The California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA) establish comprehensive privacy obligations for businesses collecting personal information from California residents. This checklist provides legal and compliance teams with concrete, verifiable actions required under the CCPA/CPRA framework. Each item references specific regulatory sections to facilitate audit trails, documentation, and regulatory alignment. Organizations should verify completion of each item and maintain evidence of compliance efforts.
CCPA Compliance Checklist for California Businesses
- Publish Privacy Policy. Develop and post a comprehensive privacy policy on your homepage and mobile app that discloses collection, use, and sharing practices. (CCPA § 1798.100(b); CPRA § 1798.130)
- Implement Do Not Sell/Share My Personal Information Link. Display a clear, conspicuous link on the homepage enabling consumers to opt out of personal information sales and sharing. (CCPA § 1798.120(b); CPRA § 1798.120(d))
- Create Consumer Rights Request Portal. Establish a mechanism allowing consumers to submit verifiable requests for access, deletion, and correction of personal information. Document all requests and responses with timestamps. (CCPA § 1798.100; CPRA § 1798.100)
- Verify Consumer Identity. Implement a documented identity verification process for all consumer rights requests that is reasonably designed to confirm requestor identity or authority. (CCPA § 1798.100(d); CPRA § 1798.100(d))
- Respond to Access Requests Within 45 Days. Establish a process to provide requested personal information in a portable, machine-readable format within 45 days of a verified consumer request. (CCPA § 1798.100(a); CPRA § 1798.100(b))
- Respond to Deletion Requests Within 45 Days. Create documented procedures to delete consumer personal information upon verified request, except where legally required to retain data. (CCPA § 1798.105; CPRA § 1798.105)
- Respond to Correction Requests Within 45 Days. Implement processes to correct inaccurate personal information and notify service providers of corrections. (CPRA § 1798.100(d))
- Honor Opt-Out Preferences. Establish technical controls to immediately cease selling or sharing personal information upon a valid consumer opt-out request. Maintain audit logs of opt-out implementation. (CCPA § 1798.120; CPRA § 1798.120)
- Disclose Data Categories Collected. Document and disclose all specific categories of personal information collected from consumers in the past 12 months. (CCPA § 1798.100(a)(1); CPRA § 1798.100(a)(1))
- Disclose Collection Purposes. Clearly identify all purposes for which personal information is collected and used. Update privacy policy with any new purposes before collection. (CCPA § 1798.100(a)(2); CPRA § 1798.100(a)(2))
- Create Service Provider Contracts. Execute written contracts with all service providers requiring them to limit use of personal information to specified business purposes and implement reasonable security measures. (CCPA § 1798.100(d)(2); CPRA § 1798.100(w))
- Audit Service Provider Compliance. Document periodic audits or certifications ensuring service providers comply with contractual privacy obligations and CCPA/CPRA requirements. (CCPA § 1798.100(d)(2); CPRA § 1798.100(w))
- Implement Data Security Program. Establish and document a comprehensive information security program protecting personal information from unauthorized access, disclosure, and use. (CCPA § 1798.100(d)(2); CPRA § 1798.100)
- Track Sale and Sharing Activities. Maintain detailed records of all personal information sales or sharing activities, including third-party recipients and data categories. (CCPA § 1798.120; CPRA § 1798.120)
- Establish Opt-In for Minors. For consumers under 18 years old, implement affirmative opt-in for personal information sales or sharing, and parental consent for those under 13. (CCPA § 1798.120(c); CPRA § 1798.120(c))
- Create Consumer Rights Denial Process. Document procedures to deny consumer requests when legally permitted, provide written explanations of denial reasons, and inform consumers of appeal rights. (CCPA § 1798.106; CPRA § 1798.106)
- Limit Collection and Use of Sensitive Personal Information. Implement controls restricting collection and use of sensitive personal information (health, SSN, biometrics, etc.) to necessary business purposes only. (CPRA § 1798.121)
- Provide Data Sharing Disclosures. Disclose all third parties with whom personal information is shared and the categories of information shared. Update disclosures when sharing practices change. (CCPA § 1798.100(a)(3); CPRA § 1798.100(a)(3))
- Document Financial Incentives Programs. Maintain detailed records of all financial incentive or loyalty programs involving personal information, including opt-in terms and data usage. (CCPA § 1798.125; CPRA § 1798.125)
- Conduct Privacy Impact Assessments. Perform and document Privacy Impact Assessments before implementing new processes involving large-scale personal information processing. (CPRA § 1798.100(d)(3))