California Consumer Privacy Act (CCPA) Compliance

In the 21st century, we share and store our most sensitive personal information on phones, computer workstations, and cloud-based services and computers. Today more than ever, a strong privacy and personal data security program is essential to the safety and welfare of the people of California and to our economy.

What is the CCPA?

The California legislature unanimously approved and enacted the California Consumer Privacy Act of 2018 (CCPA) on June 28, 2018. The CCPA is arguably the most far-reaching data protection law ever enacted in the United States. Fundamental to this right of privacy is the ability of individuals to control the use, including the sale, of their personal information.

Key Provisions of California Data Privacy Law 2018

  • Consumers’ right to know and access personal data
  • Right to Deletion
  • Right to Opt-Out / Opt-In
  • Right to Equal Service
  • Privacy Policy Requirements
  • Disclosure Requirements
  • GLBA/HIPAA/Research/Legal Exceptions

RSI Security is a full-service CCPA compliance assessor and advisory company that is uniquely positioned to help you meet the CCPA requirements, protect personal data, and honor consumers’ rights under California privacy law.

RSI Security can evaluate your organization’s data privacy and security policies, procedures, and security controls to regulate the processing of personal data and prevent data breaches. We will identify any potential gaps between the practices and CCPA requirements, and advise corrective actions to be taken in order to be prepared for a CCPA audit.


Our CCPA Compliance Services

  • Personal Data Mapping and Inventory
  • Privacy by Design Program
  • Privacy Impact Assessment
  • Incident and Data Breach Response Planning
  • Network Penetration Testing
  • Vulnerability Scanning
  • Enterprise Privacy Risk Assessment
  • Personal Data Security Awareness and Training
  • CCPA Audit and Assessment Services (covering required and addressable technical, physical, and administrative safeguards for the personal data environment)

Value and Benefits of Being CCPA Compliant

  • Increased Customer Trust and Organizational Reputation
  • Increased Personal Data Protection
  • CCPA Audit-Ready and Secure Personal Data Environment
  • Personal Data Security Risk Management
  • Implementation of Information Security Program
  • Effective Incident Response Planning

Who is Required to Comply with the CCPA?

Under the text of the California Consumer Privacy Act, the CCPA applies to for-profit businesses that do business in California and meet one or more of the following criteria:

  • Have annual gross revenue of more than US$25 million derived from or attributable to the state of California (Cal. Rev. & Tax. Code § 17942(a))
  • Collect, buy, receive, sell, or share for commercial purposes the personal information of 50,000 or more residents, households, or devices annually
  • Derive 50 percent or more of annual revenues from selling consumers’ personal information

Service providers and entities that control or are controlled by such a business and share common branding with that business will also be held accountable.

The CCPA applies regardless of the size of the organization, i.e. sole proprietorships, partnerships, LLCs, corporations, and other organizations that transact in California and collect, sell, purchase, or receive consumers’ personal data.

Does your business meet CCPA compliance?

To meet CCPA Compliance requirements, a business must actively uphold the four primary rights guaranteed by the Act:

  • The right to know – Consumers in California have the right to know what data is collected from them. This includes the kinds of information, the amount thereof, and how the data is being collected; it also includes the reasons that data is being collected, such as the ways in which the data will be used or shared with third parties.

  • The right to delete – Consumers in California have the right to request the deletion of their personal data collected by a business. Unless the request meets one of a select few exceptions, such as failure to verify the request, the business must honor it.

  • The right to opt out – Consumers in California have the right to opt out from the sale of their personal data. Unless an exception like an overriding legal obligation applies, the business must cease such data sales until the consumer electively opts in again.

  • The right to non-discrimination – Consumers in California have the right to fair treatment from service providers whether or not they exercise their rights to know about, delete, or opt out from data collection. If an individual requests notice or deletion, or opts out, a business cannot refuse them services or change pricing on contracts.

Upholding these rights requires implementing robust visibility and reporting infrastructure—along with third-party controls—to enable swift, accurate, and seamless reporting on data activities. The same infrastructure also enables timely deletion of information when California residents request it. Our CCPA consulting experts will help you streamline these efforts for compliance.

How to Become CCPA Compliant

To maintain CCPA compliance, your business needs to:

  • Develop, publish, and update a privacy policy detailing the controls in place to maintain compliance. Updates must occur at regular intervals no more than 12 months apart.

  • Monitor data privacy and integrity; keep up-to-date records of all uses, processes, or transactions impacting personal information collected from residents of California.

  • Provide notice to consumers before information is collected, or at the point of collection, including what kind of information, how much, and how it is to be used by the business.

  • Make information about personal data collection available to consumers from whom data has been collected—including all information provided in notices at or before collection.

  • Make information about exercising CCPA rights available to consumers from whom data has been collected, including information about how to opt-out or request data deletion.

  • Facilitate consumers’ ability to exercise their CCPA rights with an easily accessible opt-out page on your website—also known as a “Do Not Sell My Personal Information” page.

Installing robust monitoring and reporting infrastructure makes it easier to track what data is collected and how it is being used, which facilitates seamless notification and data access.


Your CCPA Compliance Partner

We are knowledgeable and experienced in providing compliance audit, assessment, and implementation services to organizations in meeting their regulatory compliance requirements, such as PCI DSS, HIPAA, EI3PA, NERC-CIP, NFA, FINRA, and GDPR.

Our experienced consulting team consists of:

  • Qualified Information Security Assessors (QSA)
  • Project Management Professionals (PMP)
  • Certified Information Systems Auditors (CISA)
  • Certified Information Systems Security Professionals (CISSP)

What Does the CCPA Cover?

The CCPA covers personal information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.

Personal information includes traditional identifiers (e.g. name, postal address, email address, Social Security number, and driver’s license or passport numbers), as well as unique personal identifiers (e.g. biometric information, IP address, internet browsing or search history, and geolocation data).

Penalties for non-compliance with CCPA

Companies that commit intentional violations are subject to penalties of up to $7,500 per violation.

Companies that commit an unintentional violation and fail to remediate within 30 days of receiving notice are liable for up to $2,500 per violation.

Companies that experience data theft or data security breaches can be ordered in a civil class action to pay statutory damages of between $100 and $750 per CA employee per incident or actual damages, whichever is greater, and any other relief a court deems proper.


Why Choose RSI Security for CCPA Compliance Services?

RSI Security has helped businesses in every industry prepare for, achieve, and maintain CCPA compliance since the act was passed in 2018 and became effective in 2020.

Our CCPA consulting experts have experience in data privacy and integrity monitoring and will install robust visibility and reporting infrastructure that operates efficiently alongside other cyberdefense initiatives. We’ll work with your internal team to rethink regulatory and cybersecurity controls, maximizing security ROI.

Schedule an appointment today to speak with one of our CCPA consultants.

The CCPA was passed on June 28, 2018. It officially went into effect on January 1, 2020. In November of 2020, amendments to the CCPA, collectively called the California Privacy Rights Act, were passed. These are set to come into effect on January 1, 2023.

The CCPA is currently in effect. The full force of its amended form, with the CPRA, has yet to come into effect. However, the lookback period requires businesses to prepare information 12 months prior to the official effective date of the CPRA on January 1, 2023—which means that California residents have the right to request information about the collection of their personal data and its use dating back to January 1, 2022.

The CPRA extends the protections of the CCPA. It is intended to give consumers greater visibility and control over the ways in which their data is collected and used, including requests for partial limitations or other changes to those usages (in addition to full-scale opt-outs or requests for deletion). It also makes businesses accountable for security incidents impacting personal data and sets the groundwork for consumers to share the benefits of data sales.

The CCPA protects consumers living in California by providing them greater visibility and control over the collection and use of their personal data—both by the companies that collect it and by any other entities with whom they share it.

As an extension of the four rights detailed above, the seven rights CCPA guarantees are:

  • The right to be notified at or before the point of data collection
  • The right to access information about data collected from them
  • The right to opt out from data collection, before or during collection
  • The right to opt into data collection (for minors or their parents)
  • The right to request the deletion of data collected from them
  • The right to know about and be informed of their CCPA rights
  • The right to exercise rights without price or service adjustment

Businesses subject to the CCPA are required to disclose:

  • The categories of data collected from a consumer
  • The categories of sources used to collect data
  • The purposes for the collection (intended uses)
  • The categories of third parties that share the data
  • The categories of data that is sold, and to whom
  • The categories of data disclosed but not sold, and to whom
  • The specific pieces of data collected about a given consumer

The CCPA applies to for-profit businesses in California that meet one of the following criteria:

  • Businesses with a gross annual revenue of at least $25 million
  • Businesses that process data of at least 50 thousand Californians
  • Businesses that derive at least 50% of their revenue from processing Californians’ data

Any business that meets one of the criteria above, regardless of size (i.e., number of employees), may be subject to the CCPA.

Violations under the CCPA are wide-ranging. They include but are not limited to failure to provide required notices or access to information, failure or refusal to satisfy opt-outs or eligible requests for deletion, and failure to maintain a CCPA-compliant Privacy Policy.

The CCPA may apply to businesses located outside of California if they meet the criteria for collecting 50 thousand Californians’ data or deriving 50% of their revenue from said data. 

The CCPA is enforced by the Office of the Attorney General (OAG) of California. It sends notices of non-compliance to businesses, after which they have 30 days to remediate the violations or other issues impeding their compliance.

Data Privacy by Location

North America
The General Data Protection Regulation (GDPR) has been in effect since May 25, 2018. It protects the privacy rights of data subjects in the European Union. It ensures transparency in communication and accessible modalities for data subjects to exercise their rights, which include: information about and access to personal data; rectification and erasure, including restrictions on select processes; and opting out of automated decision-making. Data processors and controllers must ensure privacy by design and default, and they may need to appoint a Data Protection Officer (DPO) or implement risk assessments and other measures, per the discretion of the EU Member State or other entity designated as their supervisory authority.

The GDPR applies to organizations based in the EU that process personal data, along with organizations outside of the EU that process the personal data of EU residents, offer goods or services to them, or monitor the behavior of EU residents. If a data breach occurs, the data controller is responsible for providing notification to their supervisory authority no more than 72 hours after becoming aware of the incident. The notice must include the nature of the breach, its likely consequences, and what measures are being taken to mitigate them, among other details.



CCPA took effect on January 1, 2020. Businesses must take steps now to ensure compliance and avoid costly data-breach-related litigation and damage to business reputation.