CCPA checklist: what you actually need to do
CCPA/CPRA compliance for SaaS involves nine distinct obligation areas. Most guides focus on the consumer-facing elements (privacy policy, opt-out link) and underemphasise the operational requirements (service provider contracts, 45-day response process, GPC signal detection) that regulators actually check.
This checklist covers all nine areas, with practical implementation notes for each. Use it to do a quick self-audit before the longer interactive assessment.
Area 1: Applicability and Privacy Notice
First, confirm you're covered. CCPA/CPRA applies if you're a for-profit business doing business in California and meet at least one threshold:
- $25M+ annual gross revenues
- Buy/sell/receive/share PI of 100,000+ consumers or households per year
- 50%+ annual revenues from selling or sharing consumers' PI
If you're covered:
- ☐ Notice at or before collection: When collecting PI from California residents, provide a notice identifying the categories collected and purposes. This can be a link to your privacy policy, but it must be present at the point of collection — in your signup form, lead capture, or wherever you first collect PI.
- ☐ Comprehensive privacy policy: Published online, updated within the last 12 months. Must include: categories of PI collected and sold/shared, purposes of use, consumer rights, how to submit requests, contact information.
- ☐ Financial incentive notice: If you offer discounts/loyalty in exchange for PI, a separate notice disclosing terms is required before enrolment.
Area 2: Consumer Rights — Access and Portability
- ☐ Right to know: Consumers can request the specific PI you hold about them, categories, sources, purposes, and third parties. You respond within 45 days (45-day extension available if you notify).
- ☐ Identity verification: Documented process to verify identity before fulfilling requests. Reasonably verify identity — not so onerous it becomes a barrier, not so lax it enables fraudulent requests.
- ☐ Data portability: When providing PI, deliver it in a portable, machine-readable format where technically feasible.
- ☐ Two free disclosures per year: No charge for up to two disclosures per consumer annually.
Area 3: Consumer Rights — Deletion and Correction
- ☐ Right to deletion: Process to receive, verify, and fulfil deletion requests. Direct service providers to delete. Apply only genuine exceptions (completing the transaction, security, legal obligations, etc.).
- ☐ Downstream deletion: Notify service providers and contractors when PI is deleted in response to a consumer request.
- ☐ Right to correction (CPRA): Accept correction requests, take commercially reasonable steps to correct, direct processors to do the same. This is a 2023 CPRA addition — many 2020-era compliance programmes are missing this.
Area 4: Opt-Out of Sale and Sharing
This area has the most visible compliance requirement and is the first thing regulators check:
- ☐ "Do Not Sell or Share My Personal Information" link: On your homepage. Clearly visible. Links to an opt-out mechanism. "Sharing" under CPRA includes passing data to advertising networks for behavioural targeting — even without payment. If you run any retargeting pixels (Meta, Google, LinkedIn), you're sharing PI.
- ☐ GPC signal detected and honoured: Technical implementation to detect the Global Privacy Control browser signal (the `Sec-GPC: 1` request header or `navigator.globalPrivacyControl`) and treat it as an automatic opt-out from sale/sharing. No additional consumer action required.
- ☐ No sale of PI of minors under 16: If you have users under 16, do not sell their PI without opt-in consent (parental for under 13; minor's own for 13-15).
- ☐ Opt-out honoured within 15 business days: Stop selling/sharing within 15 business days of opt-out. Do not re-engage for 12 months without consent.
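The GPC detection item above is the one purely technical control in this area, so here is an added example of how it can be implemented. This is illustrative code written for this checklist, not code from any product or library: it checks the `Sec-GPC: 1` request header on the server side and `navigator.globalPrivacyControl` on the client side, combines the result with a stored opt-out choice, and gates the loading of retargeting pixels on the outcome. The function and pixel names, the `storedChoice` field and the sample request headers are all constructed for the example.

```javascript
// Added example (not from the original checklist): detect the Global Privacy
// Control signal and treat it as an automatic opt-out from sale/sharing.

// Server side. Node.js exposes incoming header names in lowercase; a repeated
// header arrives as an array. The GPC specification defines exactly "Sec-GPC: 1"
// as the opt-out signal, so any other value is treated as "no signal".
function gpcFromHeaders(headers) {
  if (!headers) return false;
  const raw = headers["sec-gpc"] ?? headers["Sec-GPC"];
  if (raw === undefined) return false;
  const value = Array.isArray(raw) ? raw[0] : raw;
  return String(value).trim() === "1";
}

// Client side. Browsers and extensions that support GPC set
// navigator.globalPrivacyControl to the boolean true; anything else is no signal.
function gpcFromNavigator(nav) {
  return Boolean(nav && nav.globalPrivacyControl === true);
}

// Decision logic. A live GPC signal on either channel is an opt-out on its own
// (the checklist: "no additional consumer action required"), so a previously
// stored "opt-in" preference does not override it. A stored "opt-out" from the
// "Do Not Sell or Share" form also counts. `storedChoice` is a hypothetical
// field holding the consumer's saved preference.
function resolveOptOut({ headers, navigator: nav, storedChoice }) {
  const signal = gpcFromHeaders(headers) || gpcFromNavigator(nav);
  return signal || storedChoice === "opt-out";
}

// Hypothetical tag gate: retargeting pixels are only loaded for visitors who are
// not opted out, which is what "honouring" the signal means in practice.
function pixelsToLoad(allPixels, optedOut) {
  return optedOut ? [] : allPixels;
}

// Constructed sample requests, labelled as such.
const sampleHeadersOptOut = { host: "example.test", "sec-gpc": "1" };
const sampleHeadersNone = { host: "example.test" };
const retargetingPixels = ["meta-pixel", "google-ads", "linkedin-insight"];

// Stand-alone run: show the decision for each constructed request.
for (const headers of [sampleHeadersOptOut, sampleHeadersNone]) {
  const optedOut = resolveOptOut({ headers });
  console.log(JSON.stringify(headers), "=> optedOut:", optedOut,
    "pixels:", pixelsToLoad(retargetingPixels, optedOut));
}
```

In an Express-style app the `resolveOptOut` decision would be computed in middleware from `req.headers` and stored on the request, so that every downstream template or tag manager reads one authoritative flag rather than re-parsing the header. Keeping the header comparison strict (`"1"` only) avoids silently opting out on malformed values while still treating a repeated header as a signal.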
Area 5: Sensitive Personal Information (CPRA)
This is the most commonly missed CPRA obligation:
- ☐ Identify SPI you collect: SSNs/government IDs, financial account/card data, precise geolocation, racial/ethnic origin, religious beliefs, union membership, private communications, genetic data, health/sex life/sexual orientation, biometric ID data, children's PI.
- ☐ "Limit the Use of My Sensitive Personal Information" link: Required on your homepage if you use SPI beyond what's necessary to provide the requested service. Separate from the "Do Not Sell or Share" link — though many businesses combine them into a single privacy choices page.
- ☐ SPI use limited to permitted purposes: Only use SPI to provide the service, prevent fraud/safety threats, or other CPPA-permitted purposes. No SPI for advertising, analytics, or profiling beyond these purposes.
Area 6: Data Minimisation and Retention (CPRA)
- ☐ Audit data collection against purposes: Remove PI collection not tied to a disclosed purpose. If you're collecting a field "just in case," stop.
- ☐ Retention schedule in privacy policy: For each PI category, disclose how long you retain it (or the criteria for determining retention). "We retain data as long as necessary" is no longer sufficient under CPRA.
- ☐ Retention enforced: Actual deletion processes exist for each PI category at the documented retention limit.
Area 7: Service Provider and Contractor Contracts
This is an operational gap for many SaaS companies that have GDPR DPAs in place but haven't added CCPA-specific terms:
- ☐ Written service provider contracts: For all vendors processing PI on your behalf, contracts must specify: limited purpose, no sale or sharing of PI, deletion obligations, cooperation with consumer rights, and sub-contractor flow-down.
- ☐ Prohibition on secondary use: Your contracts must explicitly prohibit vendors from using your customers' PI for their own business purposes beyond providing the contracted service.
- ☐ Third-party sale/sharing contracts: Where PI is sold or shared with third parties (advertising networks), contracts must specify that opted-out consumers' data is not used for cross-context behavioural advertising.
Area 8: Non-Discrimination and Consumer Request Process
- ☐ Non-discrimination: Do not deny services, charge different prices, or provide different quality to consumers who exercise their rights.
- ☐ Two request submission methods: Toll-free number AND web form/email (at minimum). Online-only businesses may satisfy both with interactive web forms.
- ☐ 45-day response window: Track request receipt dates. Respond within 45 days. If extending, notify the consumer within the initial 45 days with the reason.
- ☐ Request tracking (CPRA): Maintain records of all consumer requests received for at least 24 months. Include request type, date, response date, and outcome.
Area 9: Security and Risk Assessments
- ☐ Reasonable security measures: Implement security appropriate to your size and the nature of PI collected. The California breach notification law (§1798.81.5) and CCPA §1798.150 create a private right of action for breaches resulting from failure to implement reasonable security.
- ☐ Breach notification procedure: California §1798.82 requires notification to affected consumers without unreasonable delay, and notification to the California AG if the breach affects 500+ Californians. Faster than some other state requirements.
- ☐ Risk assessments (CPRA): For high-risk processing (sale/sharing of PI, SPI processing beyond permitted purposes, large-scale profiling, ADM with significant effects), conduct and document privacy risk assessments.
Quickly vs thoroughly: how to prioritise
| Priority | Task | Why urgent | Effort |
|---|---|---|---|
| 🔴 Critical | Update privacy policy with CPRA requirements | First CPPA audit action; private right of action if breach occurs | Medium |
| 🔴 Critical | "Do Not Sell or Share" link on homepage | CPPA enforcement priority; most visible compliance signal | Low |
| 🔴 Critical | GPC signal detection and honouring | Active CPPA enforcement focus; no consumer action required | Medium |
| 🔴 Critical | Consumer request intake process | 45-day response clock starts at receipt; no process = violation | Medium |
| 🟡 High | SPI audit and "Limit Use" link if needed | CPRA 2023 addition; many companies still missing this | Medium |
| 🟡 High | Update service provider contracts | Required for CCPA/CPRA, different from GDPR DPAs | Medium |
| 🟡 High | Add right to correction process | CPRA addition; most 2020-era programmes are missing this | Low-Medium |
| 🟢 Medium | Retention schedule and data minimisation | CPRA; longer timeline but regulators are checking | High |
| 🟢 Medium | Privacy risk assessments for high-risk processing | CPRA; required before high-risk processing begins | High |
For a comprehensive interactive assessment across all nine obligation areas — with gap analysis and a remediation roadmap — use the free CCPA/CPRA Compliance Checklist Generator. To generate a compliant privacy policy that satisfies CCPA/CPRA notice requirements, use the Privacy Policy Generator. For a CCPA-specific consumer notice (the "at collection" notice), see the CCPA Privacy Notice Generator.