Skip to main content
CCPA & CPRA Gap Assessments

CCPA & CPRA Gap Assessments for Business in California and Throughout North America

CCPA & CPRA Gap Assessments for California's Data Privacy Mandates

The California Consumer Privacy Act (CCPA) is without question landmark legislation enacted to give consumers greatly enhanced privacy rights and protection clauses within the state of California. As an organization, if you’re doing business in the state of California that meets one or more of the following criteria, then it’s time to get serious about CCPA compliance:

  • Has annual gross revenue of more than $25 million;
  • Buys, receives, sells, or shares the personal information of 50,000 or more consumers, households or devices, per year; or
  • Derives at least 50 percent of its annual revenues from selling consumers’ personal information.

Then, on November 3, 2020, California voters approved a ballot initiative, enacting the California Privacy Rights Act (CPRA), effectively amending the CCPA to create the most sweeping consumer data protection law in the United States.

Five-Step Process for CCPA & CPRA Gap Assessments

Centris offers CCPA & CPRA Gap Assessments for businesses seeking assistance with what’s arguably the most demanding and comprehensive data privacy regulation in the United States. Centris’ five-step CCPA & CPRA Gap Assessment process consist of the following phases:
 

(1) Defining Scoping Considerations:

Combined, the initial CCPA legislation and the newly mandated CPRA requirements are creating huge challenges for businesses having to comply with California’s sweeping data privacy measures. Therefore, it’s essential to assess and validate the following critical scoping issue when beginning a CCPA & CPRA assessment:

  • What types of categories of personal data (per CCPA 1798.140) is deemed in scope for CCPA & CPRA?
  • How is personal data being collected, used, shared & disclosed, stored, protected, retained, and disposed of?
  • What third-parties are also considered in scope for the CCPA & CPRA, why, and do they have proper controls in place?
 

(2) Assessing Data Privacy Requirements & Gaps:

The operational aspects of CCPA & CPRA compliance are far-reaching indeed as businesses need to ensure that various H.R., legal, privacy, and other prescriptive requirements are met for compliance with regards to the CCPA codes of 1798.100 to 1798.199.100. With Centris, we have a customized checklist used for ensuring full coverage of all the CCPA and CPRA codes.

 

(3) Assessing Information Security Requirements & Gaps:

Per code 1798.100, “…A business that collects a consumer’s personal information shall implement reasonable security procedures and practices. Centris will do a deep dive in identifying what “…reasonable security procedures and practices…” are in place, what gaps exist, and next steps necessary for correcting security control deficiencies in terms of technical controls and policies and procedures.

CENTRIS

Leaders in Security & Regulatory Compliance

Risk Strategies & Methodologies
Risk management planning reduces exposure to a wide-range of issues that could have detrimental effects on a business. Not knowing, planning, or responding to risks and related issues can leave an organization with few options in combating risks when they actually surface.
CENTRIS Advisory Methods
Strategic Planning & Integration
Every organization is moving towards a digitized business model, so isn’t it time to strategize on some of the most critically important elements for your business?
Explore CENTRIS Strategies
Regulatory Compliance Experts
Build scalable, adaptable, and efficient compliance solutions for increased organizational efficiency, while also improving core InfoSec, cybersecurity, operational and data privacy controls and best practices.
Regulatory Compliance For All Industries

Non-Compliance with the CCPA & CPRA Can Be Very Costly

According to a statement from the California Attorney General, businesses that include data brokers, marketing companies, media outlets, online retailers, and entities handling children’s information were found to be in violation of the CCPA in recent years. As such, California’s AG published a list of enforcement examples in which notices of CCPA noncompliance were sent to businesses, for which such issues cited included the following:

  • Not providing required notices to consumers.
  • Non-compliant service provider contracts.
  • Non-compliant privacy policy.
  • No “Do Not Sell My Personal Information” link on a website’s homepage.
  • Not providing a Notice of Financial Incentive to consumers.
  • Non-compliant opt-out process.
  • Not providing a toll-free number for consumers making CCPA requests.
  • Sales of minors’ personal information.
 

(4) Assessing Documentation Requirements & Gaps:

Policies and procedures are a heavy mandate for the CCPA & CPRA, much like many of today’s regulations. Centris can quickly identify policy and procedure gaps, along with offering comprehensive remediation services for developing all required information security, cybersecurity, operational, and human resources documentation as required within the stated CCPA and CPRA codes.

 

(5) Remediation Activities:

Almost any organization undertaking a CCPA & CPRA gap assessment will have found areas requiring remediation as the scope and reach of both the California Consumer Privacy Act and the California Privacy Rights Act can be massive. From helping establish tighter information security controls to developing robust policies and procedures – and more – we offer a full menu of CCPA & CPRA remediation services.

With Centris, we offer a wide range of data privacy, cybersecurity, and regulatory compliance solutions and services, including assessments & programsdata governancedata mappingPIADPIAGDPR assessments, CCPA/CPRA assessments, international international privacy assessments, U.S. state privacy assessments, EU Cloud Code of Conduct, Microsoft SSPA/DPR, along with data privacy programs.

Why Centris for CCPA & CPRA Gap Assessments?

  • Proven methodology that’s quick, comprehensive – and with fixed-fee pricing.
  • Experts at remediating CCPA & CPRA gaps and documentation deficiencies.
  • Experience in working with all industries and sectors relating to CCPA & CPRA.

Additional Related Services

Customized Data Privacy Programs | Data Privacy Cons...

Growing cybersecurity threats, coupled with increased laws and regulations are forcing organizations to truly take the time in assessing – and documenting – how they collect, use, share & disclose, store, protect, retain, and dispose of their data...
Read this article

EU Cloud Data Protection Code of Conduct Gap Assessm...

The EU Data Protection Code of Conduct for Cloud Service Providers, simply known as the EU Cloud Code of Conduct, is a framework consisting of a set of requirements for Cloud Service Providers (CSP) supported by a Control Catalogue. This is impor...
Read this article

Microsoft Supplier Security & Privacy Assurance Prog...

Per Microsoft, “The Microsoft Supplier Data Protection Requirements” apply to each Microsoft supplier that Processes Personal Data or Microsoft Confidential Data in connection with that supplier’s performance (e.g., provision of services, software...
Read this article

U.S. State Data Privacy Assessments, Consulting and ...

Almost every state is now following in the footsteps of California in developing comprehensive laws regarding an individual’s data privacy rights. In the near future, it’s quite possible that every state will adopt meaningful data privacy laws, a...
Read this article

International Data Privacy Assessments for U.S. and ...

While most of the world is focusing on the likes of the General Data Protection Regulation (GDPR), along with the California Consumer Privacy Act (CCPA), there’s much more to data privacy than these two well-known pieces of legislation. Canada, B...
Read this article

GDPR Assessments for Controllers and Processors

Centris offers GDPR gap assessments for organizations all throughout North America seeking assistance with what’s arguably the most demanding and comprehensive data privacy regulation in the world. GDPR compliance for U.S. companies has hit our sh...
Read this article

Data Protection Impact Assessments (DPIA) | GDPR Con...

The General Data Protection Regulation (GDPR), under Article 35, requires, under certain circumstances, that a Data Protection Impact Assessment (DPIA) be performed by controllers if certain conditions exist. Specifically, “Where a type of process...
Read this article

Privacy Impact Assessments (PIA) | Minimize Privacy ...

The safety and security of all types of data is now front and center in today’s business arena due to growing cybersecurity threats, coupled with increased data privacy laws and regulations. With Centris, our PIA process is efficient, yet compre...
Read this article

Data Mapping for Security and Privacy | Improve Deci...

The safety and security of data (all types and all formats) is now more important than ever, thanks in large part to growing data privacy and cybersecurity regulations that are impacting organizations all throughout the globe. The General Data Pro...
Read this article

Data Governance Plan and Consulting Services | PIA, ...

When performed correctly, a quality data governance assessment provides organizations with an actionable roadmap for designing and implementing a sustainable data governance program that ultimately improves efficiency, promotes transparency, enabl...
Read this article

    Protect Your Digital Systems & Ensure Compliance at All Levels

    From robust security and compliance solutions to risk analysis and corporate strategy - partner with CENTRIS for enterprise resilience.

    Let's talk about your business - Contact CENTRIS Today