CCPA Data Mapping & Inventory Assessment | Ocybersec
CCPA · Data Mapping & Inventory Assessment

Is your organization ready for CCPA Data Mapping compliance?

Answer 25 questions across 5 key CCPA data mapping domains and get an instant readiness score — no email required. Understand your exposure before a California consumer exercises their rights.

✓ 25 questions · ~5 minutes
✓ Instant donut chart results
✓ Covers all 5 data mapping domains
✓ 100% free
D1 — Personal Information Inventory
Identifying and cataloguing all categories of personal information collected
D1 — Q1
Does your organization maintain a formal, up-to-date inventory of all categories of personal information (PI) collected from California consumers, including name, email, IP address, purchase history, and inferences?
D1 — Q2
Have you identified and documented all sources through which personal information is collected (e.g., website forms, mobile apps, cookies, third-party data brokers, customer support interactions)?
D1 — Q3
Does your inventory specifically identify Sensitive Personal Information (SPI) as defined under CPRA, such as Social Security numbers, financial account details, precise geolocation, health data, and biometric data?
D1 — Q4
Is the personal information inventory reviewed and updated at least annually, or whenever a new data collection process, product feature, or third-party integration is introduced?
D1 — Q5
Does the inventory document the business or commercial purpose for collecting each category of personal information, aligned with your Privacy Policy disclosures?
D2 — Data Flows & Processing Activities
Mapping how personal information moves, is processed, and shared across systems
D2 — Q1
Has your organization created data flow diagrams or maps that document how personal information moves from collection through storage, processing, and deletion across all internal systems?
D2 — Q2
Are all internal systems, databases, and applications that store or process California consumer personal information identified, documented, and included in your data map?
D2 — Q3
Does your data map document all instances where personal information is shared with, sold to, or disclosed to third parties, service providers, contractors, and business partners?
D2 — Q4
Have you identified and documented any cross-border transfers of California consumer personal information to systems or processors located outside the United States?
D2 — Q5
Does your organization have a process to assess and document whether any sharing of personal information constitutes a "sale" or "sharing" under CCPA/CPRA, including through advertising technology (cookies, pixels, SDKs)?
D3 — Data Retention & Deletion
Managing how long personal information is kept and how it is securely disposed of
D3 — Q1
Does your organization have a documented data retention schedule that specifies how long each category of personal information is retained, tied to a specific business purpose or legal requirement?
D3 — Q2
Is there an automated or documented manual process to delete or de-identify personal information when it reaches the end of its retention period across all systems, including backups and archives?
D3 — Q3
Can your organization fulfill a consumer's Right to Delete request within 45 days, including instructing service providers and contractors to delete the consumer's personal information from their systems?
D3 — Q4
Are data retention policies applied consistently to personal information held by third-party service providers and contractors, with contractual obligations to delete data upon termination of service?
D3 — Q5
Does your organization have a documented process for securely disposing of physical and digital personal information (e.g., shredding, cryptographic erasure, degaussing) with audit trail evidence?
D4 — Consumer Rights Management
Operationalizing CCPA consumer rights: Know, Delete, Opt-Out, Correct, and Limit
D4 — Q1
Does your organization have a documented, operational process to receive, verify, and respond to consumer Right to Know requests within the 45-day CCPA timeline, with the ability to grant a 45-day extension when necessary?
D4 — Q2
Is there a clear and conspicuous "Do Not Sell or Share My Personal Information" link on your website, and is there a documented opt-out process that stops sale/sharing within 15 business days of the consumer request?
D4 — Q3
Does your organization have a consumer identity verification process for rights requests that is reasonably designed to verify identity without requiring consumers to create an account or provide excessive information?
D4 — Q4
Can your organization fulfill the Right to Correct inaccurate personal information and the CPRA Right to Limit Use of Sensitive Personal Information, with documented processes for both?
D4 — Q5
Does your organization maintain a log or record of all consumer rights requests received, the responses provided, the timelines met, and the outcomes, for at least 24 months?
D5 — Third-Party & Vendor Data Governance
Ensuring service providers, contractors, and partners meet CCPA obligations
D5 — Q1
Does your organization maintain a complete inventory of all third-party service providers, contractors, and business partners that receive, access, or process California consumer personal information on your behalf?
D5 — Q2
Do all contracts with service providers and contractors include CCPA-required provisions prohibiting them from selling or sharing personal information, retaining or using it beyond the stated purpose, or combining it with data from other businesses?
D5 — Q3
Does your organization conduct periodic assessments or audits of third-party service providers to verify they are handling personal information in compliance with CCPA contractual requirements?
D5 — Q4
When onboarding new vendors or tools that will process California consumer PI (e.g., CRM, analytics, marketing platforms), is there a formal privacy review or data protection impact assessment conducted before deployment?
D5 — Q5
Does your Privacy Policy accurately disclose all categories of personal information collected, the purposes of collection, and all categories of third parties with whom PI is shared or sold, updated within the last 12 months?

Next Step · Free Full Privacy Assessment

Data mapping is just the start. Full CCPA compliance covers much more.

Book a free 30-minute discovery call and receive a complete CCPA & SOC 2 Type 1 gap assessment covering all controls — with a prioritized remediation roadmap delivered within 10 business days.

🔍 Full CCPA & SOC 2 gap assessment
📋 Prioritized remediation roadmap
🤝 No obligation · 30 minutes
🤖 AI-powered · Results in 10 days
Founder-led · 25+ years experience · Serving US Startups & SMBs