CCPA and CPRA Incident Response Guidelines

What every organization needs to be prepared for California’s privacy regulations

California Consumer Privacy Act (CCPA) & California Privacy Rights Act (CPRA)

The California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA) govern digital privacy for California residents. CCPA went into effect in 2020 and CPRA will go into effect in 2023, with a lookback period to 2022. Together, these regulations give Californians the right to understand how companies collect and use their personal data and prevent organizations from selling that information.

Automate CCPA & CPRA obligations with the BreachRx platform

Tailor your incident response plan in minutes so you know exactly what to do by when and take the crisis out of your incident response

Who must adhere to CCPA and CPRA?

Qualifying companies that might collect or use data about California residents, directly or through a partner, regardless of the company’s location, must adhere to these guidelines. Companies qualify for enforcement if they meet one of the following:

  • Annual gross revenue of more than $25 million
  • More than 50% of annual revenue comes from selling or sharing consumers’ personal information
  • Buys, sells, or shares personal information on more than 100,000 consumers or households annually

What data does CCPA and CPRA cover?

CCPA and CPRA give individuals the rights to understand what data will be or has already been collected about them, how that data will be used, request that data be deleted, and opt out of having that information sold to third parties.

How do CCPA and CPRA get enforced?

CPRA introduced a new self-funded agency dedicated to privacy enforcement called the California Privacy Protection Agency (CPPA). Consumers can also bring private lawsuits in some cases.

Why comply with CCPA and CPRA?

The fact that CPPA is both dedicated to enforcing the privacy regulations and funded by the penalties that come from doing so means this agency has a unique incentive to investigate violations and issue fines.

CCPA and CPRA also include clear guidelines for incident response in cases like data breaches and errors, creating strict notification requirements for companies to follow.

What CCPA and CPRA Incident Response Guidelines Entail

CCPA and CPRA require businesses to implement and maintain “reasonable security procedures.” As a result, the responsibility falls on organizations to proactively protect any data they hold from being destroyed, modified, or falling into unauthorized hands. If an organization fails to do so, they must issue a notification in compliance with the regulations’ guidelines.

Who to Contact

  • Any California resident who was affected by any data breach 
  • The state Attorney General if a single event impacts more than 500 California residents

When to Make Contact

  • “Without unreasonable delay” once the breach is discovered
  • One exception is cases where disclosing information can hinder a law enforcement investigation

How to Make Contact

The notification must be written in plain language, be titled “Notice of Data Breach,” and include:

  • Name and contact information of the reporting organization
  • Overview of what happened
  • Details on the types of personal information included in the breach
  • Timing information (date, estimated date, or a date range for when the breach occurred)
  • Telephone numbers and addresses of major credit reporting agencies if the breach exposed social security numbers, driver’s license information, or California identification card numbers
    • In these cases, the business that was the source of the breach must offer appropriate identity theft prevention and mitigation services at no cost for at least 12 months and provide all information necessary to take advantage of the offer
  • (Optional) What the business has done to protect individuals affected by the breach
  • (Optional) Advice on what affected individuals can do to protect themselves

Notification Formatting Requirements

The California state regulations also require that any notification be formatted “to call attention to the nature and significance of the information it contains,” including:

  • Clear and conspicuous titles and headings
  • Text no smaller than 10-point type

If providing the notice would cost more than $250,000, if the number of affected individuals is more than 500,000, or if the company doesn’t have proper contact information for individuals, then they must do all of the following:

  • Conspicuous posting on the organization’s website for at least 30 days (i.e. featuring a link to the notice on the home page, made obvious with larger text or contrasting colors)
  • Notification to major statewide media, plus California-based companies must also inform the California Office of Information Security

6 Types of Events That Can Trigger Notification Under CCPA and CPRA

A variety of events, including data breaches and company errors, can lead to incident response situations under CCPA and CPRA. A few of the most common include:



A ransomware attack occurs when malware steals digital  information and the attacker asks for money in exchange for releasing the data. Even if the data gets recovered, it is still exposed.


Data Theft

CCPA and CPRA treat any kind of data theft as a breach. One example is exfiltration, which is when a hacker accesses data and transfers it to their own servers or devices for ongoing access.


Improperly Sold Data

Selling individuals’ personal data when they’ve opted out of this qualifies as a breach under CCPA and CPRA, regardless of whether it was a company effort or a rogue employee.


Mistakenly Exposed Data

Mistakenly exposing personal information, for instance by sending it to the wrong person or sharing sensitive data over an insecure channel can trigger an incident or breach response situation.


Mistakenly Updated or Deleted Data

Incorrectly updating or mistakenly deleting data, even if it was an honest mistake or an incompetent employee, requires notification under CCPA and CPRA.


Stolen or Lost Physical Records

Physical data records that become lost, get stolen, or are damaged in any way (if they are the sole copy) count as a data breach since they can then fall into the wrong hands.

Why CCPA and CPRA Require Proactive Incident Response

California has consistently evolved its privacy standards over time. For instance, the state introduced CPRA to expand on what was already in place the same year that CCPA went into effect. A history of updates like this means we can expect the state will continue to update its regulations at a fairly rapid pace going forward.

As a result, when it comes to incident response for California privacy regulations, taking a proactive stance and regularly updating protocols is essential to keeping up with rapidly changing regulations.

Supercharge your incident response strategy with the BreachRx platform

Stop using spreadsheets and documents to keep track of the tasks you need to accomplish during an incident response.