Complete CCPA/CPRA Compliance Checklist for 2026

Who Needs to Comply with CCPA/CPRA?

The California Consumer Privacy Act (as amended by CPRA) applies to for-profit businesses that meet any of these thresholds:

Annual gross revenue over $25 million

Buy, sell, or share personal information of 100,000+ California consumers or households

Derive 50% or more of annual revenue from selling or sharing consumer personal information

Even if you're below these thresholds, complying is smart — other states are copying California's framework, and it sets a strong baseline.

The 2026 CCPA/CPRA Compliance Checklist

Data Inventory & Mapping

Identify all personal information you collect — Names, emails, IP addresses, device IDs, browsing history, purchase records, geolocation, biometrics Document data sources — Website forms, cookies, third-party purchases, customer support interactions, mobile apps Map data flows — Where does data go after collection? Internal systems, cloud storage, third-party processors, analytics tools Classify data by sensitivity — CPRA created a "sensitive personal information" category with extra protections (SSN, financial data, precise geolocation, health data, racial/ethnic origin) Document retention periods — How long do you keep each data type, and why?

Consumer Rights Implementation

CPRA grants California consumers extensive rights. You need processes for each:

Right to Know

Consumers can request what personal information you've collected about them You must respond within 45 days (extendable to 90) Response must cover: categories collected, sources, business purpose, third parties shared with, and specific data points

Right to Delete

Consumers can request deletion of their personal information You must also direct service providers to delete Document valid exceptions (legal obligations, security, completing transactions)

Right to Correct

Consumers can request correction of inaccurate personal information You must use commercially reasonable efforts to correct the data

Right to Opt-Out of Sale/Sharing

Provide a "Do Not Sell or Share My Personal Information" link on your website Honor Global Privacy Control (GPC) signals automatically Stop selling/sharing data within 15 business days of receiving a request

Right to Limit Use of Sensitive Personal Information

Provide a "Limit the Use of My Sensitive Personal Information" link if you collect sensitive data Only use sensitive data for purposes the consumer would reasonably expect

Website & Technical Requirements

Privacy policy — Updated within the last 12 months, includes all CCPA-required disclosures "Do Not Sell or Share" link — Prominently displayed in footer or navigation "Limit Use of Sensitive Info" link — If applicable At least two methods for submitting requests — Typically web form + toll-free number (email also acceptable for online-only businesses) Identity verification process — Reasonable security procedures to verify requestors are who they claim to be GPC signal handling — Your site must detect and honor browser-level opt-out signals Cookie consent for cross-context behavioral advertising — "Sharing" under CPRA includes targeted advertising based on cross-site tracking

Contracts & Vendor Management

Service provider agreements — Written contracts with every vendor that processes personal information on your behalf Contractor agreements — Similar requirements for contractors Third-party sale/share agreements — Written contracts when you sell or share personal information Audit rights — Contracts should include your right to audit vendor compliance Subprocessor restrictions — Service providers can't share data further without your authorization

Internal Policies & Training

Employee training — Staff who handle consumer requests must understand CPRA requirements Records retention — Keep records of consumer requests and your responses for 24 months Risk assessments — CPRA requires regular cybersecurity audits and risk assessments for high-risk processing Incident response plan — Procedures for data breaches, including the 72-hour notification window

Sensitive Personal Information Handling

CPRA added extra protections for these categories:

Social Security numbers, driver's license, passport numbers

Financial account details (with credentials)

Precise geolocation

Racial or ethnic origin

Religious beliefs

Union membership

Personal communications (mail, email, text content)

Genetic data

Biometric data

Health information

Sexual orientation data

For each sensitive category you process:

Document the specific business purpose Ensure purpose is consistent with consumer expectations Provide the "Limit Use" link if using sensitive data beyond what's necessary to provide the service

CPRA Enforcement in 2026: What to Watch

The California Privacy Protection Agency (CPPA) has ramped up enforcement significantly:

Automated decision-making regulations are now finalized — if you use algorithmic profiling, you need opt-out mechanisms

Cybersecurity audit requirements are being phased in for businesses whose processing presents significant risk

Risk assessments are required for processing that presents significant risk to consumers' privacy

Children's data — Enhanced protections and higher fines for violations involving minors' data

Tools to Simplify CCPA Compliance

Managing all of this manually is possible but painful. Here's where automation helps:

Data mapping — Tools like PrivaBase can automatically discover and classify personal information across your systems

Request management — Automate consumer request intake, verification, and fulfillment to meet the 45-day deadline consistently

Vendor tracking — Maintain a living inventory of service providers and their contract status

Continuous monitoring — Get alerted when your website falls out of compliance

PrivaBase's free tier includes website scanning and basic compliance monitoring — enough to identify your biggest gaps without spending a dollar.

Key Takeaways

CCPA/CPRA compliance is a continuous process, not a one-time project

Data mapping is the foundation — you can't protect what you can't find

The "Do Not Sell or Share" link and GPC signal handling are non-negotiable

Sensitive personal information requires extra care under CPRA

Start with the highest-risk areas: cookie tracking, consumer request handling, and vendor contracts

Need to see where your website stands? Run a free compliance scan to get started.