Guides · March 28, 2026 · 12 min read

CCPA Compliance Checklist: The Complete 2026 Guide for Businesses


With over $4 million in CCPA fines already issued in Q1 2026 alone, the California Consumer Privacy Act is no longer a law businesses can afford to ignore. Whether you are starting from scratch or updating an existing privacy program, this CCPA compliance checklist walks you through every requirement — organized by priority and mapped to actual enforcement patterns.

Use this checklist alongside our privacy law calculator to confirm whether CCPA applies to your business, and our interactive California compliance checklist for a personalized action plan.

Step 1: Determine If CCPA Applies to Your Business

CCPA (as amended by CPRA) applies to any for-profit business that collects personal information from California residents and meets at least one of the following thresholds:

  • Revenue threshold: Annual gross revenue exceeding $25 million.
  • Data volume threshold: Buys, sells, or shares the personal information of 100,000 or more California consumers or households annually.
  • Revenue from data: Derives 50% or more of annual revenue from selling or sharing personal information.

Key point: You do not need to be based in California. If you serve California residents and meet any threshold, CCPA applies. Run your business through our compliance calculator to check.

Step 2: Map Your Data Practices

Before you can comply, you need to know what data you collect and how it flows through your organization. This data mapping exercise is the foundation of every other CCPA requirement.

  • Inventory all personal information categories: identifiers (name, email, IP address), commercial information (purchase history), internet activity (browsing data, search history), geolocation data, biometric data, professional information, education records, and inferences drawn from any of these.
  • Document the sources: Where does each category come from? (Directly from consumers, third-party data brokers, cookies and tracking technologies, public records.)
  • Identify third-party sharing: Map every vendor, partner, analytics provider, and advertising network that receives personal information from you.
  • Classify sharing as sale, sharing, or service provider relationship: Under CCPA, "sale" means exchanging personal information for monetary or other valuable consideration. "Sharing" means disclosing personal information for cross-context behavioral advertising. Service provider relationships require written contracts with use restrictions.

Step 3: Implement Consumer Rights Mechanisms

CCPA grants California consumers specific rights that your business must honor within 45 days of a verifiable request. Here is the full list:

Right to Know

Consumers can request disclosure of the categories and specific pieces of personal information you have collected, the sources, business purposes, and third parties with whom you share it. You must provide at least two methods for submitting requests (typically a web form and a toll-free number).

Right to Delete

Consumers can request deletion of personal information you collected from them. You must also direct your service providers and contractors to delete it. Exceptions exist for legal obligations, security, and completing transactions.

Right to Correct

This right, added by CPRA, lets consumers request correction of inaccurate personal information. You must use commercially reasonable efforts to correct the information.

Right to Opt Out of Sale/Sharing

This is the requirement that has triggered the most enforcement action. You must provide a clear "Do Not Sell or Share My Personal Information" link on your website homepage. See our opt-out compliance guide for details.

Right to Limit Use of Sensitive Personal Information

If you process sensitive personal information (Social Security numbers, financial accounts, precise geolocation, racial or ethnic origin, health data, etc.), consumers can request you limit its use to what is necessary for the service they expect.

Non-Discrimination

You cannot discriminate against consumers who exercise their privacy rights — no denying goods, charging different prices, or providing a different quality of service.

Step 4: Opt-Out and GPC Compliance

This section deserves special attention because opt-out violations account for the majority of CCPA enforcement actions in 2026, including the $2.75 million Disney settlement and the $375,000 Ford penalty.

  • Display the opt-out link: A "Do Not Sell or Share My Personal Information" link must appear on your homepage.
  • Honor Global Privacy Control (GPC): Under CCPA regulations, you must treat the GPC signal as a valid opt-out request. This means when a browser sends the Sec-GPC: 1 header, you must stop selling or sharing that user's personal information. Check your obligations with our GPC compliance checker.
  • Confirm opt-out requests: Provide a confirmation page or notification when a consumer opts out.
  • Avoid dark patterns: Do not use confusing language, multiple clicks, or manipulative design to discourage opt-outs. The CPPA has explicitly defined dark pattern violations.
  • Symmetric design: The path to opt out must be no more difficult than the path to opt in.
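The following is an added example, not code from the original guide or from PrivacyLawMap, showing one way to honor the Sec-GPC: 1 header on the server side, apply the resulting opt-out to the vendor map from Step 2, and produce the detection log record Step 10 asks you to keep. It assumes a Node-style lowercased header object, a hypothetical consent-store record of the form { optedOut: boolean }, and a hypothetical `relationship` field on each vendor entry set to 'sale', 'sharing' or 'service_provider'.

```javascript
// Added example, not code from the original guide or PrivacyLawMap: server-side
// handling of the Global Privacy Control header. `headers` is assumed to be a
// plain object with lowercased header names, as Node's http module provides.
// The GPC spec defines exactly the value "1" as the signal; an absent header,
// "0" or anything else is treated as no signal.
function hasGpcSignal(headers) {
  const value = headers['sec-gpc'];
  return typeof value === 'string' && value.trim() === '1';
}

// Resolve the opt-out state for this request. This example takes the
// conservative route: a valid GPC signal is honored as an opt-out even if an
// earlier stored preference says otherwise; without a signal, the stored
// preference decides. `preference` is a hypothetical consent-store record
// { optedOut: boolean }, or null for a new visitor.
function resolveOptOut(headers, preference) {
  if (hasGpcSignal(headers)) return { optOut: true, reason: 'gpc-signal' };
  if (preference && preference.optedOut) return { optOut: true, reason: 'stored-preference' };
  return { optOut: false, reason: 'none' };
}

// Apply the decision to the vendor map from Step 2: vendors classified as
// "sale" or "sharing" must not receive data once opted out; service providers
// bound by a written contract may still be used.
function allowedVendors(vendors, decision) {
  return vendors.filter(v => !decision.optOut || v.relationship === 'service_provider');
}

// Build the GPC detection log record Step 10 asks you to keep. Only the header
// value and the outcome are recorded, no other personal information.
function gpcLogEntry(requestId, headers, decision, now = new Date()) {
  return {
    timestamp: now.toISOString(),
    requestId,
    secGpc: headers['sec-gpc'] === undefined ? null : headers['sec-gpc'],
    optOut: decision.optOut,
    reason: decision.reason,
  };
}

// Constructed sample request and vendor map for a stand-alone run.
const sampleHeaders = { 'sec-gpc': '1', 'user-agent': 'example-browser/1.0' };
const sampleVendors = [
  { name: 'ad-network', relationship: 'sharing' },
  { name: 'data-broker', relationship: 'sale' },
  { name: 'email-provider', relationship: 'service_provider' },
];
const decision = resolveOptOut(sampleHeaders, null);
console.log(allowedVendors(sampleVendors, decision).map(v => v.name)); // [ 'email-provider' ]
```

Wire `resolveOptOut` into your request pipeline before any sale/sharing tag or server-side vendor call fires, and persist `gpcLogEntry` output to the same records you keep for consumer rights requests.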

Step 5: Update Your Privacy Policy

Your privacy policy must be updated at least once every 12 months and include:

  • Categories of personal information collected in the preceding 12 months.
  • Categories of sources from which information is collected.
  • Business or commercial purposes for collecting, selling, or sharing.
  • Categories of third parties to whom you disclose personal information.
  • A description of each consumer right and how to exercise it.
  • Contact information for submitting requests (web form and toll-free number).
  • Whether you sell or share personal information of consumers under 16.
  • The date the policy was last updated.

Step 6: Service Provider and Contractor Agreements

Every vendor that processes personal information on your behalf needs a written contract that:

  • Identifies the specific business purpose for processing.
  • Prohibits the vendor from selling or sharing the personal information.
  • Prohibits retention, use, or disclosure beyond the business purpose.
  • Requires the vendor to comply with CCPA and cooperate with consumer rights requests.
  • Grants you the right to take reasonable steps to verify compliance.

Step 7: Data Security and Risk Assessments

CPRA added new requirements around data security:

  • Implement reasonable security measures: The Comstar settlement ($515,000) showed that inadequate risk assessments and missing incident response plans are actionable violations.
  • Conduct regular risk assessments: If your processing presents significant risks to consumer privacy, you must conduct and submit risk assessments to the CPPA.
  • Cybersecurity audits: Businesses meeting certain thresholds must perform annual cybersecurity audits.

Step 8: Special Categories — Minors and Sensitive Data

  • Children under 13: You cannot sell or share their personal information without opt-in consent from a parent or guardian.
  • Teens 13-15: You cannot sell or share their personal information without their affirmative opt-in consent.
  • Sensitive personal information: Must display a "Limit the Use of My Sensitive Personal Information" link if you use sensitive data beyond what is necessary to provide the requested service.

Step 9: Train Your Team

CCPA requires that all individuals responsible for handling consumer inquiries about your privacy practices are trained on the law's requirements. This includes customer service representatives, IT staff handling DSARs, marketing teams making data-sharing decisions, and legal or compliance personnel.

Step 10: Document Everything for Enforcement Readiness

The CPPA and California AG have significantly ramped up enforcement in 2026. Maintain records of:

  • All consumer rights requests received, how they were processed, and response times.
  • GPC signal detection logs and how your systems responded.
  • Privacy policy update history.
  • Service provider agreements and DPA documentation.
  • Employee training records.
  • Data mapping and risk assessment documentation.

View the latest enforcement actions on our enforcement tracker, and compare CCPA requirements with other state privacy laws to build a multi-state compliance program.

Last updated: March 28, 2026.

Disclaimer: PrivacyLawMap provides general information about US state privacy laws for educational purposes only. This is NOT legal advice. Privacy laws are complex and frequently amended. Consult with a qualified privacy attorney for advice specific to your business. PrivacyLawMap makes no warranties about the accuracy or completeness of this information.