CCPA Governance Guidelines

The California Consumer Privacy Act (CCPA), was enacted in June 2018 and took effect on January 1, 2020. Enforcement of the law, making organizations liable to civil suit and regulatory fines, starts on July 1st, 2020.

The CCPA grants new rights to California consumers:

  • The right to know what personal information is collected, used, shared or sold, both as to the categories and specific pieces of personal information;
  • The right to delete personal information held by businesses and by extension, a business’s service provider;
  • The right to opt-out of sale of personal information. Consumers are able to direct a business that sells personal information to stop selling that information. Children under the age of 16 must provide opt in consent, with a parent or guardian consenting for children under 13.
  • The right to non-discrimination in terms of price or service when a consumer exercises a privacy right under CCPA.
Please go through our CCPA Compliance Checklist for more information.


Consumer privacy is critical for every business. The need to comply with many privacy laws is real. Non-compliance can affect your business financially and worse -- can potentially result in losing your consumer's trust. Trust is everything. Your organization needs to understand the laws and how they affect your business at every level. Everyone in the company, including the executives, should be on board with your compliance efforts. Form a group who will be responsible for privacy law compliance.

Compliance Gaps and Data Mapping

Your business should conduct a thorough analysis of all internal processes dealing with consumer information (collection, processing, selling, sharing with a vendor). During this process, you should also create detailed data flows, documentation, and list of systems that store a consumer's information. Based on the information collected, an audit of your current practices will reveal any gaps in compliance.


Develop a recurring process to update your internal and external policies. Review it with your internal compliance team and legal counsel. You must ascertain that consumers are aware of your Privacy Policy and Data Retention Policy.

The privacy policy on your website must include information on how you deal with personal information, and how is the data collected, processed, and sold (if applicable). Your website's privacy policy should be updated regularly to ensure that the latest version is available to the consumers.

Establish an internal policy to handle the consumer information and discern which information must be disclosed in response to a Data Subject Request. You must review the policies of any vendors you do business with, to make sure they are also in compliance.


Your compliance team must create procedures to deal with each type of data subject requests based on the risk assessment, data analysis, and policies that are in place. This should also include procedures on dealing with a consumer's identity verification. Your compliance team must work with other departments to have ongoing process review and modification.

IT Security

Establishing IT Security policies to protect consumer data from misuse is paramount. Have contingency plans in place to handle any consumer data incidents such as a data breach and loss of data. IT policies should also cover storage and transmission of encrypted consumer data.

System Integration and Automation

There is value in integrating your systems and automating processes. This automation will help you respond to the consumer data requests in an efficient manner. The compliance requests are time sensitive and any automation to respond to the consumer in a consistent manner will help. These automations and integrations will also avoid human error.

Legal Counsel

We recommend your business find and retain a legal counsel specializing in the field of Compliance. The legal counsel is an integral resource who can guide you appropriately. The legal counsel should be part of all discussions pertaining to consumer privacy.


Any employees that deal with consumers over the phone or electronically must be trained appropriately and apprised of any compliance policies and procedures. These employees must understand the importance of privacy laws and the sensitivity of consumers' private information.

Continued Compliance

Compliance is an ongoing process. After the policies, processes, and the compliance task force are in place, you will need to update each in response to any changes or additions to the compliance laws. This might involve re-educating and training employees appropriately.

How can we help?

Based on the information above, governance is quite involved and challenging. Our ZipComply Concierge service helps your business at the consumer end of your web presence. Our Data Governance consulting group can help you with your enterprise level governance and compliance.

  • Risk Assessment
  • Gap Analysis
  • Data Mapping and Inventory
  • Policy Management
  • Procedure Management
  • Training
  • Recurring Compliance Audits
  • IT Security
  • System Integration
  • Automation
Contact Us
Consumer on a Computer