CCPA Compliance Checklist 2026 — Everything Your Business Needs to Know

2026-03-10 · Privio Team

The California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), is the most far-reaching state privacy law in the US. If your business meets any of the thresholds below, you need to comply — regardless of where you're headquartered.

This checklist walks you through every major requirement so you can assess your readiness and close any gaps.

Does CCPA Apply to You?

CCPA applies to for-profit businesses that collect California residents' personal information AND meet at least one of:

  • $25 million+ in annual gross revenue
  • 100,000+ California consumers, households, or devices whose data you buy, sell, or share
  • 50%+ of annual revenue derived from selling or sharing personal information

The Checklist

1. Privacy Policy

  • Publish a comprehensive privacy policy that covers:
    • Categories of personal information collected
    • Purposes for collection and use
    • Categories of third parties you share data with
    • Consumer rights and how to exercise them
    • Data retention periods (required under CPRA)
  • Update your privacy policy at least once every 12 months
  • Include a "Do Not Sell or Share My Personal Information" link on your homepage
  • Provide a notice at the point of collection (before or at the time data is collected)

2. Consumer Rights Requests

You must be able to respond to these consumer requests within 45 days (extendable by an additional 45 days with notice):

  • Right to Know — Consumers can request what personal information you've collected about them
  • Right to Delete — Consumers can request deletion of their personal information
  • Right to Correct — Consumers can request correction of inaccurate information
  • Right to Data Portability — Provide data in a portable, machine-readable format
  • Right to Opt-Out — Consumers can opt out of the sale or sharing of their data
  • Right to Limit Sensitive Data Use — Consumers can limit how you use sensitive personal information

3. Opt-Out Mechanisms

  • Honor Global Privacy Control (GPC) signals — This is legally required under CCPA
  • Provide a "Do Not Sell or Share" link prominently on your website
  • Do not require account creation to submit opt-out requests
  • Process opt-out requests within 15 business days
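Honoring GPC in practice means treating the browser's `Sec-GPC: 1` request header (the GPC specification's signal; the client-side equivalent is `navigator.globalPrivacyControl`) as an opt-out request and recording it on the consumer's profile. The following is an added illustration, not code from this page or from Privio; it assumes request headers arrive as a plain dict and that your app already keeps a per-consumer profile dict (both names are illustrative).

```python
"""Honor Global Privacy Control (GPC) opt-out signals (added example).

Assumptions: headers are passed as a dict (wire them from your framework's
middleware hook); `profile` is your own consumer record. The header name
`Sec-GPC`, the value "1" and the /.well-known/gpc.json fields come from
the GPC specification.
"""
import json

SEC_GPC = "sec-gpc"  # header names are case-insensitive


def gpc_signal_present(headers: dict) -> bool:
    """Return True only for a valid `Sec-GPC: 1` header.

    Any other value ("0", "true", empty) is not a signal; treat it as absent
    rather than as consent, so a malformed header can never opt a user in.
    """
    for name, value in headers.items():
        if name.lower() == SEC_GPC:
            return value.strip() == "1"
    return False


def apply_opt_out(headers: dict, profile: dict) -> dict:
    """Record a GPC opt-out on a consumer profile and return the new record.

    GPC is applied without an account or a click (see checklist item 3).
    It is one-way: a later request without the header does not re-enable
    sale/sharing, because the consumer may simply be on another browser.
    """
    updated = dict(profile)
    if gpc_signal_present(headers):
        updated["sale_sharing_opt_out"] = True
        updated["opt_out_source"] = "gpc"
    return updated


def gpc_well_known(last_update: str) -> str:
    """Body for /.well-known/gpc.json, the spec's support resource that
    tells browsers and auditors this site honors GPC. `last_update` is the
    ISO date you last changed your GPC handling (placeholder value below)."""
    return json.dumps({"gpc": True, "lastUpdate": last_update})


if __name__ == "__main__":
    # Constructed sample request and profile, not real data.
    sample_headers = {"Host": "example.test", "Sec-GPC": "1"}
    sample_profile = {"id": "consumer-001", "sale_sharing_opt_out": False}
    print(apply_opt_out(sample_headers, sample_profile))
    print(gpc_well_known("YYYY-MM-DD"))
```

Log the `opt_out_source` so you can show an auditor which opt-outs came from GPC versus the "Do Not Sell or Share" link.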

4. Sensitive Personal Information

CCPA defines sensitive personal information broadly, including:

  • Social Security numbers, driver's license numbers, state ID numbers, and passport numbers
  • Financial account information (with credentials)
  • Precise geolocation
  • Racial or ethnic origin
  • Religious or philosophical beliefs
  • Contents of mail, email, and text messages
  • Genetic data, biometric data, health data
  • Sex life or sexual orientation

If you process sensitive data:

  • Allow consumers to limit your use of sensitive personal information to what is necessary
  • Disclose your use of sensitive data in your privacy policy
  • Provide a "Limit the Use of My Sensitive Personal Information" link

5. Data Protection Assessments

Under CPRA regulations:

  • Conduct risk assessments for processing activities that present significant risk to consumers, including:
    • Selling or sharing personal information
    • Processing sensitive personal information
    • Using personal information for automated decision-making or profiling
  • Document your assessments and retain them for review by the CPPA

6. Vendor and Service Provider Contracts

  • Update contracts with all service providers to include:
    • Restrictions on how they can use the data you share
    • Requirements to comply with consumer deletion requests
    • Obligations to notify you of any subcontractor engagement
  • Verify that third parties you share data with have adequate privacy protections
  • Maintain a list of all third parties with whom you share personal information

7. Employee and B2B Data

Since January 2023, CCPA fully applies to:

  • Employee data — HR records, payroll, performance reviews
  • B2B contact data — Business contacts collected in commercial transactions

Ensure your privacy notice covers these data subjects.

8. Children's Data

  • For consumers under 16: Require opt-in consent before selling or sharing their data
  • For consumers under 13: Require parental consent before selling or sharing their data
  • Triple penalties ($7,500 per violation) apply for knowing violations involving minors

9. Data Minimization and Retention

  • Collect only what is reasonably necessary for the disclosed purpose
  • Disclose data retention periods in your privacy policy
  • Do not retain personal information longer than reasonably necessary

10. Security Measures

While CCPA doesn't prescribe specific security standards, it does enable private lawsuits for data breaches:

  • Implement reasonable security measures (encryption, access controls, monitoring)
  • Maintain an incident response plan for data breaches
  • Document your security practices — this is your defense in case of a breach lawsuit

Penalties for Non-Compliance

  • $2,500 per unintentional violation
  • $7,500 per intentional violation
  • $7,500 per violation involving minors' data
  • $100–$750 per consumer per incident in private lawsuits for data breaches
  • No cure period — The CPPA can enforce immediately

Enforcement

CCPA is enforced by the California Privacy Protection Agency (CPPA) — a dedicated regulatory body — and the California Attorney General. The CPPA has been actively issuing enforcement actions since 2023.

What About Other States?

CCPA compliance is a strong foundation, but it doesn't cover you everywhere. As of 2026, 20 states have comprehensive privacy laws, each with different thresholds and requirements.

For example:

  • Texas (TDPSA) has no consumer or revenue threshold — it applies to nearly all businesses
  • Maryland (MODPA) has strict data minimization requirements beyond what CCPA requires
  • Vermont (VTDPA) allows a private right of action — consumers can sue directly