CCPA Compliance Checklist for Businesses (2026)

Meeting the requirements of the California Consumer Privacy Act (CCPA) involves more than updating a privacy policy. Businesses that meet the law's applicability thresholds must build operational processes for handling consumer requests, managing vendor relationships, and documenting data practices. The CPRA amendments (effective January 1, 2023) and 2026 regulatory updates added further requirements around sensitive personal information, risk assessments, and cybersecurity audits.
This checklist walks through each compliance obligation in practical terms, organized by implementation priority. Whether you are starting from scratch or auditing an existing program, each step maps directly to a specific CCPA provision.
Step 1: Determine Whether the CCPA Applies to Your Business
Before investing in compliance infrastructure, confirm that your business meets at least one of the CCPA's applicability thresholds. As of the 2025 CPI adjustment:
- Revenue threshold: Gross annual revenue exceeds $26.625 million in the preceding calendar year
- Data volume threshold: Buys, sells, or shares personal information of 100,000 or more California residents or households
- Data revenue threshold: Derives 50% or more of annual revenue from selling or sharing California residents' personal information
The CCPA applies to for-profit businesses only. Nonprofits and government agencies are generally exempt. The business must also collect personal information from California residents (or have others collect it on the business's behalf) and determine the purposes and means of processing that information.
If your business does not meet any threshold today, monitor growth. Crossing a threshold mid-year triggers compliance obligations.

Step 2: Map Your Data
Data mapping is the foundation of every other compliance step. You cannot fulfill consumer requests, write an accurate privacy policy, or conduct risk assessments without knowing what data you collect, where it goes, and how long you keep it.
What to Document
For each category of personal information your business collects:
- Source: Where the data comes from (directly from consumers, third parties, automated collection)
- Categories collected: Identifiers, commercial information, internet activity, geolocation, biometric data, sensitive personal information, etc.
- Purpose: The business or commercial reason for collecting and processing this data
- Recipients: Service providers, contractors, and third parties who receive the data
- Retention period: How long you keep the data before deletion
- Sale or sharing: Whether the data is sold or shared for cross-context behavioral advertising
Sensitive Personal Information
Flag any categories that qualify as sensitive personal information under the CPRA: government identifiers, financial credentials, precise geolocation, racial or ethnic origin, religious beliefs, genetic data, biometric data, health data, sexual orientation data, private communications content, and neural data.
Sensitive PI triggers additional obligations, including the consumer's right to limit its use and potential risk assessment requirements.

Step 3: Update Your Privacy Policy
The CCPA requires covered businesses to maintain a privacy policy that is updated at least every 12 months. The policy must disclose specific information in clear, understandable language.
Required Privacy Policy Disclosures
Your privacy policy must include:
- Categories of personal information collected in the preceding 12 months
- Categories of sources from which personal information is collected
- Business or commercial purposes for collecting, selling, or sharing personal information
- Categories of third parties to whom personal information is disclosed
- Categories of personal information sold or shared in the preceding 12 months (or a statement that the business has not sold or shared personal information)
- Categories of personal information disclosed for a business purpose in the preceding 12 months
- Retention periods for each category of personal information (added by CPRA)
- A description of each consumer right and instructions on how to submit requests
- Methods for submitting requests: At minimum, a toll-free phone number and a website address (for businesses operating online, an email address and web form)
- Date of last update
Sensitive Personal Information Disclosure
If your business collects sensitive personal information, the privacy policy must separately identify those categories and explain how the business uses and discloses them.
Accessibility
The privacy policy must be available in the languages in which the business provides contracts, disclaimers, sale announcements, and other information to California consumers. It must also be accessible to consumers with disabilities.
Step 4: Implement Required Website Links
Depending on your data practices, the CCPA requires specific links on your website homepage.
"Do Not Sell or Share My Personal Information"
If your business sells or shares personal information, you must post a clear, conspicuous link titled "Do Not Sell or Share My Personal Information" on your homepage. This link must lead to a page where consumers can submit an opt-out request without creating an account or providing unnecessary personal information.
"Limit the Use of My Sensitive Personal Information"
If your business uses or discloses sensitive personal information beyond what is necessary to provide the goods or services the consumer requested, you must also post a "Limit the Use of My Sensitive Personal Information" link.
Combined Link Option
Businesses that honor opt-out preference signals (such as Global Privacy Control) may use a single combined link (e.g., "Your Privacy Choices") instead of separate links, provided they offer a frictionless experience for consumers who use those signals.
Step 5: Build a Consumer Request Handling Process
The CCPA grants consumers several rights that require businesses to have operational processes in place. Building these processes before requests arrive prevents scrambling and missed deadlines.
Request Types to Handle
| Request Type | Description | Response Deadline |
|---|---|---|
| Right to Know | Consumer asks what personal information you have collected, sold, or shared | 45 days (extendable to 90) |
| Right to Delete | Consumer asks you to delete their personal information | 45 days (extendable to 90) |
| Right to Correct | Consumer asks you to fix inaccurate personal information | 45 days (extendable to 90) |
| Right to Opt Out | Consumer directs you to stop selling or sharing their data | Act on request within 15 business days |
| Right to Limit Sensitive PI | Consumer directs you to limit use of sensitive personal information | Act on request within 15 business days |
Intake Channels
Provide at least two methods for consumers to submit requests. For businesses operating primarily online, the CPPA regulations require:
- An interactive web form
- An email address, toll-free number, or mail address
Opt-out requests must be submittable without requiring the consumer to create an account.
Verification Process
Before fulfilling a request to know, delete, or correct personal information, you must verify the requester's identity. The level of verification should match the sensitivity of the information involved:
- For access to categories of data: Match at least two data points the consumer provides against information you already maintain
- For access to specific pieces of data: Match at least three data points and obtain a signed declaration under penalty of perjury
- For deletion requests: Match at least two data points
You cannot ask for more personal information than necessary for verification. Any information collected for verification purposes can only be used for that purpose.
Response Timeline
- Acknowledge receipt within 10 business days, informing the consumer of the verification process
- Complete the request within 45 calendar days of receipt
- If more time is needed, notify the consumer of the extension and the reason before the 45-day deadline expires
- Maximum response period: 90 calendar days from receipt
If you deny a request (in whole or in part), explain the reason and inform the consumer of their right to submit a complaint.
Step 6: Honor Opt-Out Preference Signals
Businesses must detect and honor opt-out preference signals sent by consumers' browsers or devices. The most common signal is Global Privacy Control (GPC).
Technical Implementation
- Configure your website to detect the GPC signal (the `Sec-GPC: 1` HTTP header)
- When detected, treat the signal as a valid request to opt out of sale and sharing
- Do not display a pop-up asking the consumer to confirm the signal
- Do not require the consumer to take any additional steps
The Attorney General's settlement with Sephora in 2022 established that failure to honor GPC signals constitutes a CCPA violation. The 2025 joint investigative sweep by California, Colorado, and Connecticut further signals that enforcement around opt-out preference signals is a priority.
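The following is an added example of the server-side detection step described above; it is not code from the original article. The header name and its only valid value (`Sec-GPC: 1`) come from the GPC specification; the preference-record shape, the `optOutSource` field and the Express-style middleware wiring are constructed for illustration.

```javascript
// Added example: handling the Global Privacy Control (GPC) opt-out signal on the
// server. Header name/value per the GPC spec; record shapes are constructed here.

// Returns true only when the request carries a well-formed GPC signal.
// The spec defines exactly one opt-out value, the single character "1";
// "true", "0", "" or a missing header are not a signal.
function hasGpcSignal(headers) {
  // Node lower-cases incoming header names; normalize so the check also
  // works on hand-built header objects in tests.
  const lowered = {};
  for (const [name, value] of Object.entries(headers || {})) {
    lowered[name.toLowerCase()] = value;
  }
  const value = lowered['sec-gpc'];
  const raw = Array.isArray(value) ? value[0] : value;
  return typeof raw === 'string' && raw.trim() === '1';
}

// Applies the signal to the consumer's stored preference record. The signal
// is itself the opt-out request, so this is a pure state transition with an
// audit timestamp: no confirmation prompt and no extra steps. Absence of the
// signal on a later request never clears an existing opt-out (it is not a
// re-opt-in).
function applyOptOutPreference(prefs, headers, now = new Date()) {
  const next = { ...prefs };
  if (hasGpcSignal(headers)) {
    next.sellOrShareOptOut = true;
    next.optOutSource = 'gpc';           // constructed field: provenance for audit
    next.optOutAt = now.toISOString();
  }
  return next;
}

// Gate used before loading any third-party or ad-tech tag for this request.
function mayShareWithThirdParties(prefs) {
  return prefs.sellOrShareOptOut !== true;
}

// Express-style middleware (hypothetical wiring) that records the signal before
// downstream handlers decide whether to emit sale/share tags.
function gpcMiddleware(req, res, next) {
  const current = req.privacyPrefs || { sellOrShareOptOut: false };
  req.privacyPrefs = applyOptOutPreference(current, req.headers);
  // Caches must not serve a tag-laden page to a GPC user or vice versa.
  res.setHeader('Vary', 'Sec-GPC');
  next();
}
```

Downstream templates should consult `mayShareWithThirdParties(req.privacyPrefs)` before rendering any tag that would sell or share personal information.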
Step 7: Review and Update Vendor Contracts
The CCPA requires specific contractual terms with every entity that processes personal information on your behalf.
Service Provider Agreements
Contracts with service providers must:
- Identify the specific business purposes for which the service provider processes personal information
- Prohibit the service provider from selling or sharing the personal information
- Prohibit use of the data for any purpose other than the contracted business purposes
- Require the service provider to notify you if it can no longer meet its CCPA obligations
- Require cooperation with consumer rights requests (deletion, access, correction)
- Include data retention and deletion requirements
Contractor Agreements
Contracts with contractors must include the same provisions as service provider agreements, plus:
- A certification that the contractor understands the CCPA restrictions and will comply with them
- A grant of rights to the business to take reasonable steps to ensure the contractor uses personal information in a manner consistent with the business's CCPA obligations
Third-Party Disclosures
If you sell or share personal information with third parties, your agreements must specify the purposes for which the third party can use the information and require the third party to comply with the CCPA.
Step 8: Implement Employee Training
Individuals responsible for handling consumer inquiries about your privacy practices must be trained on CCPA requirements. The California Attorney General's CCPA page specifies that this training should cover:
- How to direct consumers to exercise their rights
- How to process and respond to each type of consumer request
- Verification procedures
- Timelines and documentation requirements
- How to escalate unusual or complex requests
Document your training program, including who was trained, when, and on what topics. This documentation can serve as evidence of good-faith compliance in the event of an investigation.
Step 9: Conduct Risk Assessments (2026 Requirement)
Under regulations finalized in September 2025, businesses must conduct risk assessments for processing activities that present significant risk to consumer privacy.
When Risk Assessments Are Required
- Selling or sharing personal information
- Processing sensitive personal information
- Using automated decisionmaking technology (ADMT) for significant decisions
- Processing personal information of children or consumers known to be under 16
- Processing personal information in ways that present a significant risk to consumer privacy or security
What a Risk Assessment Must Include
Each risk assessment must:
- Identify the processing activity and the personal information involved
- Describe the purposes and benefits of the processing
- Identify the potential risks to consumers' privacy
- Weigh benefits against risks
- Document safeguards the business has implemented to mitigate identified risks
Businesses must submit to the CPPA an attestation that they completed all required risk assessments and a summary of their findings by April 1, 2028.
Step 10: Conduct Cybersecurity Audits (2026 Requirement)
The same 2026 regulatory package requires certain businesses to conduct annual cybersecurity audits.
Who Must Conduct Audits
Businesses whose processing of personal information presents "significant risk to consumers' security" must conduct annual cybersecurity audits. The threshold considers factors such as the volume and sensitivity of data processed and the business's history of security incidents.
Audit Scope
The cybersecurity audit must assess whether the business's security practices are appropriate given the nature, scope, and purpose of data processing. The audit should evaluate:
- Safeguards against unauthorized access, destruction, use, modification, or disclosure
- Process for identifying and addressing vulnerabilities
- Incident response capabilities
- Employee security training and awareness
- Physical and technical access controls
Businesses must submit an attestation to the CPPA confirming completion of the audit and summarizing findings.
Step 11: Establish Ongoing Monitoring
CCPA compliance is not a one-time project. Build processes for ongoing monitoring and updates.
Annual Tasks
- Update privacy policy at least every 12 months
- Review data mapping for new categories of collection, new vendors, or changed purposes
- Audit vendor contracts for CCPA-required provisions
- Conduct cybersecurity audit (if applicable under 2026 regulations)
- Complete risk assessments for new high-risk processing activities
- Refresh employee training annually
Triggered Updates
- When crossing a new applicability threshold
- When adding a new category of personal information collection
- When engaging a new service provider, contractor, or third party
- When receiving a CPPA enforcement advisory or inquiry
- When a relevant regulation is amended
Common Compliance Mistakes
Based on enforcement actions and CPPA advisories, the most frequent compliance failures include:
- Failing to honor GPC signals: The Sephora settlement established that ignoring browser-level opt-out signals violates the CCPA
- Incomplete opt-out mechanisms: The Disney settlement revealed that some opt-out processes did not fully stop data sale and sharing
- Selling data without disclosure: Businesses that share data with advertising partners often fail to recognize and disclose these transfers as "sales" or "sharing"
- Missing or buried homepage links: The "Do Not Sell or Share" link must be clear and conspicuous, not hidden in a footer menu
- Inadequate request verification: Requesting too much or too little information to verify consumer identity
- Stale privacy policies: Failing to update the privacy policy annually or after material changes
Related California Privacy Resources
- What Is CCPA? (comprehensive CCPA overview)
- CCPA vs CPRA: Key Differences Explained
- [California Data Privacy Laws](/us-laws/data-privacy-laws/california-data-privacy-laws) (parent hub)
- CCPA Opt-Out Rights
- California Biometric Privacy Laws
- California Data Breach Notification Laws
This article provides general legal information, not legal advice. CCPA regulations continue to evolve, and requirements may change. Consult an attorney for advice specific to your situation.
Sources and References
- CCPA Overview (California Attorney General), oag.ca.gov
- CPPA Regulations Portal, cppa.ca.gov
- CPPA FAQ, cppa.ca.gov
- CPI-Adjusted Monetary Thresholds, cppa.ca.gov
- CCPA Updates: Cybersecurity Audits, Risk Assessments, ADMT Regulations, cppa.ca.gov
- CPPA Finalizes Privacy Regulations (Sept 2025), cppa.ca.gov
- CPPA Consumer Privacy Act Regulations, cppa.ca.gov
- Global Privacy Control (GPC), oag.ca.gov
- AG Sephora Settlement ($1.2M), oag.ca.gov
- CCPA Enforcement Case Examples, oag.ca.gov
- Joint Investigative Sweep: CA, CO, CT, cppa.ca.gov
- AG Disney Settlement ($2.75M), oag.ca.gov
- CCPA Full Text (Cal. Civ. Code 1798.100-1798.199.100), leginfo.legislature.ca.gov