Going Above and Beyond:  a CCPA Risk Assessment Leads to improved processes for responding to data Subject Requests

The Challenge

clipboard icon


A traditional media company with a steadily growing online and digital marketing presence wanted to ensure it was compliant – across both its print and digital properties – with all aspects of the CCPA, from notice to potential data sales to data protection and breach preparedness.

Because of the political/social climate surrounding news organizations, the Company was concerned with being able to adroitly manage Data Subject Request obligations. Its specific focus centered on building functional processes to verify the identity of individuals and the legitimacy of requests.

The Solution



DPSA developed a custom CCPA Risk Assessment, taking into consideration the client’s industry as well as identified concerns, and examined the Company’s existing privacy operations. Our assessment confirmed that the Company did engage in CCPA-defined “sales” of personal data and also identified the following:

  • Strengths in information security and data protection practices the Company could build on to protect against the CCPA’s Private Right of Action in the event of a breach
  • Opportunities to improve data minimization in order to lessen the volume of data the Company would need to search (and either provide or delete) per Data Subject Request obligations
  • A need for greater transparency in posted Privacy Notices to help individuals understand exactly what information the Company was collecting, why it was being collected, and what was being done with it

DPSA’s customized CCPA Risk Assessment confirmed the Company’s expectations but also identified risk in areas that had not been considered. The assessment uncovered the need for a Data Inventory to generate the dataflow information and tracking that was necessary for DPSA to build a suitably comprehensive set of processes that allow the Company to validate and respond to Data Subject Requests.

The Outcome

Award Ribbon


Well in advance of the CCPA’s go-live date, the Company rolled out a custom technology solution that automates its processes for validating Data Subject Requests, verifying Data Subjects’ identity, and preparing fulsome response to Requests. The DPSA-designed system routes all questionable or complex Requests to a special workflow for increased interrogation and either completion or rejection.

Addressing the urgency of Data Subject Request management, DPSA leveraged privacy technology to build an automated workflow and tracking process for the Company. For “standard” requests, email triggers acknowledge receipt of the request, confirm verification, provide the requested information or confirm deletion, and record the date and time for each step of the process.

DPSA also created a multipoint checklist for instances where verification is more complex and the Company is exposed to greater risk from fraudulent requests. For such requests, the checklist vets an individual’s identity and ensures the legitimacy of the Request—all within the CCPA’s 45-day window.

Critically, DPSA worked with the Company to build sustainable processes that can be uniformly deployed even as US states continue to propose privacy laws with slightly differing requirements.

We offer a broad range of services that can be customized to your needs.

Contact Us Today and we can start you on a path to regulatory compliance.