May 22, 2024
5 min read

CCPA Explained for Developers


TL;DR: Who must comply with the CCPA? Any business collecting data from California residents must comply, regardless of location. How does CCPA compliance change workflows? It requires mandatory disclosures, consumer data access and deletion, and regular data procedure reviews.

A key U.S. policy to be aware of is the California Consumer Privacy Act (CCPA), the first of its kind in the United States. It took effect on January 1st, 2020, and was later amended with additional data protections by the California Privacy Rights Act (the majority of which took effect on January 1st, 2023).

The CCPA is only increasing in relevance as other states use it as a template for their own privacy protection acts, namely Virginia’s CDPA, Colorado’s CPA, and Utah’s UCPA. In this article, we’ll explain who is covered by the Act, why you should care about it regardless of your business's location, and how the CCPA might affect your development workflow.

Before you continue: This isn't legal advice, and you should consult with legal counsel to ensure you’re implementing CCPA properly for your circumstances.

Who Must Become Compliant With CCPA?

The CCPA's standards are directed primarily at data-driven platforms. The Act defines minimum thresholds and target audiences with easy-to-understand metrics that are widely available in summary online.

The CCPA departs from other, similar policies in defining its target protected audience. Previous policies outline the differences between consumers and customers, which determine a company’s responsibilities for data collection, storage, and sale. The CCPA covers California residents, a far broader category.

If your platform, service, or business collects data from California residents for sale, diagnostic use, or other reasons, you likely fall under CCPA coverage, even if your business is not registered in the state of California. A development team must be aware of the data they gather, where and how it is stored, and, more importantly, be able to convey this to other teams within their organization, particularly the legal team.

How Would Your Development Flow Change to Achieve Compliance?

If your business must comply with the CCPA, your development team will have specific obligations for data collection, storage, and processing. These include integrating mandatory notice disclosures into your platform to inform consumers about what data is collected, processed, and shared.

  • Developers will need to work much more closely with their legal team to stay updated on how the regulations apply to a particular platform or development process. Beyond establishing more frequent contact with the legal team, the CCPA requires businesses to disclose to the consumer how data is collected and used, including the ability to opt in to and out of this collection and sharing. Developers must work directly with their legal teams to ensure this disclosure reflects the current state of the product.
  • Because of this disclosure and the actions consumers must be able to take, the development team must make their platform more flexible in how it collects data, including the ability for consumers to request copies of their personal information and its deletion. Depending on a platform’s existing structure, this may take a development team extra time to add or adjust.
  • To ensure that the platform and product are CCPA compliant, DevOps will need to conduct a comprehensive review of current data collection and storage procedures to ensure there are no outstanding privacy infractions or structural weaknesses to be immediately addressed.
  • In addition to internal structures and procedures, entities covered by the CCPA hold certain additional responsibilities for data shared with third-party vendors and service providers. Developers will need to address outstanding contracts with their legal team to ensure that the third party is itself compliant and that the contract maintains your platform’s integrity.
  • Development teams should establish a recurring review process to ensure that all future changes to the platform are CCPA compliant. These review processes should also update the legal team on any changes to data collection. These regular reviews should include a review of third-party tools and infrastructure as relevant.
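The obligations listed above (a disclosure of what is collected and shared, consumer opt-out, access and deletion requests, third-party propagation, and an audit trail the recurring review can read) can be backed by a small data inventory in code. The following is an added illustration, not Doppler's code or anything the CCPA prescribes; the store names, the "analytics_vendor" processor, and the consumer records are all constructed for the example.

```python
# Added example (not Doppler's code): an in-memory data inventory that backs
# the workflow obligations above: a machine-readable disclosure of what is
# collected and with whom it is shared, opt-out of sale/sharing, consumer
# access (export) and deletion requests, and an audit trail for the recurring
# review. Store names, the "analytics_vendor" processor and all consumer
# records are constructed for illustration.
from dataclasses import dataclass, field
from datetime import datetime, timezone


@dataclass
class DataSource:
    """One place personal information lives, plus why and with whom it is shared."""
    name: str
    purpose: str
    shared_with: list = field(default_factory=list)   # third-party processors
    records: dict = field(default_factory=dict)       # consumer_id -> fields


class ConsumerDataRegistry:
    def __init__(self):
        self.sources = {}
        self.opted_out = set()     # consumers who declined sale/sharing
        self.audit_log = []        # (timestamp, action, consumer_id, detail)

    def _log(self, action, consumer_id, detail=""):
        stamp = datetime.now(timezone.utc).isoformat()
        self.audit_log.append((stamp, action, consumer_id, detail))

    def register(self, source):
        self.sources[source.name] = source

    def disclosure(self):
        """Machine-readable notice: what is collected, why, and who receives it."""
        return [
            {"source": s.name, "purpose": s.purpose, "shared_with": list(s.shared_with)}
            for s in self.sources.values()
        ]

    def opt_out(self, consumer_id):
        self.opted_out.add(consumer_id)
        self._log("opt_out", consumer_id)

    def may_share(self, consumer_id, source_name):
        """Gate every outbound share on the consumer's opt-out status."""
        source = self.sources[source_name]
        return bool(source.shared_with) and consumer_id not in self.opted_out

    def export(self, consumer_id):
        """Access request: a copy of everything held about this consumer."""
        found = {
            name: dict(s.records[consumer_id])
            for name, s in self.sources.items()
            if consumer_id in s.records
        }
        self._log("export", consumer_id, f"{len(found)} sources")
        return found

    def delete(self, consumer_id):
        """Deletion request: remove from every store and list processors to notify."""
        deleted, notify = [], set()
        for name, s in self.sources.items():
            if s.records.pop(consumer_id, None) is not None:
                deleted.append(name)
                notify.update(s.shared_with)
        self._log("delete", consumer_id, f"deleted={deleted} notify={sorted(notify)}")
        return {"deleted_from": deleted, "notify_processors": sorted(notify)}


def build_sample_registry():
    """Constructed sample data: one consumer present in two stores."""
    reg = ConsumerDataRegistry()
    reg.register(DataSource("account_db", "provide the service",
                            records={"c-42": {"email": "c42@example.com"}}))
    reg.register(DataSource("analytics_events", "product analytics",
                            shared_with=["analytics_vendor"],
                            records={"c-42": {"last_seen": "2024-05-01"}}))
    return reg


if __name__ == "__main__":
    reg = build_sample_registry()
    print(reg.disclosure())
    reg.opt_out("c-42")
    print(reg.may_share("c-42", "analytics_events"))   # False after opt-out
    print(reg.export("c-42"))
    print(reg.delete("c-42"))
    print(reg.export("c-42"))                          # {} once deleted
```

The point of keeping `shared_with` on each source is that a deletion request returns the list of processors that must also be told, which is the third-party obligation above; the audit log gives the recurring review a record of every access, deletion, and opt-out without exposing the underlying data.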

What if my team doesn’t target California Residents?

There are plenty of reasons to become familiar with the CCPA, or even become CCPA compliant, even if your business does not target California residents.

Many of the CCPA standards help establish a cohesive, accountable development team that is prepared against data breaches and understands the proper procedures in the event of a breach. Record-keeping policies help keep track of what data is being stored and where, and bake more intentionality into the development process.

Additionally, the CCPA has only increased in popularity and relevance, becoming a template for other states to pass their own consumer privacy laws. Even if your team doesn’t operate in California or target California residents, these trends indicate your team may soon fall under similar regulations. Becoming familiar with these standards ensures a smooth transition into new obligations and allows for expansion into markets that already require these more stringent protections. In short, taking steps towards compliance builds the resilience and flexibility needed for success in a complex legal landscape now and in the future.

Protecting customer data is important for building and maintaining trust. Your data is one of the most valuable parts of your organization. Did you know that Doppler can help protect your customer data by ensuring secure access to your application secrets? Learn more about how we can help manage your API keys, tokens, and more.
