The California Consumer Privacy Act (CCPA) is the first privacy law of its kind to pass in the United States – transforming the way organizations must think about and structure their privacy program. With the January 1, 2020 effective date looming, many organizations are laying the ground work for compliance now, but it can be challenging and overwhelming to know where to begin. One of the first things to consider is who from your organization should be part of your internal CCPA team.

Not unlike most privacy regulations, the CCPA impacts the entire organization. Any group within the company that collects or uses personal data will need to be a privacy champion – ensuring they’re safely and responsibly handling the personal data they interact with. While the CCPA will most likely impact the entire organization, there are a few key departments that will most likely lead the way for CCPA compliance.

What departments should be a part of your internal CCPA team?

Privacy. This will of course be the number one department to manage compliance with CCPA and privacy regulations in general, but not all companies have a dedicated privacy department, especially smaller organizations. Under the CCPA, organizations’ privacy policies must inform consumers about how data is being used and shared. Additionally, policies must contain information about the categories of personal information being collected, whether personal information is sold to third parties, and more. If you do have a privacy team they will most likely be involved by managing updates to online privacy policies, managing consumer rights internally, and overseeing general privacy compliance within your organization.

Legal. In addition to your privacy team, your general counsel or legal team will most likely take the lead with CCPA compliance. Legal is able to understand the requirements and how they will impact your organization specifically. Regardless of the extent of its participation in managing the overall CCPA program for the company, the legal team should be involved to make any necessary adjustments to the contract templates used by the organization, as well as assessing any potential CCPA associated risk.

Compliance and Risk. Compliance and risk departments are typically found in larger organizations and are likely to draft internal policies for the organization that reflect the organization’s CCPA obligations and how to implement them with defined responsibilities.

IT and Security. In some organizations, the IT or security team may in fact be the one taking the lead for privacy and security compliance. This team knows the assets and systems used internally, will be involved with data mapping exercises (although not required under the CCPA, data mapping is a necessary exercise to be able to comply with consumer rights requests (DSAR)), and will be involved in management of incidents.

Though one, or a combination, of these departments will most likely take the lead with managing CCPA compliance for your organization, there are other departments who will be impacted by the CCPA and the new rights it offers consumers.

HR. Employees may also fall under the CCPA definition of consumer. This means their personal information would subject to the regulation. Your HR team will need to be involved in making sure that all employee data handled meets compliance and will also need to ensure that any third-party vendors processing employee data are also CCPA compliant and able to meet the necessary requirements.

Support and Customer Service. Under the CCPA, businesses are required to respond to “verifiable consumer requests”. If your organization has a support or customer service team they will likely be receiving some (DSAR/SAR) and will need to be involved in the consumer rights requests internal process, including who to send the request to internally, how to process the request, steps to validate the consumer’s identity, etc.

Sales and Marketing. Sales and marketing will also be involved, especially for organizations that are in the business of selling personal information. Personal information under the CCPA is broadly defined and includes internet or other electronic network activity information, unique identifiers (which include cookies), and information regarding a consumer’s interaction with a website, application, or advertisement. This means that businesses, when responding to requests for information and deletion, will also need to know which cookies and other tracking technologies are associated with a particular person.

How OneTrust Helps with CCPA Compliance

Regardless of the maturity of your privacy program, it’s never too soon to start planning for your CCPA readiness. OneTrust for CCPA is a full set of scalable solutions and services specifically designed to support CCPA and global privacy program requirements.

For additional information, or to request a live OneTrust Privacy Management Software demo, visit or email [email protected].

Further CCPA Resources:

Check out our CCPA blog series: