April 1, 2023

Volume XIII, Number 91


March 31, 2023

Subscribe to Latest Legal News and Analysis

March 30, 2023

Subscribe to Latest Legal News and Analysis

March 29, 2023

Subscribe to Latest Legal News and Analysis

Top 10 Things to Do to Prove CCPA Compliance

Don’t wait to implement your California Consumer Privacy Act (CCPA) compliance. California’s new privacy law goes into effect January 1, 2020. Consumer lawsuits are expected to follow shortly after implementation. CCPA can apply to businesses without offices or employees in California. It can also reach activities conducted outside of California. Does CCPA apply to you? See our table below suggesting compliance tasks and possible next steps.

1 Delegate CCPA compliance oversight to a knowledgeable employee or team Identity key business stakeholders; assemble multidisciplinary team; engage legal counsel to assist as needed
2 Maintain and regularly update a business-wide privacy policy

Map data collected by your business (including how it is used and where it resides); implement processes to provide consumers with required information about collection and use of their personal information; document how and why the privacy policy is aligned with legal requirements; appropriately disclose the privacy policy to the public

Note: CCPA applies to all personal information of California consumers and not only data collected online

3 Implement and maintain reasonable security practices Identify internal or external resources for information technology and data security; determine any contractual information security requirements; consult with others in industry or sector to determine best practices for securing information collected, stored or used by the business; regularly review internal information security practices and document them; prepare a data breach notification plan; conduct table-top exercises to simulate data breach response
4 Maintain procedures to respond to requests for access to personal data and specific pieces of information Document consumer verification process and how it is aligned with legal requirements; document work flows showing internal procedures are followed; implement templates for customer service communications; audit files and processes to ensure internal policies are followed; log and track requests from consumers and retain copies of responses
5 Maintain procedures to respond to requests to delete personal information Establish protocols for responding to such requests in a timely and effective manner; identify data within any applicable exception to deletion on which your business relies and how long it can or should be retained; audit files and processes for legal compliance
6 Maintain procedures to respond to requests to opt-out of sale of personal information Provide consumers with appropriate notice that their personal information is being sold, if applicable, and implement processes to respond to and honor requests to opt-out to such sale; audit processes for legal compliance

Update vendor contracts to comply with CCPA and

avoid being characterized as “selling” personal information to vendors

Identify vendors or third parties that receive personal information from your business and include appropriate contract terms to address CCPA requirements; make vendor or third party aware of your business’s privacy policy and their obligation to comply with it, if any; diligence vendors and their privacy and data security practices, as appropriate
8 Maintain procedures for collection and use of personal information of minors (as applicable) Obtain appropriate opt-in consent with respect to persons 16 or younger whose personal information is sold
9 Conduct appropriate privacy training for personnel depending on their job function Offer appropriate training to personnel; require personnel to participate in privacy and security training; prepare templates and scripts for personnel responding directly to consumers’ requests under CCPA; document how compliance of personnel is evaluated or checked
10 Assess affiliates’ need to comply with the CCPA and implement family-wide compliance if necessary The affiliates of a business subject to the CCPA may all come under the CCPA where they all do business under a common brand; pro-actively determine whether compliance with the CCPA can be limited to one or more specific companies in a family of companies and take appropriate actions based on the outcome of the review

The CCPA is a complex law, and this overview does not substitute for considering CCPA requirements in their entirety. The CCPA, while a comprehensive privacy law, does not supplant other California or other state privacy laws. Don’t lose sight of other privacy obligations in the U.S. as you navigate CCPA compliance for your business.

Copyright © 2023 Womble Bond Dickinson (US) LLP All Rights Reserved.National Law Review, Volume IX, Number 157

About this Author

Theodore Claypoole, Intellectual Property Attorney, Womble Carlyle, private sector lawyer, data breach legal counsel, software development law

As a Partner of the Firm’s Intellectual Property Practice Group, Ted leads the firm’s IP Transaction Team, as well as data breach incident response teams in the public and private sectors. Ted addressed information security risk management, and cross-border data transfer issue, including those involving the European Union and the Data Protection Safe Harbor. He also negotiates and prepares business process outsourcing, distribution, branding, software development, hosted application and electronic commerce agreements for all types of companies.


Nadia Aram, Womble Carlyle, Intellectual Property Attorney, technology licensing lawyer, commercial agreements legal counsel, private securities law
Of Counsel

Nadia advises clients in a variety of business transactions involving the use and commercialization of intellectual property and technology. She has experience drafting and negotiating a broad variety of contracts, including technology licenses, services, consulting and other complex commercial agreements to help clients realize the value of their assets day-to-day, and as part of strategic product and technology acquisitions and divestitures. Nadia also practices in the areas of franchise law, and advertising, sweepstakes & promotions law, including advising clients...

Taylor Ey, Intellectual property attorney, Womble Carlyle, Law Firm

Taylor is an associate in the Intellectual Property Practice Group in Womble Carlyle’s Research Triangle Park Office.


J.D. | 2016 | Wake Forest University School of Law | cum laude | Notes and Comments Editor, Wake Forest Law Review, 2015-2016 | Teaching Assistant, Legal Analysis, Writing and Research I & II, Writing for Judicial Chambers

M.S. |2012 | The Ohio State University | Biomedical Engineering

B.S. | 2011 | The Ohio State University | Biomedical Engineering | Minor, Life Sciences | cum laude