data to take the right steps to safeguard it. At the same time, it gives consumers a say in how their information is used and how it exists in a business context.

At the core of the CCPA is the concept of a consumer. Under the law, a consumer is a natural person who is a California resident: someone who is in the state for other than a temporary or transitory purpose, or who is domiciled in California but is temporarily outside it. In practice, this means the CCPA protects California residents only, whereas GDPR protects any data subject located in the EU regardless of residence or citizenship.

CCPA protects the privacy of personal information, which, under the law, encompasses several categories, including:

  • Identifiable data (name, address, etc.)
  • Driver’s license or passport numbers
  • Credit card or social security numbers
  • Income information
  • Political, religious or educational information
  • Biometric data
  • IP addresses
  • Demographic information (age, race, gender)
  • Geolocation data

And others. 

Importantly, CCPA creates a set of consumer rights that include:

  • The right to know what information is collected and how, and what that information is used for (how it is sold, shared or processed). 
  • The right to have their information deleted upon request.
  • The right to opt-out of the sale of their personal information.
  • The right of consumers under the age of 16 to have their personal information sold only with opt-in consent, and the right of consumers under the age of 13 to have that consent given by a parent or guardian.
  • The right to non-discrimination during the exercise of any of the above rights. 

Furthermore, businesses must follow strict guidelines as they gather data from customers, including the following practices:

  • Provide notice to consumers, at or before the point of collection, of the categories of personal information collected and the purposes for which it will be used.
  • Provide clear instructions for how consumers can opt out of the sale of their data, obtain a copy of the data the company holds about them and have that data deleted.
  • Provide a “Do Not Sell My Personal Information” link through which consumers can opt out of the sale of their personal information.
  • Respond to consumer requests within 45 days of receipt (extendable once, by a further 45 days, when reasonably necessary and the consumer is notified of the extension).
  • Disclose why data is being collected, including any financial incentive offered for the retention or sale of that data.
  • Maintain a record of consumer requests and how they were handled for at least 24 months.

These requirements aren’t limited to large businesses. A for-profit business that collects California residents’ personal information falls under the CCPA if it meets at least one of the following criteria:

  1. Buys, sells or shares the personal information of 50,000 or more consumers, households or devices annually (raised to 100,000 consumers or households by the CPRA amendments that took effect in 2023).
  2. Derives 50% or more of its annual revenue from selling consumers’ personal information.
  3. Has gross annual revenue above $25 million.

Businesses trading in the personal information of more than 4 million consumers have additional requirements. 


What Are the Penalties for CCPA Non-Compliance?


Like many frameworks, the severity of non-compliance penalties depends on the context. Penalties are primarily civil and are assessed per violation: unintentional violations start at $2,500 each and intentional violations can reach $7,500 each. This might seem low until you consider that a single lapse typically affects a large number of consumers, perhaps hundreds of thousands, with each affected consumer counted as a separate violation.

Additionally, businesses have 30 days after being notified of alleged non-compliance to cure the violation. If they do not, the enforcement action proceeds and the per-violation penalties apply.

Finally, the law gives consumers a private right of action when non-encrypted and non-redacted personal information is exposed in a data breach caused by the business’s failure to implement reasonable security. Consumers can sue for statutory damages of $100 to $750 per consumer per incident or for actual damages, whichever is greater. As with enforcement actions, the business has 30 days after written notice from the consumer to cure the violation before an action for statutory damages can proceed.

Ways to Stay CCPA Compliant

There are some very straightforward ways to maintain compliance with CCPA, all involving basic improvements to how you approach consumer privacy:

  1. Update your privacy policy to reflect CCPA requirements, including how consumers can opt out of the sale of their data, request a copy of their data and have it deleted.
  2. Implement technical measures to protect privacy and security: encrypt personal information at rest with AES-256 and in transit with TLS 1.2 or later, and redact identifiers where the full value is not needed. Whether stored data was encrypted or redacted is also what decides if a breach triggers the private right of action described above.
  3. Automate documentation and record-keeping, because the CCPA requires you to show that you comply not only with the regulations but with each consumer request, and to keep those records for 24 months.
  4. Automate audits and remediation so that your technical systems, privacy policies and processing practices stay aligned with the CCPA. This also helps you respond to consumer requests within the 45-day window and avoid penalties.
  5. Develop and maintain the consumer notices that disclose your data-gathering practices as required by the CCPA.
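Item 2 above is the only step in this list that is purely technical, and it is the one the breach liability turns on: the private right of action applies to personal information that was stored neither encrypted nor redacted. The program below is an added example, not code from Lazarus Alliance or from any CCPA tooling, showing the two halves of that control in Go’s standard library: a consumer record sealed at rest with AES-256-GCM (bound to the consumer ID so a record cannot be silently swapped between rows), and a server TLS configuration that refuses TLS 1.0 and 1.1. The record contents, the consumer IDs, the function names and the in-process key generation are all constructed for illustration; in a real deployment the key would come from a KMS or HSM and the TLS config would also carry the server certificate.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/tls"
	"errors"
	"fmt"
	"io"
)

// keyLen is 32 bytes: aes.NewCipher selects AES-256 from the key length.
const keyLen = 32

// NewKey returns a random 32-byte data-encryption key. This is a stand-in
// for a key fetched from a KMS or HSM (assumption for the example); a real
// deployment never generates the key next to the data it protects.
func NewKey() ([]byte, error) {
	key := make([]byte, keyLen)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

// newGCM rejects anything other than a 32-byte key so a caller cannot
// silently downgrade to AES-128 by passing a shorter key.
func newGCM(key []byte) (cipher.AEAD, error) {
	if len(key) != keyLen {
		return nil, errors.New("AES-256 requires a 32-byte key")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptRecord seals one consumer record with AES-256-GCM and returns
// nonce || ciphertext || tag. The consumer ID is passed as additional
// authenticated data, so a sealed record copied into another consumer's
// row fails to decrypt instead of leaking the wrong person's data.
func EncryptRecord(key, record, consumerID []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, record, consumerID), nil
}

// DecryptRecord reverses EncryptRecord. Any change to the nonce, ciphertext,
// tag or consumer ID makes gcm.Open return an error.
func DecryptRecord(key, sealed, consumerID []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	ns := gcm.NonceSize()
	if len(sealed) < ns+gcm.Overhead() {
		return nil, errors.New("sealed record too short")
	}
	return gcm.Open(nil, sealed[:ns], sealed[ns:], consumerID)
}

// ServerTLSConfig is the in-transit half: a server config that refuses
// TLS 1.0 and 1.1 handshakes. Certificates are left out of this example;
// they would be loaded with tls.LoadX509KeyPair and placed in Certificates.
func ServerTLSConfig() *tls.Config {
	return &tls.Config{
		MinVersion: tls.VersionTLS12,
	}
}

func main() {
	key, err := NewKey()
	if err != nil {
		panic(err)
	}
	// Constructed sample record; not real consumer data.
	record := []byte(`{"name":"Jane Doe","license":"D1234567","ip":"203.0.113.7"}`)
	consumerID := []byte("consumer-0001")

	sealed, err := EncryptRecord(key, record, consumerID)
	if err != nil {
		panic(err)
	}
	opened, err := DecryptRecord(key, sealed, consumerID)
	fmt.Printf("round trip intact: %v\n", err == nil && bytes.Equal(opened, record))

	_, err = DecryptRecord(key, sealed, []byte("consumer-0002"))
	fmt.Printf("record bound to the wrong consumer rejected: %v\n", err != nil)

	sealed[len(sealed)-1] ^= 0x01 // flip one bit of the GCM tag
	_, err = DecryptRecord(key, sealed, consumerID)
	fmt.Printf("tampered record rejected: %v\n", err != nil)

	fmt.Printf("server minimum TLS version: 0x%04x (TLS 1.2)\n", ServerTLSConfig().MinVersion)
}
```

The consumer ID as associated data is the detail worth copying: it costs nothing, and it turns a class of storage-layer mix-ups (a record restored into the wrong row, a migration that shuffles keys) into a hard decryption failure rather than a cross-consumer disclosure that would itself be reportable.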


Automate CCPA Compliance with Lazarus Alliance

Lazarus Alliance provides years of experience in CCPA compliance alongside decades of combined experience in cybersecurity and cloud automation to help enterprises and small businesses alike in their journey through California regulations. If you fall under the criteria for CCPA regulation, then consider us as your security partner to streamline complex compliance audits into simple, straightforward operations in your business and IT architecture. 


Want to Learn More About Lazarus Alliance?

Download our company brochure.
