CCPA Compliance for Virtual Assistants: A Business Owner's Guide

VirtualAssistantVA Team


The California Consumer Privacy Act (CCPA), strengthened by the California Privacy Rights Act (CPRA), gives California residents significant rights over how businesses collect, use, and share their personal information. If your business serves California customers and your virtual assistant handles that customer data, CCPA obligations extend to your VA relationship.

This guide explains whether CCPA applies to you, what it requires of your VA relationship, and how to stay compliant without disrupting operations.

See also: GDPR requirements for virtual assistants, data security best practices for VAs, how to create a VA NDA agreement.

Does CCPA Apply to Your Business?

CCPA applies to for-profit businesses that do business in California and meet at least one of these thresholds:

  • Annual gross revenue exceeding $25 million
  • Buys, sells, or receives/shares for commercial purposes the personal information of 100,000 or more California residents/households annually
  • Derives 50% or more of annual revenue from selling California residents' personal information

If your business doesn't meet these thresholds, CCPA likely doesn't apply - but CPRA's stronger protections may apply to your vendor relationships regardless, and building good data hygiene practices is always wise.

The VA as a "Service Provider" Under CCPA

Under CCPA, when you engage a VA to process personal information on your behalf, they typically qualify as a Service Provider - a company/individual that processes personal information for a specific business purpose under a written contract.

As a Service Provider, your VA:

  • May only use California resident data for the purposes specified in your contract
  • Cannot sell or share the data for their own purposes
  • Cannot retain, use, or disclose the data outside of your instructions
  • Must delete or return data at the end of the service relationship

This is distinct from a Third Party, where data is shared for the recipient's own independent use.

The Service Provider Contract Requirement

CCPA requires a written contract with any Service Provider who processes personal information on your behalf. This contract must:

  1. Specify that the personal information is disclosed only for limited and specified purposes
  2. Obligate the Service Provider to comply with CCPA
  3. Give you the right to take reasonable steps to ensure CCPA compliance
  4. Require the Service Provider to notify you if they can no longer meet CCPA obligations
  5. Give you the right to take reasonable and appropriate steps to stop/remediate unauthorized use

In practice, you're adding CCPA language to your VA service agreement or including a separate addendum. Many attorneys offer CCPA addendum templates for small business vendor agreements.

What Your VA Must and Cannot Do with California Data

Your VA CAN:

  • Access and process California resident data for the specific tasks you've assigned (customer service, CRM updates, email management, etc.)
  • Retain data only for as long as necessary to provide the service
  • Disclose data to sub-processors (tools they use) that are also bound by CCPA service provider restrictions

Your VA CANNOT:

  • Sell California residents' personal information
  • Share the data with any third party for commercial purposes outside your instructions
  • Use the data to build profiles about California residents for the VA's own business purposes
  • Retain data beyond the termination of your service relationship without written permission

California Consumer Rights Your VA Must Support

California residents have the following rights under CCPA/CPRA, and your VA may encounter requests for these in their daily work:

  • Right to Know: within 45 days, disclose what personal information is collected, how it is used, and who it is shared with
  • Right to Delete: honor deletion requests (with limited exceptions) within 45 days
  • Right to Correct: correct inaccurate personal information within 45 days
  • Right to Opt-Out of Sale/Sharing: honor opt-outs within 15 business days
  • Right to Limit Use of Sensitive PI: restrict use of sensitive categories (SSN, health data, financial data)
  • Right to Non-Discrimination: cannot discriminate against consumers exercising CCPA rights

Train your VA to recognize these requests and immediately escalate them to you. CCPA has strict timelines and penalties for failure to respond.

Sensitive Personal Information Under CPRA

The CPRA introduced a category of "Sensitive Personal Information" with heightened protections. If your VA handles any of the following, additional restrictions apply:

  • Social Security numbers, driver's license numbers
  • Financial account details (account numbers, login credentials)
  • Precise geolocation data
  • Racial/ethnic origin, religious beliefs, health or medical information
  • Contents of private emails/texts unless you're the intended recipient
  • Genetic or biometric data

Restrict your VA's access to sensitive PI to the absolute minimum needed for their specific tasks.

Data Minimization and Retention Policies

CPRA (effective 2023) strengthened CCPA with explicit data minimization requirements:

  • Collect only personal information that is reasonably necessary and proportionate to the purposes for which it's collected
  • Do not retain personal information for longer than is necessary
  • Apply this to your VA's data access: give them access to the minimum fields needed, not entire customer databases

Build a simple data retention policy for your VA:

  • Customer service data: retain for support lifecycle + 90 days
  • Lead data: retain while lead is active + 12 months post-close
  • Financial transaction data: per applicable financial record retention laws
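As an added example (not code from the article or from VirtualAssistantVA), the Python below shows one way to enforce both the field-level minimization described earlier and the retention schedule above: each VA task gets an allowlist of fields, sensitive PI categories are never released even if an allowlist is misconfigured, and each record type gets a computed purge date. The task names, field names and record shape are assumptions.

```python
from datetime import date, timedelta
from typing import Optional

# Assumed field names for the CPRA sensitive PI categories listed in the article.
SENSITIVE_FIELDS = {"ssn", "drivers_license", "account_number", "login_password",
                    "precise_location", "health_notes", "religion", "ethnicity"}

# Hypothetical per-task allowlists: the VA sees only the fields the task needs,
# never the whole customer record.
TASK_FIELDS = {
    "customer_service": {"customer_id", "name", "email", "open_tickets"},
    "crm_update": {"customer_id", "name", "email", "phone", "company"},
}

def project_record(record: dict, task: str) -> dict:
    """Return only the fields the given task may see.

    Fails closed: an unknown task raises KeyError, and sensitive PI fields are
    stripped even if someone accidentally adds them to a task allowlist.
    """
    allowed = TASK_FIELDS[task] - SENSITIVE_FIELDS
    return {k: v for k, v in record.items() if k in allowed}

def retention_deadline(data_type: str, closed_on: date) -> Optional[date]:
    """Purge date for a record whose lifecycle ended on closed_on.

    Mirrors the article's schedule: support data is kept 90 days after the
    ticket closes, lead data 12 months after the lead closes. Financial
    records follow separate retention laws, so None means "not decided here".
    """
    if data_type == "customer_service":
        return closed_on + timedelta(days=90)
    if data_type == "lead":
        try:
            return closed_on.replace(year=closed_on.year + 1)
        except ValueError:  # 29 Feb has no equivalent next year
            return closed_on.replace(year=closed_on.year + 1, day=28)
    if data_type == "financial":
        return None
    raise ValueError(f"unknown data type: {data_type}")

def should_purge(data_type: str, closed_on: date, today: date) -> bool:
    """True when the record has passed its retention deadline."""
    deadline = retention_deadline(data_type, closed_on)
    return deadline is not None and today > deadline
```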

Auditing Your VA's CCPA Compliance

CCPA gives you the right to audit your Service Provider's compliance. Practical steps:

  • Quarterly: Review what California resident data your VA has access to and whether the scope is still appropriate
  • Annually: Confirm your VA's tools and sub-processors have their own CCPA-compliant data practices
  • At offboarding: Document that California resident data has been returned or destroyed per your contract

Frequently Asked Questions

Does CCPA apply to B2B data or just consumer data?

CCPA primarily covers personal information of California residents acting as consumers. Business contact information used strictly for B2B transactions has had some exemptions, though these have evolved. Consult a privacy attorney for your specific situation.

Can my VA be based outside the US and still handle California customer data under CCPA?

Yes - CCPA applies based on where your customers are, not where your VA is located. Ensure your Service Provider contract covers CCPA obligations regardless of your VA's geography.

What's the penalty for CCPA violations?

The California Attorney General can impose civil penalties of $2,500 per unintentional violation and $7,500 per intentional violation. Consumers also have a private right of action for data breaches - $100–$750 per consumer per incident, or actual damages.

If I'm already GDPR compliant, am I CCPA compliant?

GDPR compliance gives you a strong foundation, but CCPA/CPRA has distinct requirements - particularly around the right to opt-out of sale/sharing and the specific contract language for service providers. You'll need to review your VA agreements specifically for CCPA.

Ready to Hire a Compliant VA?

Virtual Assistant VA connects businesses with vetted virtual assistants who understand data handling requirements and can operate within your privacy compliance framework.
