CCPA Compliance Checklist: 12 Steps Every Business Must Take
California privacy law applies to you even if you're not based in California. Here's the complete compliance checklist.
The California Consumer Privacy Act (CCPA) — enhanced by the California Privacy Rights Act (CPRA) in 2023 — is one of the most comprehensive privacy laws in the United States. And unlike GDPR, it has specific financial thresholds that many businesses assume exempt them.
But here's the thing: if you serve California residents and handle their data, there's a good chance CCPA applies to you. California has 40 million residents — that's 12% of the US population. Most online businesses serve California residents.
Penalties: $2,500 per unintentional violation, $7,500 per intentional violation. With data on thousands of California residents, the exposure is enormous.
The 12-Step CCPA Compliance Checklist
1. Determine whether CCPA applies to you
CCPA applies to for-profit businesses that: (a) have annual gross revenue over $25 million, OR (b) buy, sell, receive, or share the personal information of 100,000 or more consumers or households annually, OR (c) derive 50% or more of annual revenue from selling personal information.
2. Map your data
Create a data map documenting every category of personal information you collect, where it comes from, how it is used, and who it is shared with. This is the foundation for CCPA compliance.
3. Update your Privacy Policy
Your Privacy Policy must disclose: the categories of data collected, the purposes for collection, the categories of third parties the data is shared with, consumer rights under CCPA, and how to exercise those rights.
4. Add a "Do Not Sell or Share My Personal Information" link
If you sell personal information (including sharing it with advertising networks), you must add a "Do Not Sell or Share My Personal Information" link to your homepage and Privacy Policy.
5. Build a process for consumer rights requests
You must respond to requests to know, delete, and opt out within 45 days. Set up a designated email address (for example, privacy@yourcompany.com) and a web form for submitting requests.
6. Verify identity before fulfilling requests
Before disclosing or deleting personal information, you must verify the requestor's identity. For online requests, match at least 2 data points against your records.
7. Train your team
All staff who handle consumer inquiries must be trained on CCPA rights and on how to route requests to your privacy team.
8. Update contracts with service providers
Contracts with third-party service providers must include the CCPA-required terms confirming that they will not sell personal information or use it beyond the contracted purpose.
9. Implement a non-discrimination policy
You cannot deny services, charge different prices, or provide a different level of quality to consumers who exercise their CCPA rights.
10. Handle minors' data carefully
For consumers under 16, you must obtain opt-in consent before selling their personal information; for consumers under 13, the opt-in must come from a parent or guardian.
11. Prepare for CPRA (CCPA 2.0)
The California Privacy Rights Act (CPRA) expanded CCPA in 2023. It added a right to correct data, expanded protections for sensitive personal information, and created the California Privacy Protection Agency (CPPA).
12. Conduct annual reviews
CCPA compliance is not a one-time task. Review and update your practices annually, update your Privacy Policy to reflect any changes in data practices, and stay current on CPPA guidance.
Consumer Rights You Must Honor