CCPA Compliance Assessment

Our data privacy and compliance experts translate the technical into practical and cut through less-than-specific legal requirements to navigate the complex compliance with the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA).

Contact Cyber Experts
/en/services/cyber-risk/assessments-testing/ccpa-compliance-assessment /-/media/kroll/images/services/ccpa-compliance-assessment-desktop-banner.jpg service

Organizations subject to the CCPA must evaluate their compliance with an increasing set of regulations designed to give consumers more control over their personal information. The CCPA, strengthened by CPRA passed in November, secures new privacy rights, audit obligations and mandates reasonable cyber security measures. To evaluate your organization’s CCPA exposure, Kroll experts can assess your organization’s current privacy and cyber security posture and build a roadmap to becoming compliant.

Initial CCPA Gap Analysis

Our experts will assess your organization’s current compliance with CCPA through a review of existing policies and controls using a cloud-based questionnaire that facilitates collaboration. The analysis identifies the relevant clauses of the statute and explains those clauses in plain English. Stakeholders from your organization, including privacy and compliance officers, information security leaders and legal counsel, can be assigned specific questions and our team will help with the completion of the questionnaire.

The initial assessment will identify gaps and provide recommendations against:

  • Adequate provision of notices regarding the collection of personal info (PI)
  • How the collection of PI is conducted and whether it matches the privacy notice
  • Assessing the value of the PI collected and documenting the method used for such calculation
  • Ability to manage requests such as:

    • Right to know
    • Right to delete
    • Right to opt out of third-party sales and sharing
    • Right to nondiscrimination
    • Right to correction
    • Right to data portability
  • Sharing of PI for behavioral advertising
  • Scope of collection and retention of PI are reasonable and documented


Business Unit and/or Vendor Assessments for CCPA

It’s important to recognize that CCPA compliance is a gradual process that may be more efficiently approached in phases, depending on the size and structure of the organization. The flexibility of our cloud-based assessment questionnaire allows organizations to examine specific business units, regions or vendors and how they’re complying with CCPA requirements from a central location. Tracking first and third-party compliance from a single dashboard gives your privacy office greater visibility and helps identify areas of focus, maximizing the impact of your efforts.

CCPA Risk Assessment Through CIS Controls™

The CCPA requires all organizations to implement reasonable security measures to protect personal information. Our experts will conduct a cyber security program assessment using the Center for Internet Security (CIS) Top 18 Controls, which have been adopted by the state of California, to evaluate your organization’s security controls and processes. The assessment includes:


Data Mapping and Inventory Exercise

The CCPA grants California consumers the right to know what personal information is being collected, used, shared or sold. To properly provide this information to clients, your organization must perform a thorough data inventory and update it on a frequent basis, mapping existing data flows and noting where data is transferred to, stored, and the security controls in place.

The data inventory exercise also helps identify third parties that may have access to PI, and our privacy and contract experts can then help review agreements to identify potential exposure, such as the inability to audit in the event of a cyber security incident.

Watch Jonathan Fairtlough, Managing Director in Kroll’s Cyber Risk practice, discuss the importance of a data inventory:

Diverse Data Privacy Managed Services

Augment your data privacy office with Kroll resources to provide strategic cover during periods of heavy activity, such as M&A, or for day-to-day privacy program management to handle anything from data subject requests tracking to structuring your data protection office in its entirety.

Full Service Support for the CCPA and Data Privacy Regulations Worldwide

Kroll merges cyber security, compliance, risk, contracts and valuations expertise to deliver practical data privacy and digital trust solutions  based on your needs, anywhere in the world.

Our experts understand the ins and outs of the CCPA regulations and several data privacy laws worldwide. We have guided organizations of all sizes through compliance and understand how to implement meaningful change. Count on Kroll to assess your current posture and help you comply with the CCPA.

Related Team

Connect with us

Yvette Gabrielian
Yvette Gabrielian
Data Insights and Forensics
Los Angeles
Gregory Michaels
Greg Michaels
Managing Director and Global Head of Proactive Services
Cyber Risk
Rich Vestuto
Rich Vestuto
Managing Director
Legal Management Consulting
New York

See all servicesStay Ahead with Kroll


Valuation of businesses, assets and alternative investments for financial reporting, tax and other purposes.

Compliance and Regulation

End-to-end governance, advisory and monitorship solutions to detect, mitigate and remediate security, legal, compliance and regulatory risk.

Corporate Finance and Restructuring

Middle Market M&A, Strategic Advisory, Debt Advisory and Private Capital Markets, Restructuring and Insolvency Services, Financial Due Diligence, Fairness Opinions, Solvency Opinions and ESOP/ERISA Advisory.

Cyber Risk

Incident response, digital forensics, breach notification, managed detection services, penetration testing, cyber assessments and advisory.

Environmental, Social and Governance

Advisory and technology solutions, including policies and procedures, screening and due diligence, disclosures and reporting and investigations, value creation, and monitoring.

Investigations and Disputes

World-wide expert services and tech-enabled advisory through all stages of diligence, forensic investigation, litigation, disputes and testimony.

Business Services

Expert provider of complex administrative solutions for capital events globally. Our services include claims and noticing administration, debt restructuring and liability management services, agency and trustee services and more.


Q4 2021 Threat Landscape: Software Exploits Abound

Feb 16, 2022

by Keith WojcieszekLaurie Iacono George Glass


Building a Data Inventory – Fundamental Steps

Apr 29, 2020


Potential Pitfalls of the CCPA Exemptions: Ensuring Reasonable Security Measures

Mar 24, 2020

Financial Compliance Regulation

Preparing for the Consumer Duty – Monitoring and Driving Customer Outcomes Using Data

Mar 24, 2023

by Mark TurnerDan YeloffMatt Austen

Press Release

Kroll Responder Recognized in 2023 Gartner Market Guide for Managed Detection and Response Services for the Third Consecutive Year

Mar 23, 2023


Kroll Launches Cyber Partner Program Delivering Lifetime Returns

Feb 28, 2023


Kroll Named an MDR “Champion” by Bloor Research

Feb 27, 2023

Press Release

Gartner Names Kroll a Representative Vendor for Managed Security Incident and Event Management

Jan 09, 2023


Kroll at RSA Conference 2023

Conference Conference Apr 24 - Apr 27, 2023 | Conference


KAPE Intensive Training and Certification

Online Event Online Event Apr 13 - Dec 07, 2023 | Online Event