The question of the week (again!) we keep getting. What does the latest $1.35M fine from the CPPA ordered against the nation’s largest rural lifestyle retailer, Tractor Supply Company, mean for us? It’s the largest fine issued in the Agency’s history, marking the first major enforcement action focused on privacy notices and job applicant rights, not just consumer data.

Here's what companies can learn from the issued to-do list:
❗ Implement corrective measures, including scanning digital properties and maintaining a full and current inventory of tracking technologies
❗ Honor do not sell/share requests and opt-outs
❗ Ensure symmetry of choice in cookie consent mechanisms
❗ Review/update privacy notices for consumers, employees, and applicants
❗ Notify all employees/job applicants by email about updates to relevant privacy notices
❗ Launch CCPA training program
❗ Get vendor contracts in order
❗ Post consumer privacy request metrics on its website for five years
❗ Annual executive compliance certifications for four years
❗ Implement/maintain a program to monitor processing of consumers' requests to opt-out of sale/sharing
❗ Conduct annual website/mobile apps review to identify third parties receiving personal information collected through tracking technologies.

What exactly went wrong?
🚫 Failed to provide adequate privacy notices to consumers and job applicants
🚫 Did not honor opt-out requests submitted through its website or respect Global Privacy Control (GPC) signals.
🚫 Shared personal data with other companies without proper contractual safeguards.

Most important - what should companies do?
✔️ Update consumer, employee, and job applicant privacy notices.
✔️ Maintain a live data inventory to track personal information, systems, and tracking technologies (Note: this is your proof of compliance when regulators come knocking)
✔️ Establish a cookie governance program, including systematic tracking of all pixels/cookies/trackers, oversight of vendors, and contractual compliance status.
✔️ Monitor and test cookie consent technologies (including Do Not Sell Links and GPC). YOU ARE RESPONSIBLE if they’re not working as expected, not third parties.
✔️ Audit third-party vendor and AdTech contracts to ensure vendors include appropriate privacy protections.
✔️ Test the privacy rights processes and train employees.

The era of checkbox compliance is long gone. This case shows that regulators demand that company privacy programs are fully operational and in working order. Not only are regulators watching, they’re also taking consumer complaints seriously and actively enforcing with BIG FINES.

Where to start? Read your privacy notice, test your privacy rights process and those cookie consent banners. Don't be the latest site where NONE of their privacy links worked. 😕

♻️ Share our carousel to help other privacy pros 👇
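The post above calls for scanning digital properties and keeping a current inventory of tracking technologies, and for an annual review of which third parties receive personal information through them. The following is an added example of what such a scan looks like in code; it is not part of the post and not any vendor's tool. It parses a page's HTML for every tag attribute that makes the browser contact another host (scripts, images/pixels, iframes, link hints), separates first-party from third-party hosts, diffs the third parties against the documented inventory in both directions, and confirms that a "Do Not Sell or Share" (or "Your Privacy Choices") link is present. The page, hostnames and inventory are constructed placeholders; in practice you would feed it the rendered HTML of each property (ideally captured from a real browser, since tags injected by tag managers are only visible after JavaScript runs).

```python
"""Tracker inventory scan: list the third-party hosts a page makes the browser
contact, diff them against the documented inventory, and confirm the opt-out
link exists. Added example; the HTML, hosts and inventory are constructed."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Attributes that trigger a request, which sends at least the IP address,
# user agent and referrer to the named host.
_FETCH_ATTRS = {
    "script": ("src",),
    "img": ("src", "srcset"),
    "iframe": ("src",),
    "link": ("href",),  # stylesheets and preconnect/dns-prefetch hints
}


class _ResourceCollector(HTMLParser):
    """Collect fetched hosts plus (anchor text, href) pairs."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.hosts = {}       # host -> set of tag names loading from it
        self.links = []       # (anchor text, href)
        self._anchor = None   # (href, [text parts]) while inside <a>

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        for attr in _FETCH_ATTRS.get(tag, ()):
            value = attrs.get(attr)
            if not value:
                continue
            # srcset is "url descriptor, url descriptor, ..."; keep the URLs.
            candidates = value.split(",") if attr == "srcset" else [value]
            for cand in candidates:
                parts = cand.strip().split()
                if parts:
                    host = urlparse(urljoin(self.page_url, parts[0])).hostname
                    if host:
                        self.hosts.setdefault(host, set()).add(tag)
        if tag == "a":
            self._anchor = (attrs.get("href") or "", [])

    def handle_data(self, data):
        if self._anchor:
            self._anchor[1].append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._anchor:
            href, parts = self._anchor
            self.links.append(("".join(parts).strip(), href))
            self._anchor = None


def is_first_party(host, first_party_domains):
    return any(host == d or host.endswith("." + d) for d in first_party_domains)


def scan(html, page_url, first_party_domains, inventory):
    """Report third-party hosts, those missing from the inventory, inventory
    entries that no longer load, and the opt-out link href (None if absent)."""
    collector = _ResourceCollector(page_url)
    collector.feed(html)
    third_party = {
        host: sorted(tags)
        for host, tags in collector.hosts.items()
        if not is_first_party(host, first_party_domains)
    }
    # CCPA link text is "Do Not Sell or Share My Personal Information"; the
    # regulations also allow "Your Privacy Choices" with the opt-out icon.
    wanted = ("do not sell", "your privacy choices")
    opt_out = next((href for text, href in collector.links
                    if any(w in text.lower() for w in wanted)), None)
    return {
        "third_party_hosts": third_party,
        "undocumented": sorted(h for h in third_party if h not in inventory),
        "stale_inventory": sorted(h for h in inventory if h not in third_party),
        "opt_out_link": opt_out,
    }


# Constructed sample page and inventory (placeholder hosts, not real vendors).
PAGE_URL = "https://www.example-retail.test/"
FIRST_PARTY = {"example-retail.test"}
INVENTORY = {"tags.analytics-vendor.test", "old-pixel.retired-vendor.test"}
SAMPLE_HTML = """<html><body>
<script src="/static/app.js"></script>
<script src="https://tags.analytics-vendor.test/tag.js"></script>
<img src="//pixel.adnetwork.test/px.gif?uid=123" width=1 height=1>
<iframe src="https://chat.support-vendor.test/widget"></iframe>
<a href="/privacy/do-not-sell">Do Not Sell or Share My Personal Information</a>
</body></html>"""

if __name__ == "__main__":
    for key, value in scan(SAMPLE_HTML, PAGE_URL, FIRST_PARTY, INVENTORY).items():
        print(f"{key}: {value}")
```

On the sample page the scan flags the ad pixel and the chat widget as undocumented and the retired pixel as a stale inventory entry; both findings are what the annual review and the live inventory are meant to surface, and the same diff run on a schedule is the monitoring program the post describes.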
Assessing CCPA Cybersecurity Program Compliance
Explore top LinkedIn content from expert professionals.
Summary
Assessing CCPA cybersecurity program compliance means evaluating whether a company’s privacy and data protection practices meet the requirements of the California Consumer Privacy Act (CCPA), which protects Californians’ personal information. This includes checking how organizations handle data inventory, privacy notices, consent mechanisms, and cybersecurity audits.
- Build data inventory: Identify and document what personal information your company collects, where it’s stored, and who it’s shared with to maintain transparency and prove compliance.
- Review privacy notices: Regularly update privacy policies for consumers, employees, and job applicants to ensure all stakeholders are informed about their rights and data use.
- Monitor consent processes: Test cookie banners, opt-out links, and automated decision-making systems to confirm they work as intended and honor user preferences.
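The summary's point about monitoring consent processes, and the Tractor Supply post's finding that GPC signals were not respected, come down to one piece of server logic: recognise the signal and stop loading sale/share tags when it is present. Below is an added example of that logic together with the monitoring check that proves it works; it is not code from the page or from any consent vendor. It follows the GPC specification for the request header (`Sec-GPC: 1`) and the CCPA regulations' rule that a valid opt-out preference signal must be processed even when the consumer earlier accepted a cookie banner. The tag hosts and the `ccpa_opt_out` cookie name are constructed placeholders.

```python
"""Honour a Global Privacy Control opt-out server-side and verify that the
page really drops sale/share tags when the signal is present. Added example;
tag hosts and the opt-out cookie name are placeholders."""

# Scripts that send personal information to third parties for cross-context
# behavioral advertising, versus scripts needed to run the site itself.
SALE_SHARE_TAGS = ["https://ads.adnetwork.test/pixel.js",
                   "https://sync.datapartner.test/sync.js"]
ESSENTIAL_TAGS = ["https://www.example-retail.test/static/app.js"]
OPT_OUT_COOKIE = "ccpa_opt_out"  # set by the Do Not Sell or Share link (assumed name)


def gpc_opted_out(headers):
    """True when the request carries a valid GPC signal.

    The GPC spec defines the request header `Sec-GPC` with the single value
    "1"; any other value ("0", "true", "") is not an opt-out. HTTP header
    names are case-insensitive, so they are matched that way."""
    value = next((v for k, v in headers.items() if k.lower() == "sec-gpc"), None)
    return value is not None and value.strip() == "1"


def opt_out_state(headers, cookies):
    """Return (opted_out, reason).

    The GPC signal and the site's own opt-out cookie are both valid opt-out
    requests. GPC wins over a banner "accept" cookie: the CCPA regulations
    require the business to process the signal, and only allow it to tell
    the consumer about the conflict and offer to re-consent."""
    if gpc_opted_out(headers):
        return True, "gpc"
    if cookies.get(OPT_OUT_COOKIE) == "1":
        return True, "opt_out_link"
    return False, "none"


def render(headers, cookies):
    """Script tags for one page view; sale/share tags omitted when opted out."""
    opted_out, reason = opt_out_state(headers, cookies)
    tags = ESSENTIAL_TAGS + ([] if opted_out else SALE_SHARE_TAGS)
    html = "\n".join(f'<script src="{src}"></script>' for src in tags)
    return {"opted_out": opted_out, "reason": reason, "html": html}


def honors_gpc(render_fn):
    """Monitoring check: render with and without the signal, both with a prior
    'accept all' cookie, and confirm sale/share tags appear only without GPC."""
    with_gpc = render_fn({"Sec-GPC": "1"}, {"consent": "all"})["html"]
    without = render_fn({}, {"consent": "all"})["html"]
    leaks = [t for t in SALE_SHARE_TAGS if t in with_gpc]
    still_loads_when_allowed = all(t in without for t in SALE_SHARE_TAGS)
    return not leaks and still_loads_when_allowed


if __name__ == "__main__":
    print(render({"Sec-GPC": "1"}, {"consent": "all"})["html"])
    print("honors GPC:", honors_gpc(render))
```

The `honors_gpc` check is the part to keep running after go-live: point it at the real page (for example by fetching it with and without the `Sec-GPC: 1` header and scanning the returned HTML) and alert when a sale/share host appears in the opted-out response. Tags injected client-side need the same treatment; browsers expose the signal to scripts as `navigator.globalPrivacyControl`, so a tag manager has to consult that before firing anything on the sale/share list.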
You’re the new Privacy Analyst at a U.S. retail company. Your manager just asked you to ensure the company is compliant with the California Consumer Privacy Act (CCPA), but you quickly realize there’s no data inventory or record of what personal data is being collected, where it’s stored, or who it’s shared with. How would you even begin? First, you’d start by building a data inventory — that means identifying what personal data the company collects (names, emails, browsing history, etc.), how it’s collected (forms, cookies, third-party platforms), and where it lives (CRM, marketing tools, cloud storage, etc.). You’d likely send out a questionnaire or meet with key teams (marketing, IT, sales) to gather this info. Then, you’d map the data flows — what systems touch this data, who has access, and whether it gets sent to vendors or service providers. This is essential for understanding risk and creating compliant privacy notices. Finally, you’d document it all and check it against the CCPA requirements — can users request access to their data? Can they delete it? Is there a way to opt out of data selling? This is GRC work in action: breaking down compliance into trackable steps and helping the business stay accountable.
The California Privacy Protection Agency recently started a rulemaking process on cybersecurity audit, privacy assessment, and AI/automatic decisionmaking regulations. Here are four steps to consider now ⬇️

1️⃣ Rulemaking Process. If your org engages in rulemaking processes directly or via an industry group, review the summary below and the draft regs to identify areas to influence.
2️⃣ AI/Privacy Assessments. Consider whether any of the proposed risk assessment triggers or requirements should be added to your existing #privacy impact and AI risk assessment processes now or as these processes are developed or updated.
3️⃣ Audit Gaps. Chat with your #InternalAudit and security teams to understand where your org has gaps with the #cybersecurity audit requirements (audits likely can't be done via normal #security assessment protocols).
4️⃣ AI/ADMT Rights. Land or update processes to understand and keep an inventory of your org's current #AI and automatic decisionmaking technology (ADMT) uses, and track necessary info to help scope which ones would need to be changed to address the extensive proposed AI and ADMT rights.

Here is a high-level summary of some of the proposed regulations:

Cybersecurity audits
🔸 required for entities with $25M+ in revenue processing PI of 250k people, or sensitive PI of 50k+ (& some others too)
🔸 must be an independent #audit by external auditor or internal auditor reporting to board, not business
🔸 scope must include a number of listed topics and controls; some may be new like data retention, PI inventories/mapping, and PI breaches
🔸 annual certifications to CPPA about audits by an org's board member

Risk assessments
🔸 required when data protection assessments needed under other state laws, but broader scope since employee/B2B PI included
🔸 new triggers when (1) ADMT is used for "extensive profiling" (e.g., certain employee or public location monitoring, or for #targetedadvertising) or (2) PI is processed for certain AI or ADMT training
🔸 must cover a number of specific topics with additional requirements for PI processing by ADMT or to train AI/ADMT
🔸 details about assessments must be annually submitted to the CPPA
🔸 annual executive certifications about assessments to CPPA

Automated decisionmaking technologies
🔸 new requirements when using ADMT for (1) certain significant decisions, (2) "extensive profiling", or (3) certain ADMT training
🔸 accuracy reviews and policies required when using ADMT for certain physical or biological identification/profiling
🔸 pre-use notice requirements before certain ADMT uses occur
🔸 consumer opt-out rights for certain ADMT uses
🔸 consumer access rights for ADMT

There are also reg updates for consent, dark patterns, individual rights request and fulfillment procedures, and privacy notice contents. The draft regulations will be available for public comment; an end date for the comment period was not immediately set by the CPPA in light of the forthcoming holidays.
🚨 Major CCPA Update: New Regulations Effective Jan 1, 2026 🚨

California has finalized broad new CCPA rules that will reshape how companies manage consent, tracking, automation, and privacy governance.

What’s changing? Tighter requirements for:
☑️ Cookie banners & dark pattern restrictions
☑️ Global Privacy Control (GPC) opt-outs
☑️ Privacy policy disclosures
☑️ Mobile app + IoT/AR/VR notices

Plus new obligations around:
☑️ Automated decision-making technology (ADMT)
☑️ Privacy risk assessments
☑️ Cybersecurity audits

Why it matters: This is a major expansion of CPPA oversight. Key requirements include:
- Symmetrical, affirmative consent
- Verified opt-outs (incl. GPC)
- Executive certifications under penalty of perjury
- Annual risk assessment summaries
- Evidence-based cybersecurity audits

Who’s impacted?
✔️ All CCPA-covered businesses (B2C, B2B, SaaS, HR/employee data)
✔️ Companies using tracking or behavioral advertising
✔️ Organizations using or developing automated decision-making
✔️ Teams handling sensitive data, mobile apps, or connected devices

These updates establish a new baseline for privacy and AI governance in California. https://lnkd.in/epSCTgqY