CCPA COMPLIANCE CHECKLIST


A practical CCPA / CPRA compliance checklist covering personal-information inventory, privacy notice, consumer rights request workflow, vendor agreements, and staff training - the operational backbone for California consumer privacy obligations.

Who must comply with CCPA / CPRA


Businesses that do business in California and meet at least one CCPA threshold: $26,625,000+ in annual revenue (CPPA-adjusted as of 1 January 2025), 100,000+ California consumers / households, or 50%+ of revenue from selling personal information.

Jurisdiction: Businesses subject to California consumer privacy law. Full name: California Consumer Privacy Act, as amended by the CPRA.

CCPA / CPRA Checklist


The high-level cycle. Each item below is the visible head of a fuller process - open it in the editor to flesh out the steps, owners, and decisions your team actually runs.

The PDF includes real fillable form fields - tick each checkbox in your PDF reader and fill in organisation name, owner, and dates. The DOCX is fully editable in Word, Google Docs, or any compatible editor.

  1. Confirm CCPA applicability and document the basis (revenue threshold - $26.625M+ as of 1 Jan 2025, consumer count of 100K+, or 50%+ revenue from sale of PI).
  2. Inventory the personal information you collect, the sources, the purposes, and disclosures.
  3. Publish a CCPA-compliant privacy notice covering all required disclosures (CCPA § 1798.100).
  4. Stand up a "Do Not Sell or Share My Personal Information" link and signal-honouring mechanism.
  5. Build the consumer rights request workflow - Know, Delete, Correct, Opt-Out, Limit Use of SPI.
  6. Implement identity verification proportionate to the request type and the data sensitivity.
  7. Update vendor agreements with service-provider / contractor / third-party terms.
  8. Train staff on intake, verification, and the 45-day response window (extendable by 45 days).
  9. Log all consumer requests, response times, and outcomes for the metrics report.
  10. Annual review and update for legislative or regulatory changes.

FILLABLE PDF PREVIEW

CCPA / CPRA compliance checklist

California Consumer Privacy Act, as amended by the CPRA

Organisation

[Organisation name]

Owner

[Assigned to]

Target date

[Target completion date]

Reviewed by

[Reviewed by]


CCPA / CPRA Process Map

The operational CCPA programme as a process map - inventory, notice, rights workflow, vendor agreements, and staff training. The vendor-agreement step is the one teams underestimate: a single service provider engaged under the wrong contractual terms is re-classified as a third party, which turns the disclosure of PI to it into a sale or share.

CCPA / CPRA consumer rights request workflow

A CCPA / CPRA consumer rights request workflow rendered as a BPMN 2.0 process map. The flow receives a request, verifies the consumer identity per §1798.140(y), branches on request type (access, delete, correct, opt-out of sale or sharing), fulfils or denies with a permitted reason, tracks the 45-day SLA (extendable once by 45 days), responds to the consumer, and logs the outcome to the disclosure metrics required by §999.317.

  1. Receive a verifiable consumer request via at least two designated channels (toll-free number + website or email).
  2. Verify the consumer's identity per §1798.140(y) and §999.323 - matching data points proportional to the sensitivity of the request.
  3. If the consumer cannot be verified, deny the request, explain why, and treat any Delete request as an opt-out of sale or sharing instead.
  4. If verified, identify the right invoked - access, delete, correct, or opt-out of sale or sharing - and fulfil it via the relevant downstream system.
  5. Track the 45-day SLA (extendable once by 45 days with notice to the consumer) for substantive responses; opt-out of sale or sharing must be honoured within 15 business days.
  6. Respond to the consumer with the fulfilment output or a permitted denial reason (e.g. legal hold, security exception, deletion exemption under §1798.105(d)).
  7. Log the request, verification method, decision, response date, and any extensions in the consumer-rights request register for the §999.317 disclosure metrics.
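The seven-step workflow above, as an added example (not the page's own tooling and not the process-map editor's output): a minimal request register that derives the deadlines the page states (receipt confirmed within 10 business days, substantive response within 45 calendar days extendable once by 45, opt-out honoured within 15 business days), converts an unverifiable Delete request into an opt-out, and summarises the register into the disclosure metrics. Business-day arithmetic counts Monday to Friday only; a holiday calendar, the verification rule (two matched data points) and the sample dates are assumptions made for the example.

```python
"""Added example: consumer-rights request register with CCPA/CPRA deadlines.
Not the page's own code. Assumption: business days are Mon-Fri, no holidays."""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import date, timedelta
from enum import Enum
from statistics import median


class Right(Enum):
    KNOW = "know"
    DELETE = "delete"
    CORRECT = "correct"
    OPT_OUT = "opt_out"  # opt-out of sale or sharing


def add_business_days(start: date, n: int) -> date:
    """Advance n weekdays (Mon-Fri). Assumption: no holiday calendar."""
    d = start
    while n > 0:
        d += timedelta(days=1)
        if d.weekday() < 5:
            n -= 1
    return d


@dataclass
class RightsRequest:
    request_id: str
    right: Right
    received: date
    channel: str                         # e.g. "toll-free", "web-form", "email"
    verified: bool | None = None
    verification_method: str = ""
    decision: str = ""                   # "fulfilled" or "denied:<permitted reason>"
    responded: date | None = None
    extended: bool = False
    events: list = field(default_factory=list)

    def ack_deadline(self) -> date:
        # Confirm receipt within 10 business days.
        return add_business_days(self.received, 10)

    def response_deadline(self) -> date:
        # Opt-out of sale/sharing: 15 business days, no extension.
        if self.right is Right.OPT_OUT:
            return add_business_days(self.received, 15)
        # Other rights: 45 calendar days, extendable once by a further 45.
        return self.received + timedelta(days=90 if self.extended else 45)

    def extend(self, reason: str) -> None:
        if self.right is Right.OPT_OUT:
            raise ValueError("opt-out requests cannot be extended")
        if self.extended:
            raise ValueError("only one 45-day extension is permitted")
        self.extended = True
        self.events.append(("extension", reason))  # notice to consumer goes out here

    def verify(self, method: str, matched: int, required: int) -> None:
        """Record the verification outcome; `required` scales with data sensitivity."""
        self.verification_method = method
        self.verified = matched >= required
        if not self.verified and self.right is Right.DELETE:
            # Unverifiable Delete request is treated as an opt-out instead.
            self.events.append(("converted", "delete -> opt_out (unverified)"))
            self.right = Right.OPT_OUT

    def respond(self, on: date, decision: str) -> None:
        if on > self.response_deadline():
            self.events.append(("late", on.isoformat()))
        self.responded = on
        self.decision = decision


def metrics(register: list[RightsRequest]) -> dict:
    """Per-right counts and median days to respond, for the annual disclosure."""
    acc: dict = {}
    for r in register:
        m = acc.setdefault(r.right.value,
                           {"received": 0, "fulfilled": 0, "denied": 0, "days": []})
        m["received"] += 1
        if r.responded is None:
            continue  # still open; not yet counted as fulfilled or denied
        m["fulfilled" if r.decision == "fulfilled" else "denied"] += 1
        m["days"].append((r.responded - r.received).days)
    return {k: {"received": v["received"], "fulfilled": v["fulfilled"],
                "denied": v["denied"],
                "median_days": median(v["days"]) if v["days"] else None}
            for k, v in acc.items()}


if __name__ == "__main__":
    # Constructed sample: one Know request and one unverifiable Delete request.
    know = RightsRequest("R-1", Right.KNOW, date(2025, 3, 3), "web-form")
    know.extend("large record set across three systems")
    know.respond(date(2025, 4, 20), "denied:legal hold")
    delete = RightsRequest("R-2", Right.DELETE, date(2025, 3, 3), "email")
    delete.verify("2-point match", matched=1, required=2)
    delete.respond(date(2025, 3, 10), "fulfilled")
    print(know.ack_deadline(), know.response_deadline(), delete.response_deadline())
    print(metrics([know, delete]))
```

The register keeps the verification method and every extension or conversion as an event, which is exactly what an auditor asks for when reconciling the metrics report against individual requests.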
CCPA / CPRA FAQ


Is the CPRA a different law from the CCPA?

The California Privacy Rights Act (CPRA) is a 2020 ballot measure that amended and expanded the CCPA, effective 1 January 2023. The combined regime is often called "CCPA / CPRA" or just "CCPA". The CPRA added rights (Correct, Limit Use of Sensitive PI), restructured "sale" into "sale or share", and established the California Privacy Protection Agency.

Do I need to honour Global Privacy Control (GPC) signals?

Yes. The CPPA has confirmed that businesses subject to the CCPA / CPRA must honour GPC signals as a valid opt-out of sale or share for the browser sending the signal.
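The signal-honouring mechanism from checklist step 4 and this answer, as an added server-side example (not the page's own code). The GPC specification carries the signal as the request header `Sec-GPC` with the exact value `1`; any other value, or no header, is not a signal. The function below also accepts the WSGI form of the header (`HTTP_SEC_GPC`), folds in a previously stored opt-out, and records which source produced the decision so the register can show why sale or sharing was suppressed. The request dictionaries and the stored-preference flag are constructed sample inputs.

```python
"""Added example: honouring the Global Privacy Control (GPC) opt-out signal.
Not from the page. Assumes the standard `Sec-GPC: 1` request header."""


def gpc_signalled(headers: dict) -> bool:
    """True only when the request carries `Sec-GPC: 1`.

    Header names are case-insensitive; WSGI servers expose the same header
    as `HTTP_SEC_GPC`. Only the literal value "1" is a signal - "0", "true"
    or an empty value is treated as no signal, per the GPC spec.
    """
    for name, value in headers.items():
        if name.lower() in ("sec-gpc", "http_sec_gpc"):
            return str(value).strip() == "1"
    return False


def sale_or_share_permitted(headers: dict, stored_opt_out: bool,
                            register: list) -> bool:
    """Decide whether PI from this request may be sold or shared, and log why.

    Precedence: a GPC signal on the browser is itself a valid opt-out, so it
    wins even when no stored preference exists; a stored opt-out from the
    "Do Not Sell or Share" link is honoured regardless of the browser.
    """
    if gpc_signalled(headers):
        register.append({"source": "gpc", "decision": "opt-out"})
        return False
    if stored_opt_out:
        register.append({"source": "stored-preference", "decision": "opt-out"})
        return False
    register.append({"source": "none", "decision": "permitted"})
    return True


if __name__ == "__main__":
    # Constructed sample requests: a browser with GPC on, one with GPC off,
    # and a WSGI-style environ from a GPC-enabled browser.
    log: list = []
    print(sale_or_share_permitted({"Sec-GPC": "1"}, False, log))          # False
    print(sale_or_share_permitted({"sec-gpc": "0"}, False, log))          # True
    print(sale_or_share_permitted({"HTTP_SEC_GPC": "1"}, False, log))     # False
    print(sale_or_share_permitted({}, True, log))                         # False
    print(log)
```

Place this check before any tag, pixel or data-sharing integration fires, not after: a page that loads the sharing script first and suppresses it later has already shared.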

What is the difference between a "service provider" and a "third party" under CCPA?

A service provider processes personal information on the business's behalf under a CCPA-compliant contract that restricts use to the disclosed business purposes. A third party is everyone else - and disclosure of PI to a third party is treated as a "sale" or "share" requiring opt-out. The vendor contract language is what determines which bucket a recipient falls into.

How long do I have to respond to a consumer rights request?

Confirm receipt within 10 business days; substantively respond within 45 calendar days. You can extend by an additional 45 days where reasonably necessary, with notice to the consumer.


Turn the CCPA / CPRA checklist into a working process

Open the CCPA / CPRA process map, rename the steps to match your organisation, and turn the checklist into a working procedure your team can run year after year.