US Regulations & Programs

IAM Maturity Assessment for CCPA/CPRA

The California Consumer Privacy Act, as amended by the CPRA, grants California consumers rights over their personal information and expects businesses to maintain reasonable security procedures. For identity programs it mainly shapes customer registration, consent and preference handling, and identity verification for consumer requests.

Maturity threshold
2.0 / 4.0
Mapped questions
3
IAM domains
1
Assessment scope
CIAM
Identity Expectations

What CCPA/CPRA Expects from Identity Programs

The identity-relevant themes below reflect the AXIS capabilities mapped to CCPA/CPRA citations in the question bank. They paraphrase where identity fits, not the legal text itself.

  • Consent, notice, and opt-out handling across the customer identity lifecycle
  • Customer registration designed around purpose limitation and data minimization
  • Identity proofing and verification that supports consumer rights requests
Question Mapping

AXIS Questions Mapped to CCPA/CPRA

3 of the 37 questions in the AXIS bank carry CCPA/CPRA citations, including 2 domino controls (foundational capabilities that cap the overall score when weak).

AXIS assessment questions mapped to CCPA/CPRA, with domain, capability, and framework references
QuestionDomainCapabilityCCPA/CPRA references
CIAM-01
Domino
CIAMRegistration & OnboardingCCPA
CIAM-02
Domino
CIAMConsent & Privacy ManagementCCPA/CPRA (Notice & choice); CPRA (purpose limitation); CCPA/CPRA (opt-out enforcement)
CIAM-05CIAMCustomer Onboarding, Identity Proofing & KYCCCPA
Scoring Model

How AXIS Scores CCPA/CPRA Alignment

A threshold model: each mapped control either meets the CCPA/CPRA maturity bar or it does not, and the alignment percentage is the share that does.

Threshold: 2.0 of 4.0

Each framework in AXIS carries a research-derived maturity threshold (Methodology Section 7.2). For CCPA/CPRA, a mapped control counts as passing when its answered maturity level reaches 2.0: documented and repeatable. The alignment percentage is the share of mapped controls at or above that bar.

Citations live on individual answer options, so the exact set of controls counted for CCPA/CPRA in a given assessment reflects the answers selected. The table above lists every question whose answer options carry CCPA/CPRA citations.

80%+

Aligned

60-79%

At Risk

<60%

Non-Compliant

Scope and Industry Awareness

CCPA/CPRA is scored in the customer identity (CIAM) and full assessment scopes, where its mapped controls are assessed.

It is shown when the assessed organization operates in: Retail, Technology/SaaS. Other industries see only the frameworks relevant to them.

Indicative Alignment, Not Certification

This page describes how the AXIS assessment maps its question bank to California Consumer Privacy Act (CCPA/CPRA). Alignment scores are indicative: they are not a certification, an audit opinion, or legal advice. Whether and how CCPA/CPRA applies depends on your organization, sector, and jurisdiction; consult qualified counsel or auditors for formal compliance determinations.

See Where You Stand Against CCPA/CPRA

Run the AXIS assessment and get your maturity score, CCPA/CPRA alignment, and a prioritized roadmap in one pass. No signup required to start.