
CCPA Compliance Checklist: A No-nonsense Guide

Our 16-step CCPA compliance checklist can ensure you protect consumer data and meet security requirements outlined in the California Consumer Privacy Act.

by Troy Fine

November 16, 2023
Contents

  • Quick Refresher: What Is the CCPA?

  • 16-Step CCPA Compliance Checklist

  • CCPA Compliance FAQ

  • How Drata Can Help You Stay CCPA Compliant

One of the strictest privacy laws in the United States, the California Consumer Privacy Act (CCPA), defines the responsibilities of businesses to protect California residents’ privacy rights. Becoming CCPA compliant ensures your business can fulfill these responsibilities in a way that makes sense for your California operations. The only problem? CCPA compliance is a high bar to clear. 

In its State of CCPA Compliance report, CYTRIO found that only 11% of companies meet all CCPA requirements. Here, we’ll explain its guidelines, note which organizations must comply with the CCPA, and share a checklist to help keep you compliant.

Quick Refresher: What Is the CCPA?

The CCPA is a 2018 policy defining the responsibilities of for-profit businesses to protect California residents’ privacy rights. Specifically, it was passed to protect Californians’ personal information (PI) in the wake of data leaks from companies like Facebook and Google. The CCPA holds businesses accountable for lack of cybersecurity and empowers customers by reinforcing data privacy rights. 

CCPA vs CPRA: What’s the Difference?

After a 2020 referendum, the State of California amended its CCPA with the California Privacy Rights Act (CPRA). The CPRA strengthened privacy protections by introducing Sensitive Personal Information (SPI) as a new category, which includes data like Social Security Numbers, financial account details, and biometric information. Businesses must now provide specific rights for SPI, including the ability for consumers to limit its use and disclosure.

Another major change is the introduction of data minimization and retention rules. Under the CPRA, businesses must limit the collection of personal information to what’s necessary for specific purposes and define retention periods for all PI. Consumers also gain the right to correct inaccurate information businesses hold about them.

Despite these changes, the CPRA retains much of the CCPA’s framework. Core rights—like access, deletion, and opting out of data sales—remain intact. Since taking effect on March 29, 2023, the two policies work as one to protect California residents’ privacy rights, and are still referred to as “CCPA”. 


Who Does CCPA Compliance Apply To?

Companies that do business in California and meet one of the following requirements must comply with the CCPA:

  • You have gross annual revenue above $25 million.

  • You buy, sell, receive, or share PI for commercial purposes from 100,000 or more California residents, households, or devices.

  • Your PI sales account for more than 50% of company revenue.

The CCPA’s requirements also extend to third-party vendors you work with. Under the CCPA, a third party is any entity that receives PI from a business but is not directly employed by it or operating under its branding. This definition excludes service providers, who process data strictly on behalf of a business under a contractual agreement. 

Companies that don’t meet these requirements are not required to comply with the CCPA. Still, CCPA compliance may help prepare you for future growth and reinforce your company’s social responsibility programs. Once you have the policies required for CCPA compliance in place, they can also reduce the time and effort required to comply with other industry compliance frameworks like the GDPR.

Note: The CCPA excludes government agencies, nonprofit organizations, and businesses under other privacy regulations, such as the Health Insurance Portability and Accountability Act (HIPAA).

CCPA Scope and Types of Data Collected

The CCPA defines personal data as "information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household." 

The categories of personal information under the CCPA are:

  • Full name

  • Mailing address

  • Contact information

  • IP address

  • Consumer preferences and purchase history

  • Sensitive personal information (such as legal ID numbers, SSN, financial information, biometric data, etc.)

Publicly available information falls outside the scope of the CCPA. For example, press statements and public social media posts aren’t protected.

Penalties for Non-Compliance with the CCPA

Failing to comply with the law can get expensive—fast. Unintentional violations can cost you up to $2,500 per violation, while intentional ones can reach $7,500 per violation. On top of that, data breaches caused by insufficient security can result in private consumer lawsuits, with damages ranging from $100 to $750 per person, per incident—or higher if actual harm exceeds that amount.

Beyond the financial toll, there’s the reputational fallout. A compliance failure can make headlines, drive away customers, and damage trust in your company. Privacy-conscious consumers have little patience for companies that mishandle their data, and once trust is lost, it’s hard to win back.

Non-compliance also disrupts your business from an operational standpoint. Investigations, lawsuits, and rushed process overhauls can sap resources and stall momentum. The costs of addressing these issues far exceed the effort required to achieve compliance right from the start.

16-Step CCPA Compliance Checklist

As you prepare to comply with the CCPA, this checklist will provide guidance to help you understand the processes and controls you must implement. 


1. Understand Your Exposure to Personal Information Regulation

The CCPA puts user consent first when it comes to selling and storing their information. However, even with a customer’s permission, businesses must carefully manage the data they retain. Companies also need to practice data minimization by collecting only the data needed for specified business purposes. 

Companies often collect more personal information than they realize, which increases their risk posture and could lead to severe financial penalties. You should identify opportunities to reduce the data you collect or limit the time you retain that data.

Here’s an actionable breakdown of what to do:

  • Take inventory of your data: Create a detailed list of all PI your business collects (e.g. names, addresses, online identifiers like IP addresses, sensitive information such as Social Security numbers, etc.)

  • Map where this data comes from: Review all the channels through which PI enters your systems. This includes web forms, transactional systems, and third-party integrations such as marketing platforms or CRM tools. Don’t overlook offline sources like in-person interactions or paper forms, which may later be digitized and incorporated into your data ecosystem.

  • Assess storage practices: Once you’ve mapped your data, examine where and how it’s stored. Personal information could reside in cloud storage systems, on local servers, or in physical files. 

  • Review access controls: Determine who within your organization can access PI and whether those permissions align with their job responsibilities.

  • Pinpoint data retention practices: How long are you keeping PI, and why? CCPA compliance often means limiting data retention to what’s necessary for business purposes.
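The five inventory steps above lend themselves to being kept as data rather than as a spreadsheet nobody re-reads. The following Python example is added here and is not Drata’s code or part of the original post; it assumes a small inventory schema (dataset, PI categories, source channel, storage location, purpose, retention period, oldest record held, roles allowed versus roles actually granted) and runs the retention and access checks from the list over it. The two inventory entries are constructed sample data.

```python
"""Inventory-as-code for PI datasets, with automated retention and access checks."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, FrozenSet, List, Tuple


@dataclass(frozen=True)
class InventoryEntry:
    dataset: str
    pi_categories: Tuple[str, ...]   # e.g. ("full name", "email")
    source: str                      # channel through which the PI enters (web form, CRM sync, paper)
    storage: str                     # where it lives (cloud store, local server, physical files)
    purpose: str                     # documented business purpose; "" means nobody wrote one down
    retention_days: int              # how long the purpose justifies keeping it
    oldest_record: str               # ISO date of the oldest row still held
    allowed_roles: FrozenSet[str]    # roles whose job requires access
    granted_roles: FrozenSet[str]    # roles that actually have access today


@dataclass
class Finding:
    dataset: str
    issue: str
    detail: str


def audit_inventory(entries: List[InventoryEntry], today: str) -> List[Finding]:
    """Flag undocumented purposes, access beyond job need, and data held past its retention period."""
    today_d = date.fromisoformat(today)
    findings: List[Finding] = []
    for e in entries:
        if not e.purpose.strip():
            findings.append(Finding(e.dataset, "no_documented_purpose",
                                    "collection cannot be shown to be necessary"))
        excess = e.granted_roles - e.allowed_roles
        if excess:
            findings.append(Finding(e.dataset, "excess_access",
                                    "roles beyond job need: " + ", ".join(sorted(excess))))
        cutoff = date.fromisoformat(e.oldest_record) + timedelta(days=e.retention_days)
        if cutoff < today_d:
            findings.append(Finding(e.dataset, "retention_exceeded",
                                    f"oldest record {e.oldest_record} should have been purged by {cutoff.isoformat()}"))
    return findings


def issues_by_dataset(findings: List[Finding]) -> Dict[str, List[str]]:
    """Group finding types per dataset, for a review meeting or a ticket per dataset."""
    grouped: Dict[str, List[str]] = {}
    for f in findings:
        grouped.setdefault(f.dataset, []).append(f.issue)
    return {k: sorted(v) for k, v in grouped.items()}


# Constructed sample inventory (hypothetical datasets, not from the page).
SAMPLE_INVENTORY = [
    InventoryEntry("crm_contacts", ("full name", "email", "mailing address"),
                   "web signup form", "crm-saas", "order fulfillment and support",
                   730, "2021-01-10",
                   frozenset({"support", "sales"}),
                   frozenset({"support", "sales", "marketing-intern"})),
    InventoryEntry("web_access_logs", ("IP address",),
                   "edge proxy", "log-archive", "security monitoring",
                   90, "2024-05-01",
                   frozenset({"secops"}), frozenset({"secops"})),
]

if __name__ == "__main__":
    for finding in audit_inventory(SAMPLE_INVENTORY, "2024-06-01"):
        print(f"{finding.dataset}: {finding.issue} ({finding.detail})")
```

Run as a scheduled job, the audit turns the inventory into a control: every new dataset needs a purpose and a retention period before it is accepted, and drift in granted roles or overdue purges shows up as findings rather than being discovered during an investigation.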

2. Audit Your Third-Party Exposure to CCPA Compliance

Most companies share consumer PI with billing services, credit card processors, and other third parties. The CCPA requires these third parties to comply with your company’s PI protection policies. Determine your third-party vendors’ compliance with the CCPA, their security practices, and the controls they use to comply with your privacy policies.

The CPRA adds an extra obligation for third parties: vendor contracts must restrict the use of consumers’ personal information to the purposes of the contractual relationship. So, third-party contracts must explicitly state:

  • What data the parties share

  • Why they share this data

  • Who they share this data with

  • How the shared data must be protected

It’s also a good idea to formalize your approach to third-party management. A documented policy can guide your team in choosing compliant vendors, evaluating existing partnerships, and addressing non-compliance when it arises. For instance, if a vendor fails to meet their obligations under the CCPA, your policy should outline steps for remediation or, if necessary, contract termination.

The reality is that third-party relationships are one of the most vulnerable points in your compliance ecosystem. Overlooking even a minor vendor’s non-compliance could put your business at risk. 

3. Audit and Update Your Security and Data Protection Controls and Processes

The CCPA holds businesses accountable for implementing cybersecurity controls and performing a risk assessment relevant to retaining and safeguarding customer data. If a business can’t protect its users’ PI, those customers can file a lawsuit against the company. Hence, investing in data protection and CCPA security controls is essential. The CCPA does not prescribe specific methods, leaving it to each business to choose reasonable security measures for protecting PI.

Note: Certain practices can mitigate the impact of security breaches. Consumers can’t sue companies under the CCPA if, for example, their stolen personal information was encrypted or de-identified.
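The note above makes de-identification a concrete control rather than a nicety. The Python example below is added here and is not Drata’s code or part of the original post. It assumes records are plain dictionaries and shows one common de-identification pattern: direct identifiers are replaced with keyed HMAC pseudonyms (stable under one key, so analytics still work, but unlinkable by anyone who steals the dataset without the key, which should live in a separate key store), IP addresses are truncated to a network prefix, and a birth date is generalized to a year. The record and key are constructed sample values.

```python
"""Keyed pseudonymization and generalization of a PI record."""
import hashlib
import hmac
import ipaddress
from typing import Dict

# Fields treated as direct identifiers; anything here is never stored in the clear
DIRECT_IDENTIFIERS = ("full_name", "email", "phone", "ssn")


def pseudonym(key: bytes, value: str) -> str:
    """Keyed token for a direct identifier: same input gives the same token under one key,
    and nothing can be recovered or linked across datasets without that key."""
    normalized = value.strip().lower().encode("utf-8")
    return hmac.new(key, normalized, hashlib.sha256).hexdigest()[:32]


def truncate_ip(value: str) -> str:
    """Generalize an address to its /24 (IPv4) or /48 (IPv6) prefix."""
    addr = ipaddress.ip_address(value)
    prefix = 24 if addr.version == 4 else 48
    return str(ipaddress.ip_network(f"{addr}/{prefix}", strict=False).network_address)


def deidentify(record: Dict[str, str], key: bytes) -> Dict[str, str]:
    """Return a copy of `record` with direct identifiers pseudonymized and quasi-identifiers generalized."""
    out: Dict[str, str] = {}
    for name, value in record.items():
        if name in DIRECT_IDENTIFIERS:
            out[name] = pseudonym(key, value)
        elif name == "ip_address":
            out[name] = truncate_ip(value)
        elif name == "birth_date":
            out["birth_year"] = value[:4]   # keep the year, drop month and day
        else:
            out[name] = value
    return out


def leaks_direct_identifier(original: Dict[str, str], deidentified: Dict[str, str]) -> bool:
    """Sanity check before release: does any original direct identifier survive verbatim?"""
    blob = " ".join(str(v).lower() for v in deidentified.values())
    return any(str(original[f]).lower() in blob for f in DIRECT_IDENTIFIERS if f in original)


# Constructed sample input (hypothetical person and key; in practice the key comes from a KMS/HSM).
SAMPLE_KEY = b"constructed-demo-key-do-not-reuse"
SAMPLE_RECORD = {
    "full_name": "Jane Doe",
    "email": "Jane.Doe@example.com",
    "ip_address": "203.0.113.77",
    "birth_date": "1990-06-15",
    "order_total": "42.00",
}

if __name__ == "__main__":
    print(deidentify(SAMPLE_RECORD, SAMPLE_KEY))
```

Because the pseudonym is keyed, rotating or destroying the key is what turns the dataset from pseudonymized into truly de-identified; keep that key under the same access controls as the original PI.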

4. Refine Your Data Governance

Understand the personal information you collect and evaluate your data governance approach to ensure it aligns with the CCPA. Strong data governance:

  • Emphasizes users’ data rights under the CCPA

  • Protects PI from outside threats

  • Ensures third parties meet CCPA standards

  • Records information accurately

5. Prepare an Incident Response Plan

Even with the best security measures in place, no system is foolproof. Data breaches happen, and the CCPA expects businesses to be ready when they do. Whether as an independent process or part of an overall risk management plan, you need to develop incident response procedures to handle violations such as stolen PI or a breakdown in privacy practices.

A strong response plan starts with clear roles and responsibilities. Who’s in charge of identifying the breach? Who communicates with consumers or regulators? Make sure everyone involved knows what they need to do and perform regular simulations to prepare your responses to potential incidents.

The CCPA also has specific requirements for notifying consumers in the event of a data breach. If their personal information is compromised, you’re expected to inform them promptly, explain what happened, and what steps they can take to protect themselves. Your plan should outline how to handle these notifications clearly and professionally in order to minimize panic while staying transparent.

An incident response is also about containment. What systems need to be isolated? How will you secure vulnerable data? And how fast can you identify the scope of the breach? Your plan must address these questions and provide step-by-step instructions for mitigating damage.

6. Implement Identity Verification Systems

CCPA compliance requires responding to consumer requests. Prior to responding, you must have processes in place to verify the requestor’s identity. Granting someone access to another person’s personal information is a CCPA violation. 

Examples of identity verification processes you can implement include:

  • Knowledge-based verification: Request information that only the individual would know, such as account numbers, recent transaction details, or other unique identifiers.

  • Two-factor authentication (2FA): Before fulfilling a request, send a verification code to the customer’s registered email or phone number to confirm their identity.

  • Document verification: To access sensitive information, ask them to provide scanned or uploaded copies of government-issued IDs or other official documents.

  • Authentication via account logins: Direct consumers to submit their requests through a secure, authenticated account on your platform.

In addition, identity verification should also consider the user’s age, which influences your data collection and handling activities:

  • Californians can ask companies to stop selling their personal information at any time. 

  • For minors between the ages of 13 and 16, the sale of personal data requires their affirmative authorization.

  • Companies need parental or legal guardian’s consent to sell the personal information of children younger than 13.

7. Develop a Privacy Policy

Companies must publish a statement of their privacy policies. This is often a webpage linked to the company’s home page or on its mobile app. A privacy policy describes how you collect, use, share, and sell consumer PI online and offline. The privacy policy must also explain consumers’ rights under the CCPA and how to exercise those rights.

The CPRA added principles of correcting inaccurate information and data minimization that limits how companies can retain, use, and share collected PI. In your privacy policy, note how long you intend to keep data for business purposes. You should also include this information in a notice at collection. 

8. Develop a Notice at Collection

Companies must also provide consumers a notice at collection on or before requesting personal information. Among other things, this notice must list the categories of information you collect and why you collect it. If you sell this information, then the notice at collection must include a “Do Not Sell” link.

9. Implement Systems to Support Consumers’ Right to Opt Out

Clear and conspicuous “Do Not Sell My Personal Information” links should be available on your business’s website. The link should send users to a page that lets them opt out of data sales without having to create an account. Opt-out options like these help comply with the CCPA’s website technical specification requirements. If these methods are not available, consumers must be able to submit their opt-out request in writing. The CPRA extends the right to opt out to any form of data sharing, whether or not financial compensation is involved. 

Note: After opting out, businesses must wait 12 months before asking users to opt back into the sale of their personal information.

10. Implement Systems to Support Consumers’ Right to Know and Correct their Information

The CCPA also gives consumers a right to know what personal information businesses collect from them, so companies need systems that let consumers request to see their data. For example, a customer can ask you for a report detailing their personal information at any time.

When a consumer submits a request, you have up to 45 days to verify it and respond with all the requested information. You can extend that window by another 45 days, but only if you notify the consumer in advance and the cause for the delay is reasonable, such as data retrieval issues after a breach. 

The response must include:

  • The categories of PI collected.

  • The purpose of collecting the information.

  • The categories of third parties the information has been shared with.

  • A copy of the specific information you’ve collected about them, if requested.

From there, users can request changes to correct or update any inaccurate information related to them. Businesses can enable this through any of the following methods:

  • Web form

  • Publicly available email address

  • Toll-free number


11. Implement Systems to Support Consumers’ Right to Delete

California consumers have a right to request companies delete their personal information. Upon receiving a valid request, you have 45 days (or 90 days with valid reason and sufficient notification) to delete the information from your records. Failure to delete this data can lead to penalties or fines. 

When a consumer submits a deletion request, your business has to:

  • Verify the request: Confirm the identity of the requestor using your established verification process to prevent unauthorized deletions.

  • Delete the data: Remove the specified information from your systems, including backups and archives, unless an exemption applies.

  • Notify third parties: Inform any service providers or third parties with whom the data was shared, ensuring they also delete the information.

Note that not all data must be deleted, and the CCPA allows businesses to retain PI if:

  • It’s needed to complete a transaction or provide a service requested by the consumer.

  • Retention is required for legal compliance, security, or fraud prevention.

  • The data is used for internal purposes, like debugging.
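Steps 10 and 11 describe one workflow: a verified request, a statutory clock, a response built from what you hold, and a deletion that honours exemptions and propagates to third parties. The Python example below is added here and is not Drata’s code or part of the original post. It assumes PI is tracked as records tagged with category, purpose, the system they live in, who they were shared with, and any retention reason; it computes the response deadline (45 days, plus one 45-day extension only when advance notice was sent), assembles the four elements of a right-to-know response, and processes a deletion across every system while retaining only records covered by the exemptions listed above. The records are constructed sample data.

```python
"""Deadline tracking, access responses and deletion handling for verified consumer requests."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, FrozenSet, List, Set

RESPONSE_WINDOW_DAYS = 45   # initial window to verify and respond
EXTENSION_DAYS = 45         # one extension, allowed only with advance notice to the consumer

# Exemptions under which PI may be kept despite a deletion request (as listed on the page)
RETENTION_EXEMPTIONS = {
    "open_transaction", "requested_service", "legal_compliance",
    "security", "fraud_prevention", "internal_debugging",
}


def response_deadline(received: str, extension_notice_sent: bool = False) -> str:
    """ISO date by which the business must respond to a request received on `received` (ISO date)."""
    due = date.fromisoformat(received) + timedelta(days=RESPONSE_WINDOW_DAYS)
    if extension_notice_sent:
        due += timedelta(days=EXTENSION_DAYS)
    return due.isoformat()


@dataclass(frozen=True)
class PIRecord:
    record_id: str
    consumer_id: str
    category: str                                     # e.g. "contact information"
    purpose: str                                      # why it was collected
    system: str                                       # primary store, backup, archive, ...
    value: str
    shared_with: FrozenSet[str] = frozenset()         # third parties / service providers it went to
    retention_reasons: FrozenSet[str] = frozenset()   # why it might be exempt from deletion


def build_access_response(records: List[PIRecord], consumer_id: str,
                          include_specific: bool = False) -> dict:
    """Assemble a right-to-know response: categories, purposes, third parties, and on request the data itself."""
    mine = [r for r in records if r.consumer_id == consumer_id]
    response = {
        "categories": sorted({r.category for r in mine}),
        "purposes": sorted({r.purpose for r in mine}),
        "third_parties": sorted(set().union(*(r.shared_with for r in mine))),
    }
    if include_specific:
        response["specific"] = {r.record_id: r.value for r in mine}
    return response


@dataclass
class DeletionOutcome:
    deleted: List[str]
    retained: Dict[str, List[str]]   # record_id -> exemption reasons that justify keeping it
    notify: Set[str]                 # third parties that must be told to delete as well
    remaining: List[PIRecord]        # what the store looks like afterwards


def process_deletion(records: List[PIRecord], consumer_id: str, verified: bool) -> DeletionOutcome:
    """Delete a verified consumer's records in every system (backups included) unless an exemption applies."""
    if not verified:
        raise PermissionError("deletion requires a verified request")   # never act on an unverified request
    deleted: List[str] = []
    retained: Dict[str, List[str]] = {}
    notify: Set[str] = set()
    for rec in records:
        if rec.consumer_id != consumer_id:
            continue
        reasons = rec.retention_reasons & RETENTION_EXEMPTIONS
        if reasons:
            retained[rec.record_id] = sorted(reasons)
        else:
            deleted.append(rec.record_id)
            notify |= set(rec.shared_with)
    remaining = [r for r in records if r.record_id not in deleted]
    return DeletionOutcome(deleted, retained, notify, remaining)


# Constructed sample records (hypothetical consumers, systems and vendors; not from the page).
SAMPLE_RECORDS = [
    PIRecord("r1", "c-42", "contact information", "order fulfillment", "primary-db",
             "jane@example.com", frozenset({"ShipFast Logistics"})),
    PIRecord("r2", "c-42", "contact information", "order fulfillment", "nightly-backup",
             "jane@example.com"),
    PIRecord("r3", "c-42", "purchase history", "fraud prevention", "primary-db",
             "order #1001", frozenset({"PayGate Processing"}), frozenset({"fraud_prevention"})),
    PIRecord("r4", "c-99", "full name", "marketing", "primary-db", "John Doe"),
]

if __name__ == "__main__":
    print("respond by", response_deadline("2024-03-01"))
    print(build_access_response(SAMPLE_RECORDS, "c-42"))
    outcome = process_deletion(SAMPLE_RECORDS, "c-42", verified=True)
    print("deleted", outcome.deleted, "retained", outcome.retained, "notify", outcome.notify)
```

Log the outcome (which records were deleted, which were retained and why, and which vendors were notified) against the request ID: that record is what demonstrates compliance if the consumer or a regulator later asks why some data still exists.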

12. Implement Systems to Support Consumers’ Right to Nondiscrimination

Under the CCPA, businesses are prohibited from discriminating against consumers who exercise their rights under the law. This means that opting out of data sales, requesting access to personal information, or asking for data deletion shouldn’t result in penalties, higher prices, or reduced services for the consumer.

To comply with the right to nondiscrimination, your business must ensure:

  • Equal treatment: Consumers who exercise their privacy rights should receive the same quality of service as those who don’t. For example, a consumer opting out of data sales shouldn’t experience slower service or fewer features on your platform.

  • Transparent incentive structures: While the CCPA allows businesses to offer financial incentives (like discounts or rewards) in exchange for personal information, these must be clearly disclosed. Consumers should understand what they’re trading for these benefits and have the option to opt out without losing baseline access to services.

  • Documentation of policies: Maintain clear records of how your business upholds nondiscriminatory practices. This could include policies on pricing, features, or service terms for all customers, regardless of their privacy preferences.

There are cases, however, where the nondiscrimination right does not apply. For example, you can require consumers to provide the personal information needed to complete a transaction. A consumer unwilling to provide their data cannot expect preferential treatment.

13. Offer Privacy Training for All Personnel

Any employees and contractors involved with collecting, storing, processing, selling, or sharing consumer information must follow your company’s privacy policies and procedures for protecting consumer PI. Conduct regular training sessions to ensure people understand their roles and responsibilities.

Be mindful that not everyone in your company interacts with consumer data the same way, so your privacy training should reflect those differences. For example, customer service teams are often on the front lines of handling consumer inquiries. They need to know how to process access and deletion requests, verify identities, and communicate privacy rights effectively.

The focus shifts to the technical side for IT and security teams. These employees should understand how to implement encryption, manage access controls, and detect potential vulnerabilities. Their training might also include detailed breach response protocols, so they can act effectively in the event of a security incident.

Marketing teams require a different lens altogether. Since they often deal with data for targeted advertising or analytics, they must understand the nuances of the CCPA’s opt-out provisions and how to handle consumer preferences responsibly. 

14. Use Automation to Continuously Monitor Compliance 

Manually tracking CCPA compliance is impractical for companies above a certain size. These businesses can stay within CCPA guidelines with a continuous compliance platform. While audits aren’t required by the CCPA, businesses should monitor their security practices to avoid fines in case they ever get investigated. 

Automation helps provide daily CCPA compliance. Crossing siloed tech stacks, automated CCPA compliance tools such as Drata give you a single view of your compliance posture.

15. Conduct Independent Risk Assessments

The CPRA states that high-risk organizations that retain PI or sensitive data may need risk assessments from an independent third party to stay compliant. These assessments resemble the data protection impact assessments (DPIAs) that the GDPR requires.

Risk assessments involve evaluating your data handling practices to ensure they align with both legal requirements and best practices. This includes analyzing:

  • How PI is collected, stored, and shared.

  • Whether your security measures are sufficient to protect consumer data.

  • Potential risks associated with third-party vendors and service providers.

Independent risk assessments take this process a step further by involving external experts. An objective third-party evaluation offers several benefits, including:

  • Unbiased insights: External assessors can identify blind spots that internal teams might overlook.

  • Credibility: Demonstrating that your risk assessment was conducted by a trusted third party can strengthen your compliance posture during audits or regulatory reviews.

  • Actionable recommendations: Experts often provide practical advice for mitigating risks and improving processes.

After third parties check how a business manages consumer safety and privacy risks, they share the results with a regulatory agency. These tests should occur at least once a year. 

16. Incorporate Feedback to Improve the CCPA Compliance Processes

Your CCPA compliance process must evolve with the regulatory and threat landscapes. Stay ahead of these changes by developing feedback mechanisms to incorporate learnings from compliance events and conduct regular reviews of your CCPA compliance program.

CCPA Compliance FAQ

To help you cover your bases, we answered a few frequently asked questions about CCPA non-compliance costs and key ideas. 

What Are the Risks of CCPA Non-Compliance?

Companies that violate CCPA standards face fines from the attorney general and lawsuits from customers. If accidental, companies face penalties reaching $2,500 per violation. Intentional violations, however, could cost up to $7,500 per violation. In the event of a data breach, consumers may sue for up to $750 in damages per violation. 

You can face a penalty for:

  • Non-compliant privacy policies 

  • Ignoring CCPA requirements on cybersecurity

  • Not responding to user requests covered by CCPA rights

  • Lack of transparency over data retention

  • Selling customer information without giving an opt-out option

  • Discriminating against customers who exercised their consumer rights

  • Ignoring notifications from the California Office of the Attorney General


Who Do CCPA Protections Apply To?

The CCPA protects people whose primary residence is in California, even while they are temporarily outside the state. So, you’re protected whether you’ve lived in California for a decade or are away on a yearlong work placement. 

What Are the Key Principles of the CCPA?

The CCPA places value on accountability, control, and transparency. Here’s what each principle means in context: 

  • Accountability: Businesses should ensure that they follow CCPA regulations and appropriately respond to requests from data subjects. 

  • Control: Users deserve control over their data, so they should have a say in what data gets collected and used. 

  • Transparency: Consumers must be informed how their personal data is collected, used, and shared. Additionally, businesses shall communicate how consumers can exercise their rights.

How does CCPA compliance benefit my business?

CCPA compliance positions your business as a leader in privacy and transparency. When consumers see that you prioritize their data protection, it builds trust and strengthens brand loyalty. Plus, CCPA compliance often aligns with other data privacy frameworks, like GDPR, reducing the effort required to meet multiple regulations. 

What’s the difference between CCPA and CPRA?

The California Privacy Rights Act (CPRA) expands upon the CCPA by introducing additional protections for consumers and stricter requirements for businesses. Key differences include the creation of a new category of Sensitive Personal Information (SPI), which includes data like Social Security Numbers and biometric information, and the right for consumers to limit the use and disclosure of SPI. 

The CPRA also establishes data minimization rules, requiring businesses to limit data collection to what is necessary and to define retention periods. 

While the CPRA builds on the foundation of the CCPA, businesses already compliant with the latter will find much of their preparation transferable.

How Drata Can Help You Stay CCPA Compliant

You don’t need a large presence in California to understand the importance of the CCPA. As the bar for staying compliant rises, organizations need to meet that challenge head-on. By following our CCPA compliance checklist, you can meet the highest standards of data privacy and cybersecurity.

If you can’t find a way to stay CCPA compliant, Drata can help. Our platform will automate compliance processes, ensuring you’re always audit-ready. Our approach to continuous compliance will also reduce the risk of data breaches and protect your users’ data. Finally, if you have any questions about compliance standards, our team of experts can lend a hand.

Schedule a demo to see how Drata’s compliance automation solution streamlines meeting CCPA security requirements.


Troy Fine

Troy Fine is a 10-year auditor. His area of expertise focuses on building sound cybersecurity risk management programs that meet security compliance requirements. Troy is a CPA, CISA, CISSP, and CMMC Provisional Assessor. His areas of expertise include GRC, SOC 2 audits, SOC 2+ examinations, CMMC, NIST 800-171, NIST 800-53, Sarbanes-Oxley Section 404 compliance, HITRUST, HIPAA, ISO 27001, and third-party risk management assessments.