CCPA compliance

Helping organizations comply with the California Consumer Privacy Act.

CCPA grants consumers the right to request a business to disclose the categories of personal data, sources from which that data is collected, the business purposes for collecting or selling the data, and what third parties the private information is shared. On January 1, 2021, these rights extend to employees.

What is CPRA?

CPRA amends the CCPA to create additional consumer privacy rights, such as the right of correction and the right to limit the use and disclosure of sensitive personal information.

It also establishes the California Privacy Protection Agency (CPPA), shifting rulemaking and enforcement authority from the California Attorney General to the new state agency.

CPRA effectively nullifies the debate, incorporating individuals’ ability to opt-out of the sharing of information — not just its sale — for behavioral advertising purposes. Businesses would have to disclose how long they keep data and ensure that the timeline is only as long as is “reasonably necessary."

CPRA goes into effect on January 1, 2023 with retroactive oversight into a company’s data practices as far back as January 2020. 

CCPA timeline

How Mazars helps

Our experienced privacy specialists help organizations understand the risk exposure from the CCPA and define a clear plan to mitigate compliance risk in the areas of:

Privacy governance

  • Policy development
  • Privacy notice
  • Vendor contract management

Data classification

  • Privacy classification
  • Data security controls

Compliance monitoring

  • Risk assessment (PIA/DPIA)
  • Demonstrate compliance
  • Risk management program
  • Data registry (RoPA)


  • Cure activities
  • Consumer rights requests
  • AG response
  • Incident & data breach response

CCPA enforcements

  • Who can Enforce? Enforcements are ordered by the California Attorney General
  • Cost of Fines? $7,500 fine per violation, $100-$750 per incident or damages; whichever is greater
  • Obligations? Disclose types of private data collected, processed, shared and sold
  • Verify identity of consumer before fulfilling requests
  • Respond to Consumer Rights request within 45 days
  • Quality of service can not be reduced due to consumer objections

Common CCPA data challenges data controls

  • Creating a control environment that maps regulator requirements

Data discovery

  • Understanding where data is located and where it is shared inside and outside the company

Data classification

  • Current state assessment of the data type, and data controls

Data management

  • How to enforce rules and demonstrate compliance (Internal and 3rd party)

Data response

  • Responding to data subject requests and breach notification to Attorney General and consumer

Data retention

  • Understanding how to manage data retention across the organization


  • Siloed systems
  • Lack of interfaces
  • Limited infrastructure


  • Limited personnel
  • Integrated skill sets
  • High cost

Ready to get started?

Contact us