CCPA Data Mapping Essentials: Guide for Smarter Compliance


In the United States, data privacy laws have not been expansive or comprehensive enough to warrant American companies compiling data maps, especially with how historically difficult it is to do so. In fact, it was the passage of the GDPR in the EU where user rights like data subject requests (DSRs) and clear opt-in consent became tenets companies instituted to stay compliant.
In the years since the GDPR, the U.S. has attempted to play catch-up with its own data privacy regulations, and while the nation is still far away from passing federal legislation, states have taken the initiative on data privacy.
The state leading the charge is California, which passed the California Consumer Privacy Act (CCPA) in 2018. The law was not as strong as its proponents anticipated, which has led to the California Privacy Rights Act, effective as of January 1, 2023.
As Virginia and Utah also have data privacy laws coming into effect this year, this wave of momentum means American companies need to take data privacy more into consideration than ever. With the strength of the amended CCPA alone, companies processing the data of a single Californian need to comply with the law, which will impact privacy programs across the country.
While data mapping for CCPA is not an explicit requirement, just as it is not for GDPR, it has emerged as the best tool for companies looking to comply with a bevy of stricter legislation.
Key Takeaways
- Data mapping isn’t required by CCPA, but it’s essential: While not mandatory, mapping your data is one of the best ways to prepare for California’s evolving privacy laws, especially under the stricter CPRA updates.
- It helps identify what data you collect, where it lives, and who accesses it: Data mapping tracks what personal and sensitive data you gather, how it moves through your systems, and who touches it, which is crucial for staying ahead of breaches and privacy violations.
- Automated tools now make mapping easier and more accurate: Old-school spreadsheets took forever and missed a lot. Tools like MineOS, especially with Email Navigator, can now identify up to 95% of your data sources, including shadow IT.
- It simplifies key compliance tasks like DSRs, consent tracking, and breach response: If you don’t know where your data is, you can’t respond quickly to user requests or breaches. Data mapping fixes that by giving you full visibility.
- CCPA penalties are steeper now, and enforcement is tighter: With no more grace periods and fines up to $7,500 per violation (including employee data), having a data map in place isn’t just smart, it’s a safeguard.
What is Data Mapping?
Data mapping is a compliance-driven process of identifying and recording all user data an organization processes and stores. Data mapping aims to understand the who, what, where, how, and why of data processing, accounting for the collection, use, storage, and sharing of data.
- What data is being collected, processed, and/or stored
- Who in your organization has access to that data
- Where data resides, as in which specific systems and SaaS apps
- How data is being collected
- Why data is being collected
A complete data map, especially when visualized, will show links and systems that demonstrate how data flows in your organization.
Regulated Data under CCPA
The original CCPA legislation defines personal information as:
“Information that identifies, relates to, or could reasonably be linked with you or your household. For example, it could include your name, social security number, email address, records of products purchased, internet browsing history, geolocation data, fingerprints, and inferences from other personal information that could create a profile about your preferences and characteristics.”
However, the CPRA amendments create a new subset of regulated information, referred to as sensitive personal information (SPI), which is policed even more strictly.
SPI includes:
- a consumer’s social security, driver’s license, state identification card, or passport number
- a consumer’s account log-in, financial account, debit card, or credit card number in combination with any required security or access code, password, or credentials allowing access to an account
- a consumer’s precise geolocation
- a consumer’s racial or ethnic origin, religious or philosophical beliefs, or union membership
- the contents of a consumer’s mail, email and text messages, unless the business is the intended recipient of the communication
- a consumer’s genetic data
The CPRA takes this new classification seriously, as a data map must feature a granular categorization of personal information types for regulatory compliance.
Why Data Mapping for CCPA Wasn’t Popular Before
Even though it has only been 5 years since the CCPA was passed, technology has advanced enormously in that time.
Data mapping done before 2022 was typically a manual process documented on spreadsheets. It required whoever was building the map to survey every department within an organization to understand which systems they were using, why they were using them, and what data was there.
The process took months, if not more than a year, and very often produced an end result that was incomplete and outdated, as companies constantly turn over and add to their SaaS usage. Those challenges severely hamstrung the advancement of data compliance, but they were a legitimate reason for the lack of widespread data mapping under CCPA.
Even California lawmakers understand the difficulty of getting oversight over an entire privacy program, as the CPRA amendments have written in a difference in fines and penalties for willful violations versus negligent ones.
New Data Mapping Solutions
With the entry of multiple new players into the data privacy industry, the technological options available to companies of all shapes and sizes are impressive.
Automated data mapping has picked up a ton of steam over the past few years as companies leave behind the days of spreadsheets and compliance questionnaires.
The only problem is, many automated data mapping tools are still not thorough enough to truly kickstart a data privacy program and CCPA compliance.
Most data mapping solutions rely on website or cloud scans or SSO to locate data systems in use. However, website and cloud scans rarely account for more than 10% of total systems, and SSO, while better, typically averages only 30% to 40% coverage. None of these options cover shadow IT or even unused systems, leaving immense risk within an organization for undetectable breaches.
This is where MineOS’ unique solution comes into play. Combined with our one-of-a-kind Email Navigator technology, we let users mix and match how they want to approach data source discovery. Our Email Navigator alone discovers the vast majority of a company’s data systems, and when run with SSO and scans can account for nearly 95% of sources.

Why Data Mapping for CCPA Matters
Even if creating a data map with MineOS’s solution can discover and classify nearly all an organization’s data, data mapping is not a CCPA or CPRA requirement. Why should any organization bother if the strictest data privacy law in the U.S. does not see a data map as a necessity?
Two reasons:
- Data mapping is the future of compliance, and those that adopt it and take advantage of new technology now will have a considerable leg up on the competition when future data regulations do include data maps as a requirement.
- Data mapping for CCPA compliance currently makes a number of regulatory requirements much easier to meet (for the CCPA and GDPR).
Data Mapping for CCPA as the Core of a Privacy Program
Having a proper overview of nearly all the data in your organization enables faster fulfillment of required compliance tasks like:
- Record of business processing activities
Similar to the RoPA requirements in the GDPR, businesses need to be able to produce a comprehensive report on their data processing activities if prompted by California authorities.
- DSR fulfillment
CCPA brought users widespread individual data rights to the U.S., and large companies will often receive hundreds of DSRs a week asking to delete, clarify, or correct personal information. If a company does not know where data sits within its organization, satisfying DSRs becomes a tedious and time-consuming task.
- Data breach notification
CCPA requires companies to notify users in a timely manner if their data has been involved in a data breach. If an organization does not have a thorough data map that accounts for shadow IT, how can they be sure if a data breach occurs, where it happened, and who was affected?
- Maintaining consent management
Another core right the CCPA brought to Americans (Californians specifically, but many Americans based on how business is conducted online) was consent opt-in and opt-out. This essentially boils down to individuals being able to consciously say ‘yes’ or ‘no’ to companies processing, sharing, and storing their data when they use a service. Data mapping for CCPA purposes means consent is easier to track and violations are easier to avoid.
CCPA Increases Compliance Stakes
In addition to the value added through data mapping and the widespread expansion of ways to create a data map more accurately and quickly than ever, the CPRA amendments to the CCPA make compliance more of an organizational building block than any American data regulation.
What do we mean? The original CCPA largely concerned the selling of data, but the CPRA has expanded the scope of the regulations to include the selling and sharing of data. This alone means companies need to be much more careful about how and with whom they share data, and makes it virtually necessary to lay out a geographical map of where data is going. On top of that, the CPRA now also grants employees these rights, meaning yet another layer of data responsibility.
Meanwhile, the original CCPA 30-day grace period to fix violations has been eliminated, meaning organizations must always be vigilant about their compliance, and fines have been hiked across the board, now sitting at $7,500 per affected individual for willful violations or any violation involving a child’s data.
With the newly created CPPA agency to help oversee enforcement, California is taking data privacy as seriously as the EU.
Pro Tip: Operationalize Your Data Map Around Consent and RoPA-Like Evidence
- Design data discovery to support purpose limitation: Tag all collected data with its declared business purpose and legal basis (e.g., opt-in consent, performance of a contract). This allows you to preemptively defend your use under CPRA §1798.100(b) and avoid claims of overcollection.
- Map SPI separately and flag high-risk combinations: Under §1798.121, “Sensitive Personal Information” has stricter opt-out and usage rules. Track it not just as a category, but flag intersections (e.g., SPI + profiling or SPI + advertising). This helps surface use cases requiring CPRA §1798.135 “Limit the Use” disclosures.
- Feed your map into your DSR fulfillment process: A live data map should generate system-to-identity linkage. This is the only scalable way to confidently fulfill CPRA deletion, access, and correction rights, especially across shadow IT.
- Build versioned RoPA-style exports: Even if RoPA isn’t a CCPA term, the CPPA can request proof of your processing activity under §1798.185(a)(15). Versioning data map exports gives you defensible “snapshots” for audits.
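The four practices above, expressed as a small data-map structure. This is an added example, not MineOS code or anything from the original page; the record fields, category and purpose names, and the sample systems are constructed assumptions.

```python
import hashlib
import json
from dataclasses import dataclass

# SPI category names are this example's own labels for items in the page's SPI list.
SPI = {"ssn", "passport_number", "account_credentials", "precise_geolocation",
       "racial_or_ethnic_origin", "message_contents", "genetic_data"}
HIGH_RISK_PURPOSES = {"advertising", "profiling"}  # intersections worth flagging

@dataclass(frozen=True)
class DataSource:
    system: str
    categories: frozenset   # personal-information categories held
    purpose: str            # declared business purpose
    legal_basis: str        # e.g. opt-in consent, performance of a contract
    subjects: frozenset     # identifiers linked to this system (for DSRs)

# Constructed sample map, including one undocumented "shadow IT" system.
DATA_MAP = [
    DataSource("crm", frozenset({"name", "email"}), "contract_fulfilment",
               "performance_of_contract", frozenset({"alice@example.com", "bob@example.com"})),
    DataSource("ad_platform", frozenset({"email", "precise_geolocation"}), "advertising",
               "opt_in_consent", frozenset({"alice@example.com"})),
    DataSource("legacy_survey_tool", frozenset({"email", "racial_or_ethnic_origin"}),
               "", "", frozenset({"bob@example.com"})),
]

def untagged(sources):
    """Systems with no declared purpose or legal basis (purpose-limitation gap)."""
    return sorted(s.system for s in sources if not (s.purpose and s.legal_basis))

def spi_flags(sources):
    """(system, SPI categories, purpose) wherever SPI meets a high-risk purpose."""
    return [(s.system, sorted(s.categories & SPI), s.purpose) for s in sources
            if s.categories & SPI and s.purpose in HIGH_RISK_PURPOSES]

def dsr_targets(sources, identifier):
    """Every system a deletion, access or correction request must reach."""
    return sorted(s.system for s in sources if identifier in s.subjects)

def versioned_export(sources, version):
    """Order-independent snapshot with a digest; identifiers are reduced to a count."""
    records = sorted(({"system": s.system, "categories": sorted(s.categories),
                       "purpose": s.purpose, "legal_basis": s.legal_basis,
                       "subject_count": len(s.subjects)} for s in sources),
                     key=lambda r: r["system"])
    digest = hashlib.sha256(json.dumps(records, sort_keys=True).encode()).hexdigest()
    return {"version": version, "sha256": digest, "records": records}
```

Storing the digest alongside each export lets a later reviewer confirm that a snapshot presented in an audit is the one that was generated at the time.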
Getting Your Data Mapping for CCPA Going
When considering the overall value proposition of data mapping, the fact that data mapping solutions are more readily available and accurate than ever, and the CPRA amendments that make the CCPA stricter, companies that don’t look into creating a data map are gambling with their organization’s brand and reputation.
Both evolving compliance requirements and the benefits data mapping brings make it an easy bet to make on the future, while also improving a company’s current privacy program.
If you want to get your data mapping for CCPA in place before the CPRA becomes enforceable on July 1, 2023, check out how MineOS surpasses other data mapping automations to truly bring you full coverage with a demo and free PoC.