7-Step CPRA Compliance Requirements Checklist

The California Privacy Rights Act (CPRA) entered into action on January 1, 2023, amending portions of the California Consumer Privacy Act (CCPA).

Today, the CPRA amendments are entirely in effect, including all enforcement rules established by the California Privacy Protection Agency (CPPA), the group responsible for enforcing the act.

Websites that are subject to following the CPRA amendments to the CCPA can follow our easy compliance checklist below.

CPRA Compliance Checklist: Step-by-Step

Part 1: Perform a Privacy Audit

To comply with the CCPA as amended by the CPRA, you must perform a privacy audit so you know with certainty:

• All personal information your business accumulates
• Where it comes from
• How it’s collected

For example, you might acquire data directly from users through internet forms, by deploying cookies on their browsers, or from publicly available sources.

If you don’t know all of this information, you cannot say you’re fully compliant with the CCPA as amended by the CPRA, and your business is at risk of getting fined for violating the law.

To perform your own data inventory, consider the following techniques:

Part 2: Privacy Notification Requirements

Businesses must meet specific privacy notification obligations as part of the CPRA requirements.

To account for the CPRA amendments, post a CCPA-compliant privacy policy on your website that includes all of the following details:

• The categories of personal data you collect
• The sources the data was collected from.
• The purpose for why you collect, use, sell, or share personal data.
• If you share or sell personal data with third parties.
• The categories of the third parties with access to the data.
• The length of time you intend to retain each category of personal data.
• The criteria used to determine how long it is necessary to retain data.
• Details about consumers’ rights to request to delete their personal data.
• Details about consumers’ rights to request to correct their personal data.

You can only collect, use, retain, and share data in a way that is considered reasonably necessary to achieve the purposes you disclose in your privacy policy.

As the law requires, plan to update your privacy policy at least once every 12 months.

Part 3: Obtain Adequate Consumer Consent for Specific Data Processing

Implement a cookie consent manager on your site to provide California users with adequate consent choices for specific types of data processing, as required by the CCPA/CPRA.

If you share or sell personal information, implement the following:

• Explain that you sell or share data on a consent banner and allow users to opt-out.
• Add a compliant “Do Not Sell or Share My Personal Information” link to the footer of your website.
• Honor consent preferences the individual sets using universal opt-out mechanisms, like Global Privacy Controls (GPC).

If you want to collect sensitive personal information, implement the following:

• Explain that you wish to collect sensitive personal information on a consent banner and allow users to opt-out.
• Inform consumers of their right to limit the use of their sensitive data to only what is reasonably necessary for performing services or providing goods.
• Add a compliant “Limit the Use of My Sensitive Personal Information” link to your website.
• Honor consent preferences the individual sets using universal opt-out mechanisms.

Part 4: Contractual Obligations for Sharing or Selling Personal Data

Under the CCPA as amended by the CPRA, businesses that share or sell personal information make and implement contacts that meet the following obligations:

• Specify what personal data is shared or sold.
• Explain how long the third party has access to the data.
• Specify the specific purposes for sharing or selling the personal data.
• Obligate the third party to comply with all applicable obligations to provide the same level of security as the CCPA/CPRA requires.
• Give your business the right to take reasonable, appropriate steps to help the third party use personal data in a way that’s compliant with all CCPA/CPRA business obligations.
• Require the third party to notify your business if it cannot meet the CCPA/CPRA guidelines outlined by the contract.
• Give your business the right to take reasonable, appropriate steps to stop and remediate the unauthorized use of personal data.

You must also ensure that your business and the third party sign the contract.

Part 5: Consumer Rights and Verifiable Consumer Requests

Businesses under the CCPA as amended by the CPRA must comply with consumer’s rights to request to:

• Access their personal data
• Correct or amend their personal data
• Delete their personal data
• Opt out of having their data sold or shared
• Limit the use of their sensitive personal data

These consumers also have the right to non-discrimination for acting on their privacy rights.

For example, this means you cannot:

• Deny a consumer goods or service.
• Charge different prices or rates, implying it’s a penalty.
• Provide a different level of service or quality of goods implying it’s a penalty.
• Suggest consumers will receive a different price, rate, or quality of goods for acting on their rights.
• Retaliate against employees, applicants, or contractors who exercise their privacy rights.

But you can:

• Charge an alternate price or different legal or quality of service reasonably related to the value provided by their personal information.
• Offer consumers loyalty, reward, and club programs or premium features and discounts for providing their personal information.

To comply with this portion of the law, you must provide consumers with two or more methods for acting on their privacy rights, which may include:

• Post a Data Subject Access Request (DSAR) form on your site.
• Honor universal opt-out mechanics (UOOMs) set on users’ browsers or by a browser extension, like Global Privacy Controls (GPC).
• Link to a specific email address or physical address they can send requests to.

You must then disclose and deliver the requested information for free within 45 days of receiving a verifiable consumer request.

Part 6: Security Procedures and Practices

The CCPA, as amended by the CPRA, requires businesses to implement reasonable security measures and protocols based on the nature and amount of personal data collected.

While the law is not specific about what security measures you must use, it does require you to protect it from unauthorized or illegal:

• Access
• Destruction
• Use
• Modification
• Disclosure

The CPRA gives California consumers broader rights to pursue private action against businesses that collect their data if that data is ever breached or compromised.

Part 7: Collecting and Processing Personal Data From Children

The CPRA introduced requirements businesses must follow if they want to collect and process children’s data under the CCPA, which includes:

• Obtaining explicit opt-in consent before selling or sharing personal data of a minor under age 16.
• Establishing a way for minors or their legal guardians to specify that the consumer is between 13 and 16 or under age 13.

CPRA Requirements FAQ

Now that you’ve viewed the CPRA compliance checklist, let’s walk through some of the most frequently asked questions about the CPRA.

Summary

The CPRA is not a standalone law — it’s an amendment to the CCPA.

If your business meets the legal threshold, you must comply with all data collecting and processing requirements outlined by the law, which include:

• Posting a compliant privacy policy that meets all notification obligations.
• Obtaining adequate consent from California users for specific processing activities.
• Using compliant contracts with any third-party entities you share or sell data to.
• Providing two or more ways for users to submit verifiable requests to act on their privacy rights.
• Implementing appropriate security measures to protect persoanal information from unauthorized access.

Make it easy on your business, and use our CPRA compliance checklist to help guide you.

More about the author

Written by Masha Komnenic CIPP/E, CIPM, CIPT, FIP

Masha is an Information Security and Data Privacy Specialist and a Certified Data Protection Officer. She has been a Data Protection Officer for the past six years, helping small and medium-sized enterprises achieve legal compliance. She has also been a privacy compliance mentor to many international business accelerators. She specializes in implementing, monitoring, and auditing business compliance with privacy regulations (HIPAA, PIPEDA, ePrivacy Directive, GDPR, CCPA, POPIA, LGPD). Masha studied Law at Belgrade University, and she passed the Bar examination in 2016. More about the author