• As Jan. 1, 2020 nears, we continue to examine regulatory readiness and what businesses need to think about for CCPA compliance. In a previous post, we discussed five steps businesses should take for compliance:

    1. Audit, analysis, and assessment
    2. Awareness
    3. Designed future-state
    4. Operationalization model
    5. Ongoing governance 

    While compliance is still a moving target, we wanted to break out how to apply these steps in detail. This particular post will focus primarily on step 1: audit, analysis, and assessment. Please note: this post applies to the CCPA as currently written, as of July 31, 2019; if the bill is amended, this post may be updated.

    Step 1 is all about mapping existing processes and data flows against CCPA requirements to scope the impact of changes and identify stakeholders. Getting everything ready from the outset will streamline processes and implementation.

    The Audit: what are your compliance obligations?

    While your compliance obligations may vary depending on your specific business model, in broad strokes, you should be prepared to offer consumers the right to disclosure, access, deletion, opt out, and equal service.

    Further, the CCPA requires businesses to inform consumers of the rights listed above in their privacy policy and update that policy on an annual basis, as well as provide a link on their homepage titled, “Do Not Sell My Personal Information,” to facilitate opt outs of the sale of information.

    Analysis and assessment: how will the above obligations affect your business and how should you plan to execute on them?

    Largely, the CCPA focuses on providing consumers with greater transparency into data collection and processing. As such, when it comes to organizational impact, there are a number of workflows to consider, internally and externally.


    When thinking about what you need to do for internal compliance, keep in mind that the CCPA has a one year look-back for access requests. While the CCPA goes into effect in 2020, you should be ready to provide data as far back as Jan 1, 2019.

    • Data hygiene—If you haven’t already, now is the time to focus on exactly what you’re collecting and why. This will address the consumer’s right to disclosure, and you should be prepared to address why you collect the data you do. To reduce liability, you should consider only collecting the minimum amount of data necessary required for your business operations.
      Typical stakeholders may include: data science, marketing, analytics, and legal.
    • Privacy policy updates—As mentioned previously, the CCPA requires businesses to inform California consumers of the rights listed above. Your legal teams should review existing policies to ensure this is addressed.
      Typical stakeholders may include: legal.
    • Site updates—An appropriately updated website should enable a consumer to exercise their right to opt out and access or delete their personal information.
      Typical stakeholders may include: IT and web development.
    • Systems and process updates—To ensure compliance with executing a consumer opt out, access, or deletion request, you should consider how you plan to process opt outs and provide and/or delete consumer data. This may involve passing opt outs to other partners down the line or signaling deletion requirements to your customer relationship management (CRM) system.
      Typical stakeholders may include: data science, engineering, product development, and legal.


    It makes sense to focus on data-sharing with existing and new vendors and their compliance road maps to help streamline compliance.

    • Existing vendor assessments—Before the CCPA goes into effect, consider taking full inventory of who you’re working with, why you work with them, and what they’re collecting and processing. It also makes sense to review your contracts and ask about their compliance plans.
    • New vendor consideration—Regulatory compliance for something as complex as data privacy isn’t easy. Frequently it makes sense to work with a third party focused on a specific aspect of compliance. For example, working with a partner to fulfill data subject access requests or a consent management platform to handle opt outs.

    While compliance is always an ongoing effort, the audit, analysis, and assessment phase makes sure you have an accurate idea of your current preparedness to help determine what’s necessary for a company-level concerted effort for compliance. 

    Subscribe to RampedUp.us to be one of the first to read the next blog in our CCPA readiness series on Step 2: Awareness and Designed Future State. 

    The information provided in this blog does not constitute legal advice. Please consult your legal counsel to obtain legal advice.


    Subscribe to RampUp