How FullContact Prepared for CCPA

How FullContact Prepared for CCPA

With the California Consumer Privacy Act (CCPA) going into effect at the start of next year, FullContact has been preparing for the developments to come.

We provide brands with the ability to have the most relevant interactions with customers, prospects, and the public based on identity — so the end goals of CCPA are in line with how we view information and how it can be best used to create people-focused experiences. Our foundational belief is that people should come first. This is at odds with how some in our space use identity resolution, but this is our approach, which means we didn’t have to make many changes to comply with CCPA.

Like all companies that fall under the rules laid out in CCPA, we needed to evaluate what the legislation says and assess how it affects our business, our processes, our technology, and most importantly, our customers.

We thought it would be worth sharing our readiness plan to help guide the thinking of our customers and partners, as well as provide assurance that we’re ready for CCPA and future legislation.

Below are the steps we took and the decisions we made along the way:

Understand the CCPA law.

We read the law. We read it again. And you know what, we read it One. More. Time. We read both the legislation itself and the Attorney General’s Proposed Rulemaking Action—a 16-page document laying out and expanding on (in less legalese) the legislation itself.

Truly understand the law.

We had conversations with our lawyers, two different outside counsels, and received guidance from four different outside private entities.

Reviewed all documents provided by the state.

Including the Standardized Regulatory Impact Assessment and Fiscal Impact Report.

Evaluated our tech.

We analyzed our platform top to bottom, looking at every step of every process to ensure we could handle the various flows of user requests for their data. We determined how to manage these user requests immediately, and possibly in the future.

Changed our tech.

Significant changes to our core technology weren’t necessary; most of the engineering work was around handling requests that consumers may make and having a way to verify those requests, in addition to what we already had in place.

We implemented a system to log each request for data changes in our ticketing system. These will be held for 24 months. We’ll be tracking our number of requests and time for responses, and these statistics will eventually be published within our privacy policy after we have captured a year’s worth of data.

Updated our privacy policy.

We simplified and streamlined our privacy policy—making it more human-friendly and less lawyerly, while also clearly outlining our data use cases.

Revised our Own Your Data portal to include four options:

  1. Do not sell my data. The law specifies that companies must notify customers who have gone through us to connect to data within the past 6 months, but we’re also telling all downstream customers when someone makes this request. This requires end-users to use a webform for verification.
  2. Tell me what data you have about me. This requires end-users to use a webform for verification.
  3. Delete my data. This requires end-users to use a webform for verification.
  4. Change my data. This was required of us by GDPR so it was already an option.


We are collecting signed attestation and proof of notice from third party data.


We will have third-party training and testing on CCPA for all employees completed by December 31.

Looked at the bigger picture

As a company, we decided to apply CCPA guidelines to all people throughout the United States.

Reviewed. Reviewed. Reviewed.

As it turns out, there were lots of little things, but no major projects. We believe in transparency and we’re people-focused; we were able to make the necessary adjustments without much engineering effort.

And we’re not done. We proactively review what is coming from legislatures and ballots across the country to help guide our thinking but also because our solutions must be the most stringent.

While this area is continuing to evolve, we plan to be ahead of what’s coming.
It’s the right thing to do.

Recent Blogs