CCPA Business Obligations
Beyond honoring consumer rights, CCPA imposes affirmative obligations on businesses regarding notice, data handling, and vendor management. Understanding and implementing these obligations is essential for compliance.
Privacy Notice Requirements
Your privacy policy must be updated at least annually and must disclose the categories of personal information collected in the past 12 months, the purposes for collection, the categories of sources, the categories of third parties with whom information is shared, whether information is sold or shared, and how consumers can exercise their rights.
For businesses that sell personal information, a clear "Do Not Sell or Share My Personal Information" link must be prominently displayed on the website. Businesses collecting personal information must provide a notice at or before the point of collection.
Data Processing Agreements
CCPA requires contracts with service providers and contractors that process personal information on your behalf. These contracts must specify the business purpose for processing, prohibit the service provider from selling or sharing the information, prohibit use for purposes other than those specified in the contract, and require the service provider to comply with CCPA obligations.
Data Minimization (CPRA)
CPRA added data minimization requirements — businesses should collect, use, retain, and share personal information only to the extent reasonably necessary and proportionate to the purposes for which it was collected. This is a significant shift from CCPA's original transparency-focused approach.
Non-Discrimination
Businesses cannot discriminate against consumers who exercise their CCPA rights. You cannot deny goods or services, charge different prices, provide different quality, or suggest the consumer will receive a different experience. Financial incentive programs are allowed but must be clearly disclosed and reasonably related to the value of the consumer's data.
Record Keeping
Businesses handling personal information of 10 million or more consumers must maintain records of consumer requests and responses for 24 months. These records support compliance verification and should include the request type, date received, response, and fulfillment timeline.
Common Pitfalls
Common pitfalls include failing to update privacy policies annually, missing the "Do Not Sell or Share" link requirement, inadequate service provider contracts, not providing the required notice at collection, and treating opt-out requests as applying only to future collection rather than to existing data sharing.
In the next lesson, we will cover the CPRA amendments.