CCPA Compliance

CCPA Compliance

The California Consumer Privacy Act of 2018 (CCPA) gives consumers more control over the personal information that businesses collect about them. Consumers have the right — with some exceptions — to ask what information is being stored, and to inspect that information or have it deleted.

The CCPA applies to any business that collects and stores more than 50,000 data records. This number may be confusing, because information collected on different devices may be counted multiple times. So, for example, if you collect information about a person accessing your business from a desktop computer, a tablet, and a mobile phone, one person may be counted as three separate records.

Also, a couple other conditions subject an entity to the act’s regulations. Companies with gross annual revenues of $25 million or more, or companies that earn more than 50 percent of their revenue from selling consumers’ personal information also are covered by the act.

Personal information can include:  employee data, employee benefit records, postal mailing lists, email mailing lists, phone users’ information, customer lists, customer service records, prospect lists, inquiries from prospective customers, digital info on website visitors, and perhaps social media followers. Although companies are permitted to retain some of this information under the act, it is important to identify every source of consumer data to determine whether the act applies to a company, and which data is and is not covered by the act.

The CCPA also requires that specific facts about the company’s data collection and privacy policies, as well as the consumer’s rights, be disclosed to the consumer.

Our CCPA Compliance Service provides a multi-step compliance service. The key steps are described below:

Phase 1 – Assessment

Our compliance officers will interview key members of your organization who manage the various types of data described in the Introduction. Based on this assessment, we prepare a document outlining the information stored in your organization that may be covered by the CCPA, and the individuals responsible for each dataset.

This process typically requires 6-10 hours, depending on the size and complexity of your organization and the data you capture.

Phase 2 – Compliance Document

We will begin with your existing privacy policy, and integrate the text required for CCPA compliance. This is specific to your organization, because it must describe the information that you capture and store.

Here is an example of a CCPA compliant privacy statement:

Note that the final privacy statement should be reviewed by your legal staff.

We will then create a form that allows consumers to ask to see their information, or request that it be deleted, as required by the law. Like the privacy policy, the form will be specific to your company and the information you collect.

We can set up this form as a Google Documents form, or as a form on your website.  We can also provide an outline for a form, so it can be implemented by your own team.

Your organization must identify a compliance officer. In addition to the form, you will need to set up an 800 number for consumer requests.

Phase 3 – Compliance Training

We can provide online training with up to three members of your company. We will review the privacy policy, the compliance request form, and the processes required to comply with CCPA requests and track their resolution.

Compliance Training is strongly recommended if you choose not to use our Compliance Monitoring service.

Phase 4 – Compliance Monitoring

Optionally, our staff can manage your compliance requests and monitor compliance.

In this case, the form and 800 number will be directed to our compliance staff.

Our staff will be responsible for:

  • Receiving requests for disclosure or removal via a web-based form or toll-free phone number
  • Forwarding requests to appropriate staff within your company
  • Advising on compliance requirements, as needed
  • Recording and tracking responses to requests
  • Producing quarterly compliance reports to your company management

We also will escalate any requests that your staff does not respond to within an agreed-upon period (typically three working days).


Our compliance service does not constitute the practice of law. Prior to embarking on a CCPA Compliance program, you should consult a qualified attorney.

Metro.Agency is not responsible for compliance violations within your organization, and we do not insure or indemnify your organization.