CCPA Compliance: Data Mapping Checklist

Data Mapping

Data mapping is the most important step in becoming CCPA compliant, as it forms the foundation for every other part of the process. Here is what you need to do to create a thorough and reliable data map for your business.

Incoming Personal Information

  • Review the CCPA's definition of "personal information"

    The CCPA’s definition of personal information is expansive, and businesses often collect more of it than they realize.

  • Identify all points where personal information is collected

    Check with every department to understand where they collect information.

  • Categorize consumer groups

    By putting consumers into groups, it’s easier to know what personal information is being collected and how it is used. This also helps with responding to privacy requests.

  • Categorize personal information collected

    Names, email addresses, transaction history, IP addresses, etc.

    • Review for exemptions

      Some of the personal information you collect may be exempt from CCPA (e.g., publicly available information, HIPAA medical information, and more).

  • Identify business purposes for collecting personal information

    Sales and marketing, providing goods and services, technical maintenance, etc.

  • Identify where consumers' personal information is stored

    This will make it much easier to respond to consumers’ privacy requests.

Outgoing Personal Information

  • Review CCPA's definition of "selling" and "sharing" of personal information

    The law’s definition of selling personal information covers many non-monetary transactions, such as receiving a discount on software. Sharing means using personal information for cross-context behavioral advertising (interest-based advertising).

  • Identify all outside parties to whom you disclose personal information

    This should cover everything from credit card processors to Google and Facebook.

  • Categorize outside parties

    Determine whether they are third parties or potentially exempted as CCPA service providers or contractors, then categorize the parties (IT infrastructure, data analytics, etc.).

  • Identify the business purpose for disclosing personal information

    Advertising services, payment processing, etc.

  • Identify all disclosures which qualify as selling or sharing personal information

    Every disclosure to third parties should be examined to determine if the business receives some valuable consideration in exchange. Learn more about this in Step 3: Vendor Classification.

Need help creating your data map?

The CCPA’s rules are complex, and businesses are collecting more personal information than ever. TrueVault simplifies the process of data mapping by providing automated, step-by-step guidance from start to finish. Contact our team today.

Schedule Call