California Consumer Privacy Act | Kriptos

March 28, 2024 - 13 min read

What is the CCPA?

The California Consumer Privacy Act (CCPA) is a law that came into effect on January 1, 2020, with enforcement beginning in July 2020. This distinction is important because enforcement is retroactive to 12 months prior—meaning that companies should have already been in compliance by the time enforcement began.

The law is designed to provide California residents with the right to:

  • Know what personal data is collected about them,
  • Know whether that data is sold or disclosed and to whom,
  • Access their data, and
  • Request that their data be deleted.

While similar to the General Data Protection Regulation (GDPR), the CCPA includes unique elements such as device identification and an expanded definition of personal information.

Who Does the CCPA Apply To?

The CCPA applies to for-profit businesses that do business in California and meet at least one of the following criteria:

  • Have annual gross revenues exceeding $25 million,
  • Process the personal information of more than 50,000 consumers, households, or devices annually,
  • Derive more than 50% of their annual revenue from selling consumer personal information.

What Does the CCPA Say About Data Classification?

Technically, nothing. There are no specific provisions in the CCPA that require businesses to perform data classification.

However, data classification can significantly support compliance with several of the CCPA's requirements.

Section 1798.105(a)

“A consumer shall have the right to request that a business delete any personal information about the consumer which the business has collected from the consumer.”

If all data collected is stored in a structured database, you may have control over it. But once that data is exported for reports or analysis in Excel or other formats, control can be lost. This is where data classification becomes useful.

To comply with deletion requests, businesses must also instruct service providers to delete the consumer’s personal information from their records. Classifying unstructured documents helps ensure that sensitive data is not overlooked and reduces the risk of it leaking or being reintegrated into your systems.

Section 1798.150(a)(1)

“Any consumer whose nonencrypted or nonredacted personal information […] is subject to unauthorized access and exfiltration, theft, or disclosure […] may institute a civil action…”

To meet the CCPA’s security expectations, businesses must maintain reasonable security procedures and practices appropriate to the nature of the information.

Classifying data allows you to:

  • Identify where personal or sensitive data is stored,
  • Apply the appropriate level of protection, and
  • Prevent unauthorized access or breaches.

Summary

While the CCPA does not explicitly require data classification, it does require companies to:

  • Know what personal data they are processing (data inventory),
  • Know where that data is stored, and
  • Protect it based on its sensitivity and criticality.

Implementing data classification is not just a best practice—it’s a strategic advantage in meeting CCPA requirements and reducing legal and reputational risks.
