Skip to content

Q&A: CCPA Enforcement Arrives, What Merchants Need to Do Now

CNP q&a - CCPA

Merchants were expected to begin complying with the California Consumer Privacy Act (CCPA) in January, but enforcement of the law only began this week on July 1, 2020.

CCPA gives Californians the right to opt out of the sale of their personal information. Similar to European Union’s General Data Protection Regulation (GDPR), which went into official enforcement in 2018, residents of the state can also ask to have their data deleted and to know what information about them has been collected. The requirements apply to for-profit businesses that have annual revenues of more than $25 million, possess the personal information of 50,000 or more consumers, households, or devices; or earn more than half of their annual revenue from selling consumers’ personal information.

The law will apply to every online retailer that sells to California consumers, as most merchants collect a consumer’s name, location, IP address and identifiers that track their web and app use on internet-connected devices. Business face steep fines if they don’t comply, including a civil penalty of up to $7,500 per record for each intentional violation, and $2,500 per record for each unintentional violation.

 survey conducted last year from personalization data vendor PossibleNOW of 1,500 businesses found only eight percent of merchants felt ready to comply with the law at the time.

CardNotPresent recently published guidelines and suggestions for getting things in order to comply with CCPA.

Ameesh Divatia, co-founder and CEO of Baffle, a data protection solutions provider, spoke to CNP about where he thinks merchants are with understanding the law now, and what they need to be doing to ensure compliance now that the law is enforced. 

(Link to the Article)

Join our newsletter

Schedule a Demo with the Baffle team

Meet with Baffle team to ask questions and find out how Baffle can protect your sensitive data.


No application code modification required


Deploy in hours not weeks


One solution for masking, tokenization, and encryption


AES cryptographic protection


No impact to user experience