California Law Compliance

California Consumer Privacy Act 2018


Compliance with California Privacy Laws

The California Consumer Privacy Act (CCPA) of 2018 was passed on 28 June 2018. The law, which will take effect on 1 January 2020, introduces new privacy rights for consumers and will force companies that conduct business in the State of California to implement structural changes to their privacy programs.

The new rights given to California consumers are similar to the rights provided in the European Union’s General Data Protection Regulation (GDPR). The CCPA also subjects non-compliant businesses to expensive fines, class-action lawsuits, and injunctions.

Compliance Tools at your Fingertips

How OneTrust Helps

OneTrust Assessment Automation and Data Inventory & Mapping supports your efforts to prepare for CCPA compliance by helping you pinpoint where personal data resides and how it is used. Data Mapping helps streamline your ability to take action when consumers exercise their rights to information, deletion, and opt-out. These modules, in combination with OneTrust Data Subject Rights Management, help automate the request fulfillment lifecycle for the new rights under the CCPA.
OneTrust Universal Consent Management tracks consent and the Preference Center module gives consumers the ability to opt-out using the “Do Not Sell My Personal Information” link from the OneTrust Preference Center.

Privacy Rights under the California Consumer Privacy Act vs. the EU’s General Data Protection Regulation

This quick-read is a discussion of the similarities and differences between the rights included in the new CCPA and in the GDPR to help get you up to speed as you map out your path to compliance.

Right to Request Information

1798.100, 1798.115

On receipt of a verifiable consumer request, organizations will have the obligation to provide consumers with details regarding how their data is processed. Consumers have the right to know the categories of personal information collected, the sources of those categories, business or commercial purposes for collecting or selling personal information, the third parties with whom the data is shared, and the specific pieces of personal information collected.

How OneTrust Helps

The OneTrust Data Subject Rights Management tool is equipped to streamline the intake of request for information. In combination with the Data Inventory & Mapping module, OneTrust enables businesses to centralize requests into a single queue, verify the identity of consumers, develop automated workflows, communicate securely with data subjects, fulfill requests, and keep records for compliance.

The New Privacy Landscape Under the CCPA

The CCPA took many businesses and privacy professionals in the United States by surprise. The law creates new rights for California consumers and will impact an estimated 500,000 organizations conducting business in California. This comprehensive guide, developed by our world-class privacy research team, explores the new consumer rights and obligations for businesses, the scope of the CCPA, and the potential consequences for non-compliance.

Right of Deletion of Personal Information


Consumers may request that any personal information collected by the business be deleted. This deletion extends to service providers as well.

How OneTrust Helps

When requests for deletion are made, businesses can identify where personal information resides by using the OneTrust Data Inventory & Mapping module. Requests are funneled into a queue via the Data Subject Rights Management tool. From the queue, tasks such as verifying the consumer’s identity, locating the data, and taking the action to delete it are auto-assigned via customizable workflows.

Right to Opt-Out


At any time, consumers can request that a business not sell their personal information to a third party. A clear and conspicuous link on the business’s webpage must say, “Do Not Sell My Personal Information.” This link should direct consumers to an opt-out option.

How OneTrust Helps

OneTrust Universal Consent helps businesses collect and maintain records of valid consent. This information is synced via API integrations to your existing systems to help ensure consumer consent remains up-to-date. With OneTrust, businesses can generate a “Do Not Sell My Personal Information” link, which directs to a secure Preference Center. From the Preference Center, consumers can opt-out if they desire. This information is then updated within the OneTrust Universal Consent module and disseminated to your integrated systems.

Obligation to Inform Consumers

At or before the collection of personal data, businesses will have the obligation to inform consumers of the categories of personal information to be collected and the purposes of its use. Additionally, consumers must be informed about the right to deletion and the right to opt-out of the sale of their personal information.

How OneTrust Helps

OneTrust integrates with existing data collection points (i.e. web forms, registration pages, mobile apps, etc.) to help you display the necessary information at the point of collection. OneTrust Universal Consent then maintains an audit trail of the information displayed when a consumer’s data was collected. Additionally, you can link to the OneTrust Preference Center from webpages or emails to provide consumers with information about how their personal information is being used.



Under the CCPA as it is currently written, organizations must offer consumers two or more methods for submitting requests. Requests should be free of charge and must be addressed within 45 days of receipt. Businesses must respond in writing and include the information from the 12-month period preceding the receipt of the request. If the consumer has an account with the business, the information should be provided through that account. If not, information should be sent in a readily available format that allows the consumer to transmit it to another entity. Businesses must disclose the required information in their privacy policy or, if they do not have such policies, on their website. Finally, businesses are not obligated to provide information to the same consumer more than twice in a 12-month period.

How OneTrust Helps

OneTrust already addresses many of the modalities outlined in the CCPA due to their similarities with Article 12 of the GDPR. OneTrust will address the differences to prepare organizations for the CCPA enforcement date.

Why Over 1,500 Customers Choose OneTrust

Most Comprehensive Technology


200 Member R&D Team Driving Product Innovation with 16 Patents Awarded

World-Class Research


Over 100 Certified Privacy Professionals In-house with Continuous Regulatory Research

Expert Global Services


Multi-lingual, 50 Person Implementation Team, and Large Partner Network to Support Privacy Initiatives

Large Active Uer Community

Active User

Thousands of Members Sharing Best Practices in 40 Global PrivacyConnect Workshops