The No-nonsense CCPA Compliance Checklist

California expects businesses to protect its residents’ privacy. Get a solid start on your CCPA compliance efforts with this checklist.
Richard Stevenson

by Richard Stevenson

September 15, 2022

One of the strictest privacy laws in the United States, the California Consumer Privacy Act (CCPA), defines the responsibilities of businesses to protect California residents’ privacy rights. Compliance with CCPA ensures your business can fulfill these responsibilities in a way that makes sense for your California operations. 

This 16-step CCPA compliance checklist will help you get started on your compliance journey. For more background on CCPA, check out this guide

16 Steps to Prepare for CCPA Compliance 

As you prepare to comply with CCPA, this checklist will provide a framework for measuring the scope of your company’s exposure as well as understanding the processes and controls you must implement.

1. Determine Whether Your Organization is Subject to CCPA.

CCPA excludes government agencies, non-profit organizations, and businesses that fall under other privacy regulations, such as the Healthcare Information Privacy and Portability Act (HIPAA). 

Any other companies that do business in California and meet one of the following requirements must comply with CCPA:

  • Gross annual revenue greater than $25 million.

  • Buy, sell, receive, or share PI for commercial purposes from 50,000 or more from California residents, households, and devices. 

  • Sales of PI account for more than 50% of company revenue.

Companies that do not meet any of these requirements are not subject to CCPA. Still, CCPA compliance may be useful to prepare for future growth or to reinforce your company’s social responsibility programs.

2. Audit Your Third-Party Exposure to CCPA Compliance

Most companies share consumer PI with billing services, credit card processors, and other third parties. CCPA requires these third parties to comply with your company’s PI protection policies.

Determine your third-party vendors’ compliance with CCPA, their security practices, and the controls they use to comply with your privacy policies.

3. Understand Your Exposure to Personal Information Regulation

Audit your data collection processes to understand:

  • What PI you collect.

  • How you store all PI.

  • Who in your company has access to this PI.

  • Which third parties you share this PI with.

Companies often collect more personal information than they realize, which increases their risk posture and could lead to severe financial penalties. You should identify opportunities to reduce the data you collect or limit the time you retain personal information.

4. Refine Your Data Governance

In light of the personal information you collect, review your data governance policies. An essential part of this assessment is a cost/benefit analysis of any data-selling practices. 

5. Audit and Update Your Security and Data Protection Controls

Mitigate any weaknesses in your security and data protection processes. The CCPA does not prescribe specific methods, leaving it to each business to choose reasonable security measures for storing and transmitting PI.

However, certain practices can mitigate the impact of security breaches. Consumers can’t sue companies under CCPA if, for example, their stolen personal information is encrypted.

6. Prepare an Incident Response Plan

Whether an independent process or part of an overall risk management plan, develop incident response procedures to handle CCPA violations such as stolen PI or a breakdown in privacy practices. Assign responsibilities to specific stakeholders and perform regular simulations to prepare your responses to potential incidents. 

7. Implement Identity Verification Systems

CCPA compliance requires responding to consumer requests. To do this, you must have processes to verify consumers’ identity. Granting someone access to another person’s personal information is a CCPA violation.

8. Develop a Privacy Policy

Companies must publish a statement of their privacy policies. This is often a webpage linked to the company’s home page or in its mobile app. A privacy policy describes how you collect, use, share, and sell consumer PI online and offline. The privacy policy must also explain consumers’ rights under CCPA and how to exercise those rights online and offline.

9. Develop a Notice at Collection

Companies must also provide consumers a notice at collection on or before requesting personal information. Among other things, this notice must list the categories of information you collect and why you collect them. If you sell this information, then the notice at collection must include a Do Not Sell link.

10. Implement Systems to Support Consumers’ Right to Know

CCPA defines consumers’ rights to know what personal information businesses collect about them. At any time, a consumer can ask you for a report detailing:

  • PI categories you collect from consumers.

  • Personal information specific to them you have on file.

  • Where you collect that personal information from.

  • How you use the PI you collect.

  • What kinds of third parties you share their PI with.

  • What PI categories you sell or disclose to third parties.

When a consumer submits a request, you have up to 45 days to respond with all information in the 12 months preceding their request. You can extend that window by another 45 days, provided you notify the consumer in advance.and have a reasonable explanation for why the extension is required.

You will need systems that let consumers place their requests, verify their identities, collect all relevant information, and distribute the information within the 45- to 90-day window.

11. Implement Systems to Support Consumers’ Right to Delete

California consumers have a limited right to request companies delete their personal information. Upon receiving a valid request, you have 45 days (or 90 days with a notification) to delete the information from your records and any third parties you share that information with.

Develop systems and processes to take and review these requests as well as methods to verify all relevant information has been deleted.

12. Implement Systems to Support Consumers’ Right to Opt-out

Californians aged 18 years or older may ask companies to stop selling their personal information. In the case of minors, the sale of personal information requires affirmative authorization. Minors between the ages of 13 and 16 may opt-in to the sale of their information. Companies need parental consent to sell the personal information of minors younger than 13.

Clear and conspicuous Do Not Sell My Personal Information links should send Californians to a page on your website that makes the opt-out process easy. Consumers may also submit their opt-out request in writing.

13. Implement Systems to Support Consumers’ Right to Non-discrimination

Companies may not treat consumers differently just because they exercise their rights under CCPA.

There are cases, however, where the non-discrimination right does not apply. For example, you can require consumers to provide the personal information needed to complete a transaction. A consumer unwilling to provide their information cannot expect preferential treatment.

14: Train All Personnel

Any people involved with collecting, storing, processing, selling, or sharing consumer information must follow your company’s privacy policies and procedures for protecting consumer PI. Conduct regular training sessions to ensure people understand their roles and responsibilities.

15. Use Automation to Monitor Compliance Continuously

Manually tracking CCPA compliance is impractical for companies above a certain size. Although CCPA doesn’t require an audit, you must constantly monitor data security and CCPA controls to avoid fines if you’re ever under investigation. The only way to ensure daily CCPA compliance is through automation. Crossing siloed tech stacks, automated CCPA compliance tools such as Drata give you a single view of your compliance posture.

16. Incorporate Feedback to Improve CCPA Compliance Processes

Your CCPA compliance process must evolve with the regulatory and threat landscapes. Stay ahead of these changes by developing feedback mechanisms to incorporate learnings from compliance events and conduct regular reviews of your CCPA compliance program.

Additional Steps for CPRA 

Any CCPA compliance program must be ready for revisions taking effect on January 1, 2023. Approved in a 2020 referendum, the California Privacy Rights Act (CPRA) tightens many of the CCPA’s original privacy protections. 

The CPRA’s changes:

  • Introduce principles of data minimization that limit how long companies retain PI. This information can only be stored for as long as it’s needed for the purposes stated in the privacy policy and notice at collection.

  • Extend the right to opt-out of any data sharing that does not involve a financial exchange.

  • Replace the right to know’s 12-month rolling window to all data collected on or after January 1, 2022.

  • Require certain businesses to conduct risk assessments and may require independent cybersecurity audits.

  • Require third-party contracts to clearly define the what, why, and how of any data sharing. These contracts must prohibit the vendor from using personal information outside the contractual relationship.

Potential Risks of Not Being Compliant 

For companies that collect information from minors less than 16 years old, a critical change introduced in the CPRA is a tripling of the maximum fines for privacy violations. Companies could pay up to $7,500 per violation and may be subject to civil penalties.

All other companies are still subject to the CCPA’s original penalties. In the event of a data breach, consumers may sue for up to $750 in damages per violation. 

Companies may also violate CCPA if they do not respond to consumer requests and do not respond within 30 days to notifications from the California Office of the Attorney General. If accidental, companies face penalties up to $2,500 per violation. Intentional violations, however, could cost up to $7,500 per violation.

Given these costs, companies do not need a large presence in California to see their risk exposure climb. Developing an effective CCPA compliance program is essential. Schedule a demo to see how Drata’s compliance automation solution streamlines CCPA compliance.

Trusted Newsletter
Resources for you
PCI Audits hero

PCI DSS Audit: What It Is + How to Prepare

G2 Fall Reports Thumb

Drata Shines in G2 Fall Reports

Cyberattacks on Local Govs Hero

Cyberattacks on Local Governments on the Rise, Highlighting a Need for Enhanced Security

Richard Stevenson
Richard Stevenson
Richard Stevenson is Manager of Compliance Advisory Services at Drata. He advises customers on building sound cybersecurity risk management programs and security policies that meet security compliance requirements. Richard is an AWS Certified Cloud Practitioner, CompTIA CySA+, and Shared Assessment Certified Third-Party Risk Assessor specializing in SOC 2, ISO 27001, NIST 800-53, NIST 800-171, SOX, HIPAA, third-party risk management, and enterprise risk management.
Related Resources

The No-nonsense CCPA Compliance Checklist

CCPA Compliance 101 Everything You Need to Know

CCPA Compliance 101: Everything You Need to Know


GDPR vs. CCPA: Key Differences and Similarities