Signed into law on June 28, 2018, the California Consumer Privacy Act (CCPA) became effective on January 1, 2020. The next milestone will be on July 1, 2020, when the California Attorney General will begin enforcement for the CCPA.

Non-compliance can result in the maximum fine of $7,500 per violation. When you consider how many consumer records you hold, the potential fines could stack up quickly if you don’t take CCPA seriously. We still don’t know exactly what enforcement will look like since we haven’t yet approached July 1st, but the Attorney General has established a firm stance on compliance by stating,

“If they are not (operating properly) …I will descend on them and make an example of them, to show that if you don’t do it the right way, this is what is going to happen to you.” – Attorney General Xavier Becerra

Since nothing like the CCPA has surfaced in the US before, no one knows for sure what enforcement will look like. However there are several indicators of the AG’s intent on enforcing the CCPA. 

The AG has a complaint link posted for consumers:

Consumer Complaint Against A Business/Company

By setting up a mechanism (prior to July 1st) to empower consumers, this indicates the AG is serious about consumer rights and enforcement. This provides consumers with an easy way to post a complaint against a business.

If we look at what has happened with GDPR, what often drives enforcement is volume of complaints against a company and breaches which invites a complete review of that company. Large companies like Facebook and Google are obvious targets for the CCPA and are likely top of mind for the California AG, however that doesn’t mean he will ignore all others in scope. 

“We will look kindly, given that we are an agency with limited resources, and we will look kindly on those that … demonstrate an effort to comply,”
-Attorney General Xavier Becerra

So, what does this mean for you? The best thing you can do to prepare for enforcement is to do SOMETHING. A complete lack of effort for compliance will be obvious. We believe that some of the easiest elements to enforce will be:


  1. The “Do Not Sell My Personal Information” link

A clear and conspicuous link titled “Do Not Sell My Personal Information” on the home page and privacy policy.

Do Not Sell My Personal Information LinkThe Washington Post published a list of enterprise companies that have the links available on their sites, they also reference several other resources that provide the links as well. This indicates consumers are already looking for this link, and if they don’t find it, it could lead to enforcement issues. 

2. Intake Method

If you are in scope of the CCPA, you should provide a way for consumers to exercise their data rights. Having some kind of intake method and a process for responding to those requests will be key for enforcement compliance.

Macy's Truyo Platform

3. Notices

You have an obligation to inform your consumers about the collection and use of any personal information under the CCPA. Ensuring you have the proper notices up is key to stave off compliance uncertainty. These notices must be conspicuous, understandable, and ADA compliant.
Once July 1st approaches, and we begin to see enforcement data, we’ll have a better understanding of what enforcement looks like, but until then, the best thing you can do is to make a genuine effort toward compliance and be prepared to make adjustments as needed.
Need help with your CCPA enforcement readiness? We’d love to simplify the process. 

Request a demo of our privacy rights platform to learn how we can help you automate, organize and update your procedures to help meet compliance requirements under the CCPA, and future laws, one step at a time.