7-Step CPRA Compliance Requirements Checklist

By: Masha Komnenic CIPP/E, CIPM, CIPT, FIP Masha Komnenic CIPP/E, CIPM, CIPT, FIP | Updated on: February 22, 2024

Generate a Free CPRA Privacy Policy
CPRA-Checklist-01

The California Privacy Rights Act (CPRA) entered into action on January 1, 2023, amending portions of the California Consumer Privacy Act (CCPA).

Today, the CPRA amendments are entirely in effect, including all enforcement rules established by the California Privacy Protection Agency (CPPA), the group responsible for enforcing the act.

Websites that are subject to following the CPRA amendments to the CCPA can follow our easy compliance checklist below.

Table of Contents
  1. CPRA Compliance Checklist: Step-by-Step
  2. CPRA Requirements FAQ
  3. Summary

CPRA Compliance Checklist: Step-by-Step


Part 1: Perform a Privacy Audit

To comply with the CCPA as amended by the CPRA, you must perform a privacy audit so you know with certainty:

  • All personal information your business accumulates
  • Where it comes from
  • How it’s collected

For example, you might acquire data directly from users through internet forms, by deploying cookies on their browsers, or from publicly available sources.

If you don’t know all of this information, you cannot say you’re fully compliant with the CCPA as amended by the CPRA, and your business is at risk of getting fined for violating the law.

To perform your own data inventory, consider the following techniques:

Part 2: Privacy Notification Requirements

Businesses must meet specific privacy notification obligations as part of the CPRA requirements.

To account for the CPRA amendments, post a CCPA-compliant privacy policy on your website that includes all of the following details:

  • The categories of personal data you collect
  • The sources the data was collected from.
  • The purpose for why you collect, use, sell, or share personal data.
  • If you share or sell personal data with third parties.
  • The categories of the third parties with access to the data.
  • The length of time you intend to retain each category of personal data.
  • The criteria used to determine how long it is necessary to retain data.
  • Details about consumers’ rights to request to delete their personal data.
  • Details about consumers’ rights to request to correct their personal data.

You can only collect, use, retain, and share data in a way that is considered reasonably necessary to achieve the purposes you disclose in your privacy policy.

As the law requires, plan to update your privacy policy at least once every 12 months.

Part 3: Obtain Adequate Consumer Consent for Specific Data Processing

Implement a cookie consent manager on your site to provide California users with adequate consent choices for specific types of data processing, as required by the CCPA/CPRA.

If you share or sell personal information, implement the following:

If you want to collect sensitive personal information, implement the following:

  • Explain that you wish to collect sensitive personal information on a consent banner and allow users to opt-out.
  • Inform consumers of their right to limit the use of their sensitive data to only what is reasonably necessary for performing services or providing goods.
  • Add a compliant “Limit the Use of My Sensitive Personal Information” link to your website.
  • Honor consent preferences the individual sets using universal opt-out mechanisms.

Part 4: Contractual Obligations for Sharing or Selling Personal Data

Under the CCPA as amended by the CPRA, businesses that share or sell personal information make and implement contacts that meet the following obligations:

  • Specify what personal data is shared or sold.
  • Explain how long the third party has access to the data.
  • Specify the specific purposes for sharing or selling the personal data.
  • Obligate the third party to comply with all applicable obligations to provide the same level of security as the CCPA/CPRA requires.
  • Give your business the right to take reasonable, appropriate steps to help the third party use personal data in a way that’s compliant with all CCPA/CPRA business obligations.
  • Require the third party to notify your business if it cannot meet the CCPA/CPRA guidelines outlined by the contract.
  • Give your business the right to take reasonable, appropriate steps to stop and remediate the unauthorized use of personal data.

You must also ensure that your business and the third party sign the contract.

Part 5: Consumer Rights and Verifiable Consumer Requests

Businesses under the CCPA as amended by the CPRA must comply with consumer’s rights to request to:

  • Access their personal data
  • Correct or amend their personal data
  • Delete their personal data
  • Opt out of having their data sold or shared
  • Limit the use of their sensitive personal data

These consumers also have the right to non-discrimination for acting on their privacy rights.

For example, this means you cannot:

  • Deny a consumer goods or service.
  • Charge different prices or rates, implying it’s a penalty.
  • Provide a different level of service or quality of goods implying it’s a penalty.
  • Suggest consumers will receive a different price, rate, or quality of goods for acting on their rights.
  • Retaliate against employees, applicants, or contractors who exercise their privacy rights.

But you can:

  • Charge an alternate price or different legal or quality of service reasonably related to the value provided by their personal information.
  • Offer consumers loyalty, reward, and club programs or premium features and discounts for providing their personal information.

To comply with this portion of the law, you must provide consumers with two or more methods for acting on their privacy rights, which may include:

  • Post a Data Subject Access Request (DSAR) form on your site.
  • Honor universal opt-out mechanics (UOOMs) set on users’ browsers or by a browser extension, like Global Privacy Controls (GPC).
  • Link to a specific email address or physical address they can send requests to.

You must then disclose and deliver the requested information for free within 45 days of receiving a verifiable consumer request.

Part 6: Security Procedures and Practices

The CCPA, as amended by the CPRA, requires businesses to implement reasonable security measures and protocols based on the nature and amount of personal data collected.

While the law is not specific about what security measures you must use, it does require you to protect it from unauthorized or illegal:

  • Access
  • Destruction
  • Use
  • Modification
  • Disclosure

The CPRA gives California consumers broader rights to pursue private action against businesses that collect their data if that data is ever breached or compromised.

Part 7: Collecting and Processing Personal Data From Children

The CPRA introduced requirements businesses must follow if they want to collect and process children’s data under the CCPA, which includes:

  • Obtaining explicit opt-in consent before selling or sharing personal data of a minor under age 16.
  • Establishing a way for minors or their legal guardians to specify that the consumer is between 13 and 16 or under age 13.

CPRA Requirements FAQ

Now that you’ve viewed the CPRA compliance checklist, let’s walk through some of the most frequently asked questions about the CPRA.

Does the CPRA apply to my business?

The CCPA, as amended by the CPRA, applies to your business if you’re located in California or if you meet any one of the following guidelines:

  • You earned $25 million in gross annual revenue as of January 1 from the previous calendar year.
  • You annually buy, sell, or share the personal information of 100,000 or more California consumers or households (up from 50,000 before the CPRA amendments entered into force).
  • You derive 50% or more of your gross annual revenue from the selling or sharing of personal information.

When did the CPRA take effect?

Most of the statutory CPRA requirements took effect on January 1, 2023, but the enforcement rules went into effect on July 1, 2023.

Originally, the enforcement rules were supposed to look back to data collected as far back as January 1, 2022, but the CPPA did not finalize their recommendations on time.

As a result, California courts postponed enforcement until March 29, 2024, but the CPPA appealed the decision.

On February 9, 2024, it was announced that California’s Third District Court of Appeal sided with the CPPA, reverting the effective date back to July 1, 2023.

The amended law is now entirely in force, and businesses must ensure they comply with all obligations regarding any data collected from July 1, 2023, and onwards.

How did the CPRA amend the CCPA?

The CPRA introduced the following primary changes to the CCPA:

  • It expanded the legal threshold of the law, making it more small-business friendly.
  • It introduced the concept of sharing personal information.
  • It added the category of sensitive personal information.
  • It introduced new consumer rights, including the right to opt out of the sharing of their data and to limit the use of their sensitive personal data.
  • It changed and expanded the business obligations, including introducing security requirements and contractual obligations.
  • It introduced the CPPA as the agency responsible for enforcing and implementing the law.
  • It removed the 30-day cure period for violations, allowing the CPPA to determine if a business gets a grace period on a case-by-case basis.

Who enforces the CPRA?

The CCPA/CPRA is enforced by the California Privacy Protection Agency or CPPA, an independent group created by the CPRA amendments.

They create enforcement rules and guidelines and are also responsible for teaching the public about compliance best practices.

The CPPA replaced the California Attorney General, who was previously responsible for enforcing the CCPA.

What are the penalties for violating the CPRA?

If you violate the CCPA/CPRA, you could receive the following fines:

  • $2,500 per non-intentional violation
  • $7,500 per intentional violation or any offense involving a minor under age 16

There is no specific grace or cure period for correcting CCPA/CPRA violations. Instead, the CPPA may provide you with one if they determine it’s necessary.

Consumers can also pursue private action against businesses that violate the CCPA/CPRA if:

  • Their nonencrypted and nonredacted personal data gets compromised or breached.
  • Their email address, in combination with a password or other details permitting access to an account, gets compromised or breached.

Can Termly help with CCPA/CPRA compliance?

Termly offers a Privacy Policy Generator that includes the proper clauses to help businesses comply with the CCPA as amended by the CPRA.

Backed by our legal team and data privacy experts, it asks basic questions about your business and makes a unique policy based on your answers.

We also offer a consent management platform (CMP) configurable to present California users with adequate consent options based on the requirements of the CCPA/CPRA.

It includes access to a DSAR form you can embed on your site to help your users submit verifiable consumer requests.

Summary

The CPRA is not a standalone law — it’s an amendment to the CCPA.

If your business meets the legal threshold, you must comply with all data collecting and processing requirements outlined by the law, which include:

  • Posting a compliant privacy policy that meets all notification obligations.
  • Obtaining adequate consent from California users for specific processing activities.
  • Using compliant contracts with any third-party entities you share or sell data to.
  • Providing two or more ways for users to submit verifiable requests to act on their privacy rights.
  • Implementing appropriate security measures to protect persoanal information from unauthorized access.

Make it easy on your business, and use our CPRA compliance checklist to help guide you.

Masha Komnenic CIPP/E, CIPM, CIPT, FIP
More about the author

Written by Masha Komnenic CIPP/E, CIPM, CIPT, FIP

Masha is an Information Security and Data Privacy Specialist and a Certified Data Protection Officer. She has been a Data Protection Officer for the past six years, helping small and medium-sized enterprises achieve legal compliance. She has also been a privacy compliance mentor to many international business accelerators. She specializes in implementing, monitoring, and auditing business compliance with privacy regulations (HIPAA, PIPEDA, ePrivacy Directive, GDPR, CCPA, POPIA, LGPD). Masha studied Law at Belgrade University, and she passed the Bar examination in 2016. More about the author

Related Articles

Explore more resources