Want to set your website or app up for full compliance under the recently amended California Consumer Privacy Act (CCPA)?
Below, we’ve created an easy-to-follow CCPA compliance checklist plus some additional tips and tricks to ensure you legally comply with one of the US’s strictest data privacy laws.
CCPA Compliance Checklist (Updated with CPRA Requirements)
Below is an easy-to-follow checklist covering all aspects of CCPA compliance for businesses applicable to websites and apps — with CPRA amendments included.
Part 1 – Audit your website or app
Solution: Manually audit what information you collect and use our Cookie Scanner to find what cookies you use.
Inaccuracies in your data collection can lead to fines for noncompliance.
Part 2 – What you MUST disclose at or before the point of data collection
Section 1798.110(c)(1–5)
Part 3 – Contractual obligations for sharing or selling personal information
Solution: Create a Data Processing Agreement (DPA) that you and the third party must sign that states the following:
Part 4 – Consumer Opt-Out Rights, Limit the Selling and Sharing of Personal Information, and non-discrimination
Solution: Use legally compliant links, honor browser consent preferences, and publish a DSAR or SAR form.
Section 1798.120(a–d)
Section 1798.121(a–d)
Section 1798.125 (1)(a–e), (2), & (3)
Part 5 – Verifiable Consumer Requests and Your Business Obligations
Solution: Provide users with options such as a DSAR form or a dedicated email address, and honor Global Privacy Control (GPC) signals.
Part 6 – Requirements Regarding Security Procedures and Practices
Solution: Implement reasonable security protocols based on the nature of the information collected.
CCPA Checklist Requirements Explained
In this section, I’ll further explain the requirements in the above CCPA checklist.
What Qualifies as Personal Information Under the CCPA?
Section 1798.140(v)(1) of the amended CCPA defines personal information, in part, as:
“… information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household…”
The law keeps this definition broad to account for current and future technology.
Below is a list of every piece of personal information currently listed in the text of the CCPA:
- Real names
- Postal address
- Unique personal identifier
- Online identifier
- IP address
- Email address
- Account name
- Social security number
- Driver’s license number
- Passport number
- Other similar identifiers
- Characteristics protected under California or federal law
- Commercial information
- Records of personal property
- Biometric information
- Internet or other electronic network activity information
- Browsing history
- Search history
- Information regarding consumers’ interaction with a website, app, or advertisement
- Geolocation data
- Audio, electronic, visual, thermal, olfactory, or similar information
- Professional or employment-related information
- Education information
- Inferences drawn from any information in this list used to create a consumer profile
- Sensitive personal information
However, the highlighted text in the screenshot below shows what doesn’t qualify as personal information according to this law:
The legal definition of publicly available information covers anything lawfully made available from federal, state, or local government records. It also covers information consumers choose to make public, as long as they haven’t restricted it to a specific audience.
Sensitive Personal Information
The CPRA amendments to the CCPA introduced the category of sensitive personal information to the law, which includes:
- Social security numbers
- Driver’s license numbers
- State identification card numbers
- Passport numbers
- Account log-in, financial account, or credit or debit card number, in combination with any required security or access code or credentials
- Precise geolocation
- Racial or ethnic origin
- Religious or philosophical beliefs
- Union membership
- Contents of a consumer’s mail, email, or text messages
- Genetic data
- Health data
- Sex life or sexual orientation
Consumers have the right to limit how their sensitive personal information is used at any time and can request that it be processed only for what is reasonably necessary to perform the services or provide the goods.
According to Section 1798.121, you must honor requests not to use or disclose their sensitive data, and any service providers or contractors that assist you must do the same.
How Does the CCPA Define Sharing?
Under the amended CCPA, consumers have the right to opt out of the selling and sharing of their personal information.
It’s important to understand how the law defines sharing and its relation to selling when filling out your CCPA checklist because the legal definitions don’t match how we use these terms in everyday conversations.
Sharing, according to Section 1798.140 (ah), means taking any of the following actions regarding consumer personal information:
- Making available
- Otherwise communicating orally, in writing, or by electronic means
The CCPA doesn’t care if a monetary transaction occurs between your business and a third party when sharing personal information.
There doesn’t need to be a value exchange of any kind. A user can still opt out of the use of their data for things like cross-context behavioral advertising even if no money trades hands.
Information About CCPA-Compliant Risk Assessments
If you process information that could pose a significant risk to consumer privacy or security, you must regularly perform cybersecurity audits and submit risk assessments to the California Privacy Protection Agency (CPPA).
The CPRA amendments to this law introduced the CPPA as the administrative enforcement agency, replacing what used to be the duty of the California Attorney General’s Office.
Within the risk assessment, you must:
- State whether you process sensitive personal information
- Identify and weigh the benefits resulting from the processing of the information for your business, the consumer, any other stakeholders, and the public
- Compare the benefits to the risks to the rights of the consumer concerning the processing of the information
- Maintain the goal of restricting and prohibiting the processing of the information if the risks outweigh the benefits
The CPPA is responsible for providing the public with a report summarizing all risk assessments filed with the agency.
CCPA Security Requirements
California introduced Civil Code section 1798.81.5 to provide guidance on how businesses can implement reasonable security measures concerning the personal information collected.
According to Section 1798.150 of the amended CCPA, it’s your responsibility to keep your users’ personal information safe, or else they can pursue civil action against you if:
- Their nonencrypted, nonredacted personal information is accessed or exfiltrated without authorization, is stolen, or disclosed as a result of poor security protocols
- Their email address — in combination with their password, security question answers, or any other answer that would permit access to an account — is accessed or exfiltrated without authorization, is stolen, or disclosed as a result of poor security practices
You must implement reasonable, appropriate security measures to protect consumer personal information from unauthorized access, destruction, use, modification, or disclosure.
Tips for Complying With the CCPA and CPRA
If you want to set your business up for CCPA and CPRA compliance, implement all of the following tips:
Penalties for Not Complying With the CCPA
The penalties for not complying with the CCPA, even by mistake, include:
- $2,500 per non-intentional violation
- $7,500 per intentional violation or for any offense involving a minor under the age of 16
There is no longer a grace period for curing CCPA violations now that the CPRA amendments are in force.
Instead, the California Privacy Protection Agency (CPPA) decides on an individual basis how much time each business has to correct its mistakes and will consider whether the company:
- Intentionally violated the CCPA
- Made an effort to cure the alleged violation
Consumers can also pursue private action against businesses if:
- Nonencrypted and nonredacted personal information gets compromised
- Their email addresses, in combination with a password or other details permitting access to an account, get breached
CCPA Compliance FAQ
Want a bit more information about complying with the CCPA? Check out some common questions we get about this data privacy law below.
What is the CCPA?
The CCPA is a state law passed in California that outlines business obligations for entities collecting and processing user personal information and describes citizens’ rights.
When did CCPA become active?
It came into force on January 1, 2020, and was amended by the California Privacy Rights Act (CPRA) as of January 1, 2023.
Any portions of the CCPA unaffected by the CPRA amendments remain in place.
Who does the CCPA protect?
The CCPA only protects natural persons in California. If you aren’t a California resident, you are not granted the data privacy rights outlined by the CCPA.
Who does the CCPA apply to?
The CCPA applies to entities that do business in California and meet any one of the following thresholds:
- Earned $25 million in gross annual revenue in the preceding calendar year (measured as of January 1)
- Annually buys, sells, or shares the personal information of 100,000 or more California consumers or households
- Derives 50% or more of its gross annual revenue from selling or sharing personal information
What is the difference between the CCPA and CPRA?
The CPRA is a set of amendments written to adapt and update portions of the CCPA. Both are now in force and are collectively referred to as simply the CCPA, the amended CCPA, or the CCPA as amended.
How Termly Helps Your Business Comply With the CCPA
Our legally backed tools, generators, and consent solutions can help your business fully comply with all facets of the CCPA and the CPRA amendments.
We offer all of the following necessary business resources:
- Consent Management Platform (CMP)
- Data Subject Access Request forms (DSAR or SAR)
- “Do Not Sell or Share My Personal Information” link
- “Limit the Use of My Sensitive Personal Information” link
Next up, I’ll walk you through how you can rely on each of these tools for full CCPA compliance.
Policy Generators and Templates
Thanks to our legal team and data privacy experts, our solutions include the proper clauses and information required by the recent CPRA amendments.
They also cover the following:
- General Data Protection Regulation (GDPR)
- The UK GDPR
- California Online Privacy Protection Act (CalOPPA)
- Virginia Consumer Data Protection Act (CDPA)
- Personal Information Protection and Electronic Documents Act (PIPEDA)
No hassles, no stress, just ease.
Take a look at a screenshot of our CCPA-compliant generator below.
You can also download and customize our free template and simply replace the blank sections of the document with details about your company.
Whichever solution you choose, you can trust that our legal team and data privacy experts have vetted all of our generators and templates. That way, you can rest easy knowing your business is set up for successful privacy compliance.
Consent Management Platform (CMP)
Our Consent Management Platform, backed by our legal team and data privacy experts, can easily be configured to comply with all CCPA consent requirements.
According to the law, consumers have the right to opt out of certain types of data processing, and our accessible consent preference center meets this legal requirement.
Below, see an example of what our CMP tools look like.
Remember, cookies and other trackers qualify as personal information under the CCPA, and consumers have the right to know what information you’re tracking. Use our website Cookie Scanner tool for auditing your website and locating all cookies it currently uses.
Data Subject Access Request (DSAR or SAR) Forms
As part of our CMP, you’ll have access to a DSAR or SAR form so your consumers can easily follow through on their rights to request to access, correct, or delete their personal information.
“Do Not Sell or Share My Personal Information” & “Limit the Use of My Sensitive Personal Information” Links
Our consent management platform also provides you with a compliant “Do Not Sell or Share My Personal Information” link, which you can embed in the footer of your website or application to meet the requirements outlined by Section 1798.135(a)(3) of the law, screenshotted below.
To streamline the process for your users to follow up on their privacy rights, the CCPA says that you can combine this link with the “Limit the Use of My Sensitive Personal Information” link as long as both features are available to consumers.
You can use our checklist to set your business up for successful CCPA compliance.
Remember, you’ll need the following:
- EULA (for software)
- Consent management platform
- DSAR or SAR forms
You can write all these documents yourself, use free templates, or make the entire process even easier by accessing our full suite of compliant CCPA website policy generators and consent solutions.