CCPA / CPRA Compliance Checklist

The California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), is one of the strongest privacy laws in the United States. This guide covers what you need to know to comply.

What is CCPA / CPRA?

The California Consumer Privacy Act (CCPA) took effect on January 1, 2020, granting California residents new rights over their personal information. The California Privacy Rights Act (CPRA), effective January 1, 2023, significantly amended and expanded the CCPA.

Together, CCPA/CPRA create a comprehensive privacy framework that governs how businesses collect, use, share, and sell the personal information of California residents. The law also established the California Privacy Protection Agency (CPPA) to enforce the regulations.

Who Does CCPA Apply To?

CCPA applies to for-profit businesses that do business in California and meet any one of the following thresholds:

  • Has annual gross revenue exceeding $25 million.
  • Buys, sells, or shares the personal information of 100,000 or more California residents, households, or devices annually.
  • Derives 50% or more of annual revenue from selling or sharing California residents' personal information.

Key Requirements Checklist

Determine if CCPA applies to your business

Assess whether you meet the revenue, data volume, or data-sale thresholds that trigger CCPA obligations.

Map your data collection practices

Create a comprehensive inventory of the personal information you collect, the sources, and the business purposes.

Update your privacy policy

Disclose the categories of personal information collected, purposes, third-party sharing, and consumer rights. Update at least every 12 months.

Provide a "Do Not Sell or Share My Personal Information" link

Display a clear, conspicuous link on your homepage allowing consumers to opt out of the sale or sharing of their personal information.

Implement opt-out preference signals

Honour Global Privacy Control (GPC) and other opt-out preference signals as valid requests under CPRA.
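As an added example (not code from this page or from Pryvii), the following shows how a server can treat the browser's Sec-GPC request header as a valid opt-out request. The request model, the in-memory account store and the decision to persist the opt-out to a logged-in consumer's account are constructed assumptions for illustration.

```python
"""Honouring the Global Privacy Control (GPC) opt-out signal server-side.

Constructed example: a request is modelled as a dict of HTTP headers plus
an optional authenticated user id. A browser with GPC enabled sends
``Sec-GPC: 1``; any other value, or no header, expresses no preference.
"""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class OptOutState:
    """Per-account record of sale/sharing opt-outs (constructed, in-memory)."""
    opted_out: dict = field(default_factory=dict)  # user_id -> True


def gpc_signal_present(headers: dict) -> bool:
    """Return True only for a well-formed GPC opt-out signal.

    Header names are matched case-insensitively; the GPC specification
    defines "1" as the only value that expresses an opt-out preference.
    """
    for name, value in headers.items():
        if name.lower() == "sec-gpc":
            return value.strip() == "1"
    return False


def apply_request(headers: dict, user_id: Optional[str], state: OptOutState) -> dict:
    """Decide whether sale/sharing is permitted for this request.

    Returns a small decision record that downstream code (ad tags,
    data-sharing pipelines) can consult before sharing any data.
    """
    signal = gpc_signal_present(headers)
    if signal and user_id is not None:
        # Assumed policy: persist the opt-out to the known consumer's
        # account so later sessions without the header stay opted out.
        state.opted_out[user_id] = True
    account_opt_out = bool(user_id and state.opted_out.get(user_id, False))
    return {
        "gpc_signal": signal,
        "sale_or_sharing_allowed": not (signal or account_opt_out),
        "reason": "gpc" if signal else ("account" if account_opt_out else "none"),
    }
```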

Establish consumer request processes

Provide at least two methods for consumers to submit requests (e.g., toll-free number and web form). Respond within 45 days.

Verify consumer identity for requests

Implement reasonable verification procedures before fulfilling access, deletion, or correction requests.

Review service provider contracts

Ensure contracts with service providers and third parties include CCPA-required data processing restrictions.

Implement data minimisation (CPRA)

Collect only personal information that is reasonably necessary and proportionate to the disclosed purposes.

Conduct risk assessments (CPRA)

Perform regular cybersecurity audits and risk assessments for processing activities that present significant risk to consumer privacy.

Consumer Rights Under CCPA / CPRA

Right to Know

Consumers can request disclosure of the categories and specific pieces of personal information a business collects about them.

Right to Delete

Consumers can request deletion of their personal information, with certain exceptions.

Right to Opt-Out

Consumers can direct a business to stop selling or sharing their personal information.

Right to Non-Discrimination

Businesses cannot deny goods or services, charge different prices, or provide different quality based on exercising privacy rights.

Right to Correct (CPRA)

Consumers can request that a business correct inaccurate personal information.

Right to Limit Use of Sensitive Data (CPRA)

Consumers can limit the use and disclosure of sensitive personal information to what is necessary.

Penalties for Non-Compliance

CCPA/CPRA violations carry both administrative and civil penalties:

Administrative Fines

Up to $2,500 per unintentional violation and $7,500 per intentional violation. Fines are tripled for violations involving minors.

Private Right of Action

Consumers can sue for $100 to $750 per incident (or actual damages) in the event of a data breach resulting from inadequate security practices.

Check your compliance now

Use Pryvii to automatically analyse your website and get a compliance score with practical recommendations.