CCPA Compliance Checklist for 2026

A complete, actionable CCPA compliance checklist covering data mapping, privacy policies, DSAR handling, vendor agreements, and more.

Last updated: 2026-02-07

Compliance checklists are easy to find. Useful ones are harder to come by.

Disclaimer: This article is for informational purposes only and does not constitute legal advice. Privacy regulations are complex and change frequently. You should consult a qualified attorney for guidance specific to your business. The information here is based on the CCPA (Cal. Civ. Code §§ 1798.100–1798.199.100) and its amendments under the CPRA, as of the date of publication.

Most CCPA checklists out there are either oversimplified ("update your privacy policy!") or written for Fortune 500 companies with in-house legal teams. This one is built for real businesses that need to get compliant without hiring a privacy department.

Every item below is something you actually need to do. We've organized them by category so you can tackle them systematically, and we've explained why each one matters. If you need the full context behind any of these requirements, our Complete Guide to CCPA Compliance covers everything in depth.

Before You Start: Determine Whether CCPA Applies to You

Before diving into the checklist, confirm that the CCPA actually applies to your business. You need to meet at least one of these thresholds (Cal. Civ. Code § 1798.140(d)):

  • [ ] Annual gross revenue exceeds $25 million
  • [ ] You annually buy, sell, or share the personal information of 100,000 or more California consumers or households
  • [ ] You derive 50% or more of annual revenue from selling or sharing California consumers' personal information

If you meet any one of these, proceed with the full checklist. If you don't, the CCPA may not technically require compliance, but many of these practices are still worth adopting. See Does CCPA Apply to Small Businesses? for a frank discussion about why.

For a detailed breakdown of each threshold and how to calculate whether you're covered, check our guide on Who Does the CCPA Apply To.

Data Mapping and Inventory

You can't protect what you don't know about. Data mapping is the single most important step in CCPA compliance, and it's the one that most businesses skip or do poorly.

  • [ ] Identify all categories of personal information you collect. Go beyond names and email addresses. Think about IP addresses, device identifiers, browsing history, purchase records, geolocation, cookies, and any inferences you draw from collected data.

  • [ ] Document the sources of personal information. For each category, record whether it comes directly from consumers (form submissions, purchases), automatically (cookies, tracking pixels), or from third parties (data brokers, advertising partners, public databases).

  • [ ] Record the business purpose for each category. Why do you collect each type of data? Completing transactions, marketing, analytics, fraud prevention, legal compliance? Be specific. "Business operations" isn't a purpose -- it's a vague gesture.

  • [ ] Map where personal information is stored. Databases, CRM systems, email platforms, cloud storage, analytics tools, spreadsheets (yes, spreadsheets count), paper files. Include both internal systems and third-party platforms.

  • [ ] Identify all third parties you share data with. This includes service providers (your payment processor, email marketing tool, cloud hosting), business partners, advertising networks, and analytics providers.

  • [ ] Document data retention periods. How long do you keep each category of personal information? If the answer is "forever" or "we've never thought about it," that needs to change. CPRA added data minimization requirements, which means you may keep data only as long as reasonably necessary for the purpose for which you collected it.

  • [ ] Create a data flow diagram. Show how personal information moves through your organization -- from collection to storage to sharing to deletion. This doesn't need to be fancy. A flowchart or even a detailed spreadsheet works.

Privacy Policy Updates

Your privacy policy is both a legal requirement and the primary way you communicate your data practices to consumers. Under CCPA, it's not optional fluff -- it's a document with specific, mandatory disclosures (Cal. Civ. Code § 1798.130).

  • [ ] List all categories of personal information collected in the past 12 months. Use the CCPA's defined categories: identifiers, commercial information, internet activity, geolocation, audio/visual information, professional information, education information, inferences, and sensitive personal information.

  • [ ] Disclose the sources of personal information. For each category, state whether you collect it from consumers directly, from third parties, or automatically.

  • [ ] State the business or commercial purpose for collecting each category. Be specific enough that a consumer could understand why you need their data.

  • [ ] List the categories of third parties with whom you share personal information. And for each category of personal information, identify which third parties receive it.

  • [ ] If you sell or share personal information, disclose the categories sold/shared. And identify the categories of third parties to whom you sell or share it.

  • [ ] Describe each CCPA consumer right. Right to know (Cal. Civ. Code § 1798.100), right to delete (Cal. Civ. Code § 1798.105), right to opt out of sale/sharing (Cal. Civ. Code § 1798.120), right to correct, right to limit use of sensitive personal information, and the right to non-discrimination (Cal. Civ. Code § 1798.125).

  • [ ] Explain how consumers can submit requests. Include all designated request channels (web form, email, phone number).

  • [ ] Describe your verification process. Explain in general terms how you verify that the person making a request is who they say they are.

  • [ ] Include information about authorized agents. Explain how consumers can designate an authorized agent to submit requests on their behalf.

  • [ ] State data retention periods. For each category of personal information, disclose how long you keep it (or the criteria for determining the retention period).

  • [ ] Include the date the privacy policy was last updated.

  • [ ] Make the privacy policy available in all languages your website supports.

  • [ ] Ensure the privacy policy is accessible to people with disabilities. This generally means following web accessibility guidelines (WCAG).

  • [ ] Set a calendar reminder to review and update the privacy policy at least annually.

Consumer Request Handling (DSARs)

This is where theory meets practice. When a California consumer exercises their rights, you need a real process to handle it -- not just good intentions. For a complete walkthrough of DSAR handling under CCPA, see our CCPA DSAR Process guide.

Request Intake

  • [ ] Provide at least two methods for submitting requests. At minimum: a toll-free phone number and a web-based method (online form or email address). If your business operates exclusively online, an email address may be sufficient.

  • [ ] Create a dedicated web form for privacy requests. This should capture the consumer's identity information, the type of request (know, delete, opt-out, correct), and enough detail to process it. Keep it simple -- consumers shouldn't need a law degree to fill it out.

  • [ ] Set up a dedicated email address for privacy requests. Something like privacy@yourbusiness.com. This keeps requests from getting lost in general support queues.

  • [ ] Create an intake logging system. Every request needs to be tracked from receipt through completion. Record: date received, type of request, requester identity, status, response date, and outcome. A spreadsheet works for low volume. Dedicated software works better as you scale.

Identity Verification

  • [ ] Establish a verification process for "right to know" requests. You must verify the requester's identity to a "reasonable degree of certainty." For requests to know categories of data, this means matching at least two data points. For requests to know specific pieces of data, you need a "reasonably high degree of certainty" -- match at least three data points plus a signed declaration under penalty of perjury.

  • [ ] Establish a verification process for deletion requests. Same standard as "right to know categories" -- reasonable degree of certainty, at least two data points.

  • [ ] Establish a process for opt-out requests. Opt-out requests don't require identity verification (just enough to match the request to the consumer's data).

  • [ ] Create a process for authorized agent requests. If someone submits a request on behalf of a consumer, you can require the consumer to verify their identity directly with you and confirm they authorized the agent.

  • [ ] Document your verification procedures. Write them down. If you're ever audited or challenged, you need to show you had a reasonable process.

For a deep dive on verification, download our Identity Verification Guide.

Request Processing

  • [ ] Confirm receipt within 10 business days. You must acknowledge the request and explain what will happen next.

  • [ ] Process within 45 calendar days of receipt (Cal. Civ. Code § 1798.130(a)(2)). This is your response deadline. The clock starts when you receive the request, not when you verify identity.

  • [ ] If you need more time, notify the consumer of a 45-day extension within the initial 45 days. You can only extend once, and you must explain why you need more time.

  • [ ] For "right to know" requests, gather all required information. Categories of data collected, sources, purposes, third parties, and (if requested and verified to a high degree) specific pieces of data.

  • [ ] For deletion requests, delete from all systems. This includes your primary databases, backups (where feasible), and anywhere else the data lives. Direct your service providers to delete as well.

  • [ ] For opt-out requests, stop selling/sharing the consumer's data. Implement the opt-out within 15 business days and notify all third parties to whom you've sold or shared the data in the past 90 days.

  • [ ] Maintain records of all requests and responses for at least 24 months.

For practical details on processing different request types, see How to Handle CCPA Right-to-Delete and Right-to-Know Requests.

"Do Not Sell or Share" Requirements

  • [ ] Determine whether you "sell" or "share" personal information. Remember: "selling" includes any transfer for monetary or other valuable consideration (Cal. Civ. Code § 1798.140(ad)). "Sharing" includes disclosing for cross-context behavioral advertising (Cal. Civ. Code § 1798.140(ah)). If you use third-party advertising tools, ad networks, or analytics that share data with other parties, you likely qualify.

  • [ ] Add a "Do Not Sell or Share My Personal Information" link on your homepage (Cal. Civ. Code § 1798.135). It must be clear and conspicuous. Place it in the footer at minimum, and consider adding it to your privacy policy page as well.

  • [ ] Ensure the opt-out process doesn't require an account. Consumers must be able to opt out without creating an account or logging in.

  • [ ] Implement opt-out preference signals (GPC). Under CPRA regulations, businesses must treat Global Privacy Control (GPC) signals as valid opt-out requests. If a consumer's browser sends a GPC signal, you must honor it.

  • [ ] Wait 12 months before asking opt-out consumers to reconsider. You can't nag them. One "are you sure?" after a year is the limit.

  • [ ] Don't sell or share the personal information of consumers you know are under 16 without opt-in consent. For consumers between 13 and 16, you need the consumer's affirmative opt-in. For consumers under 13, you need a parent or guardian's consent.

For details on how this interacts with cookies and tracking technologies, see our CCPA Cookie Compliance guide.
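The GPC item above is the one piece of this section that is implemented in code rather than on paper. The following is an added example, not code from the original article: a small server-side check that treats the browser's Global Privacy Control header (`Sec-GPC: 1`) as a valid opt-out, records it against the consumer, and builds the `/.well-known/gpc.json` body the GPC specification defines. The request shape, the `optOutStore` set and the function names are assumptions made for the example.

```javascript
// Added example (not from the original article): honoring the Global Privacy
// Control (GPC) opt-out preference signal on the server side.
// Assumption: GPC arrives as the HTTP request header "Sec-GPC" whose value is
// exactly "1"; any other value is not a signal. The request object shape,
// the optOutStore Set and the function names are hypothetical.

// True when the request carries a valid GPC signal. Header names are matched
// case-insensitively; the value must be exactly "1" after trimming.
function hasGpcSignal(headers) {
  for (const [name, value] of Object.entries(headers || {})) {
    if (name.toLowerCase() === "sec-gpc") {
      const v = Array.isArray(value) ? value[0] : value;
      return String(v).trim() === "1";
    }
  }
  return false;
}

// Decide whether this request may be routed to any sale/sharing path (for
// example, loading a third-party ad pixel). optOutStore is a Set of consumer
// ids that already opted out via the "Do Not Sell or Share" link.
// Returns { allowSaleOrShare, reason } so callers can log the decision.
function decideSaleOrShare(req, optOutStore) {
  const id = req.consumerId == null ? null : String(req.consumerId);
  const storedOptOut = id !== null && optOutStore.has(id);
  const gpc = hasGpcSignal(req.headers);
  if (gpc && id !== null) {
    // A GPC signal is itself an opt-out request: persist it so later requests
    // from this consumer that arrive without the header are still honored.
    optOutStore.add(id);
  }
  const reason = gpc ? "gpc" : storedOptOut ? "stored-opt-out" : "none";
  return { allowSaleOrShare: !(gpc || storedOptOut), reason };
}

// Body for GET /.well-known/gpc.json, the resource the GPC spec defines so
// that browsers and auditors can see the site claims to honor the signal.
// lastUpdate is an ISO 8601 date string (e.g. the policy's last update date).
function gpcWellKnown(lastUpdate) {
  return { gpc: true, lastUpdate };
}

// Constructed sample requests, for illustration only.
const optOuts = new Set();
const withGpc = { consumerId: "c-42", headers: { "Sec-GPC": "1", Host: "example.test" } };
const withoutGpc = { consumerId: "c-42", headers: { host: "example.test" } };
console.log(decideSaleOrShare(withGpc, optOuts));    // blocked, reason "gpc"
console.log(decideSaleOrShare(withoutGpc, optOuts)); // blocked, reason "stored-opt-out"
console.log(JSON.stringify(gpcWellKnown("2026-02-07")));

module.exports = { hasGpcSignal, decideSaleOrShare, gpcWellKnown };
```

Because the consumer id is only known for logged-in or cookie-identified visitors, anonymous requests carrying the header are blocked for that request but not persisted, which is the conservative behaviour for the "no account required" item above.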

Employee Training

  • [ ] Train all employees who handle consumer inquiries. Customer support, sales, and anyone who might receive a privacy request needs to know what one looks like and where to route it.

  • [ ] Train employees who handle personal information. Anyone with access to consumer data needs to understand the basics of CCPA obligations and your internal data handling policies.

  • [ ] Create a quick-reference guide for consumer-facing staff. A one-page document that says: "If a customer asks about their data, here's what you say, and here's who you email." Keep it simple.

  • [ ] Document your training. Record who was trained, when, and on what topics. If the California AG or CPPA comes knocking, you want to show you took training seriously.

  • [ ] Schedule refresher training at least annually. Laws change. Processes change. People forget. Annual training keeps everyone current.

Vendor and Service Provider Agreements

Your CCPA compliance is only as strong as your weakest vendor. If you share personal information with service providers who mishandle it, you're the one on the hook.

  • [ ] Inventory all vendors who receive personal information. This includes SaaS providers, payment processors, email marketing platforms, cloud hosting, analytics tools, advertising partners, and anyone else who touches consumer data.

  • [ ] Ensure contracts with service providers include CCPA-required terms. Every agreement must: specify the business purpose for data sharing, prohibit the provider from using the data for purposes other than the contracted service, require the provider to comply with CCPA obligations, require notification if the provider can no longer meet its obligations.

  • [ ] Distinguish between service providers, contractors, and third parties. Under CPRA, each has different contractual requirements. Service providers process data on your behalf. Contractors are similar but have additional restrictions. Third parties receive data for their own purposes.

  • [ ] Verify vendor compliance. Ask your key vendors about their CCPA compliance posture. Do they have a process for responding to deletion requests? Can they help you fulfill consumer requests that involve data in their systems?

  • [ ] Include data breach notification requirements in vendor contracts. Your vendors should be obligated to notify you promptly if they experience a breach involving your consumers' data.

  • [ ] Review vendor agreements at least annually. Vendors change their practices. CCPA regulations evolve. Make sure your agreements keep up.

Security Measures

The CCPA's private right of action (Cal. Civ. Code § 1798.150) -- where individual consumers can sue you directly -- applies specifically to data breaches resulting from your failure to implement reasonable security. This makes security a compliance issue, not just an IT issue. For details on what's at stake, see our CCPA Penalties guide.

  • [ ] Implement encryption for personal information in transit and at rest. Use TLS for data in transit. Encrypt sensitive data in your databases and storage systems.

  • [ ] Use strong access controls. Limit who can access personal information to those who need it for their job. Use unique credentials, strong passwords, and multi-factor authentication.

  • [ ] Keep all software and systems patched and updated. Unpatched vulnerabilities are the #1 cause of preventable data breaches.

  • [ ] Conduct regular security assessments. At minimum, run vulnerability scans quarterly and a more thorough security review annually.

  • [ ] Create and test an incident response plan. Know what you'll do when (not if) a security incident occurs. Who's in charge? Who do you notify? What's the timeline?

  • [ ] Implement data minimization practices. Don't collect data you don't need. Don't keep data longer than necessary. The less data you have, the less damage a breach can cause.

  • [ ] Back up data securely. And test your backups regularly. A backup you've never tested is not a backup.

Financial Incentive Programs

If you offer loyalty programs, discounts, or other incentive programs that involve collecting personal information, there are additional requirements.

  • [ ] Provide a clear notice of financial incentive programs. Explain what data you collect, why, and the terms of the program.

  • [ ] Obtain opt-in consent before enrolling consumers. Financial incentive programs must be voluntary, with clear opt-in.

  • [ ] Allow consumers to opt out at any time. And make the opt-out process easy -- not buried behind five clicks and a phone call.

  • [ ] Document how the financial incentive relates to the value of consumer data. You need to be able to explain that the discount or benefit is "reasonably related to the value" of the data you collect.

Ongoing Compliance Maintenance

CCPA compliance isn't a one-and-done project. It requires ongoing attention.

  • [ ] Review and update your privacy policy at least annually. Or whenever your data practices change significantly.

  • [ ] Re-run your data inventory at least annually. You're probably collecting data today that you weren't collecting six months ago.

  • [ ] Monitor regulatory updates from the CPPA. The California Privacy Protection Agency continues to issue new regulations and guidance. Stay current.

  • [ ] Track and report on DSAR metrics. How many requests are you receiving? What types? How quickly are you responding? Are you meeting the 45-day deadline? These metrics help you identify process problems before they become compliance failures.

  • [ ] Conduct periodic compliance audits. At least annually, walk through this checklist and verify that everything is still in place and working.

  • [ ] Document everything. Compliance is easier to prove when you have records. Keep documentation of your policies, procedures, training, vendor agreements, and DSAR responses.

Your Action Plan

If this checklist feels overwhelming, here's the priority order:

  1. Data mapping. Everything else depends on this. Do it first.
  2. Privacy policy. Get your disclosures right.
  3. DSAR process. Build it before you get your first request.
  4. "Do Not Sell/Share" link. If you need one, add it now.
  5. Vendor agreements. Review and update.
  6. Security measures. Shore up your defenses.
  7. Training. Get your team up to speed.
  8. Ongoing maintenance. Set reminders and build habits.

You don't need to do everything in a single weekend. But you do need to start. Pick the first item you haven't done and get moving.

References

Last reviewed: February 2026. Privacy laws change frequently. Verify all statutory references against the current text of the law and consult qualified legal counsel before making compliance decisions for your business.


Need a structured framework for building your DSAR process? Our DSAR Compliance Guide walks you through setting up intake, verification, processing, and response -- the core of CCPA compliance -- in a format you can implement immediately. No fluff, no filler.