CCPA/CPRA Compliance Checklist: Complete Guide for Businesses in 2026

Assess whether your business meets the applicability thresholds: annual gross revenue over $25 million, buying/selling/sharing personal information of 100,000+ consumers or households, or deriving 50%+ of revenue from selling or sharing personal information.

Map all personal information your business collects, including categories, sources, purposes, third parties it is shared with, and retention periods. This data map is the foundation of your entire compliance program.

Determine whether your business sells or shares personal information as defined by CCPA/CPRA. Note that "sharing" includes cross-context behavioral advertising, even without monetary exchange.

Review all vendor relationships to classify third parties as service providers, contractors, or third parties under CCPA/CPRA definitions. Each category has different contractual and compliance requirements.

Compare your existing privacy program against CCPA/CPRA requirements, paying special attention to new CPRA requirements for sensitive personal information, data minimization, and purpose limitation.

Identify whether you collect or process sensitive personal information (SSN, financial accounts, precise geolocation, race/ethnicity, health data, etc.) which triggers additional CPRA requirements including a separate right to limit use.

Revise your privacy policy to include all CCPA/CPRA-required disclosures: categories of personal information collected, purposes, consumer rights, retention periods, and whether you sell or share data. Update at least annually.

Add a clear and conspicuous link on your homepage allowing consumers to opt out of the sale or sharing of their personal information. Implement the Global Privacy Control signal as an additional opt-out mechanism.

Create systems to receive and fulfill consumer requests for access, deletion, correction, portability, and opt-out. Provide at least two request methods (toll-free number and web form) and respond within 45 days.

Establish reasonable methods for verifying consumer identity before fulfilling access, deletion, or correction requests. Verification standards should be proportional to the sensitivity of the data requested.

If you collect sensitive personal information, provide a "Limit the Use of My Sensitive Personal Information" link and processes to restrict use to purposes authorized by CPRA.

Update contracts with service providers and contractors to include CCPA/CPRA-required provisions such as limitations on data use, return or deletion obligations, and compliance certifications.

Define and enforce retention periods for each category of personal information. CPRA requires that retention be limited to what is reasonably necessary for the disclosed purpose.

Ensure technical and organizational security measures are in place proportional to the sensitivity of personal information. CCPA provides a private right of action for breaches resulting from failure to maintain reasonable security.

Review collection practices to ensure you only collect personal information reasonably necessary and proportionate to the disclosed purposes. Eliminate unnecessary data collection points.

Provide training to all employees who handle consumer inquiries or personal information on CCPA/CPRA requirements, consumer rights, and your internal procedures. Focus especially on customer-facing and data-handling staff.

Submit test requests through all intake channels (web, phone, email) to verify that processes work correctly, identity verification is adequate, and responses are delivered within the 45-day timeline.

Test the "Do Not Sell or Share" link and Global Privacy Control integration to ensure opt-out requests are properly recorded and propagated to all data sharing partners.

Review service provider and contractor agreements for CCPA/CPRA compliance. Verify that data flows match contractual provisions and that vendors are not using personal information beyond permitted purposes.

Verify that your privacy policy accurately reflects current data collection, use, sharing, and retention practices. Ensure all CCPA/CPRA-required disclosures are present and up to date.

Test that deletion requests result in actual data removal (or anonymization) across all systems, backups, and service providers within required timelines. Document any exceptions and legal bases for retention.

Review and update your privacy policy at least once per year to reflect changes in data practices, new categories of information collected, and any changes in how you sell, share, or process personal information.

Maintain records of all consumer rights requests received, fulfilled, denied, and response times. CPRA requires publishing annual metrics on requests received and median response times.

Stay current with California Privacy Protection Agency rulemaking, enforcement actions, and guidance that may affect your compliance program. CPRA established this new agency with expanded enforcement powers.

Update your data inventory whenever new data collection activities, systems, or vendor relationships are introduced. Conduct a full review at least annually to ensure accuracy and completeness.

CPRA requires businesses to conduct regular cybersecurity audits and risk assessments for high-risk processing activities. Establish a framework for these assessments as regulations are finalized.