CCPA Compliance Timeline

This timeline is informational only. It may not be suited for every organization and is not legal advice. To receive specific advice on how to comply with the CCPA, please consult an attorney.

By March 1, 2019
CCPA Assessment

Your organization should perform a CCPA assessment to see what steps it needs to take.

The CCPA requires that organizations take specific steps to handle and protect the personal information of California residents. As a first step, it’s important to know what your organization does and what it still needs to do.

By April 1, 2019
Data Mapping

Your organization should begin mapping where and how personal information of California residents is collected, stored, transmitted, and sold.

The CCPA requires that organizations be able to find, and in some cases delete, specific pieces of personal information. To do that, organizations need to know where they’ve stored personal information of California residents and with whom they’ve shared it.

By May 1, 2019
Agreements with Service Providers

Your organization should start reviewing contracts with organizations and individuals with whom your organization shares personal information to ensure they contain CCPA-required terms.

In some cases, your organization may need to renegotiate your existing contracts. Moving forward, your organization should plan to include CCPA-required terms in any new contracts that involve personal information.

By July 1, 2019
Consumer Request

Your organization should have a system to collect, track, and respond to requests from California residents to access or delete their personal information.

The CCPA allows California residents to request that organizations (1) grant them access to their data, (2) delete their data, and (3) provide them with information about how their data is being used. Organizations must respond to these requests within 45 days.

By August 1, 2019
Opt Out Requests

Your organization should have a system to collect and track the names of consumers who do not want your organization to sell their personal information.

The CCPA allows California residents to request that organizations not sell their personal information. It is important that organizations keep an accurate list of those names.

By September 1, 2019
Policies and Procedures

Your organization should have policies and procedures for its employees about CCPA requirements.

If your organization is investigated, your policies and procedures may help demonstrate your efforts to meet CCPA requirements.

By September 1, 2019
Privacy Disclosures

Your organization should have a privacy notice.

The notice must explain (1) what personal information the organization collects, (2) who the organization collects that data from, (3) the purpose for collecting that data, and (4) who the organization shares that data with or sells data to. The notice must also disclose the rights of California consumers under the CCPA, including the right to opt out of the sale of personal information. The CCPA requires that organizations disclose this information online. The privacy notice must be accessible from your organization’s homepage.

By December 1, 2019
Training

Your organization should inform its employees about CCPA requirements or provide privacy training.

Training should take place before the CCPA becomes effective. Organizations need to periodically update their training even after the law takes effect.

January 1, 2020
Effective Date of the CCPA

With a few exceptions, organizations that handle personal information of California residents must be prepared to comply with the CCPA by this date.
