CCPA Compliance Checklist 2026

Everything California businesses need to know about CCPA/CPRA compliance, including new requirements effective in 2026.

January 10, 2026 | 7 min read | By Jennifer Rodriguez

The California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), is now fully in effect. Here's your complete checklist for 2026 compliance.

Does CCPA Apply to Your Business?

CCPA applies if you do business in California AND meet any of these thresholds:

  • Annual gross revenue exceeds $25 million
  • Buy, sell, or share personal information of 100,000+ California consumers annually
  • Derive 50% or more of annual revenue from selling or sharing personal information

Note: "Sharing" now includes providing data to third parties for cross-context behavioral advertising, even without monetary exchange.

Privacy Policy Requirements Checklist

Required Disclosures

Your privacy policy must include:

  • Categories of personal information collected in the past 12 months
  • Sources of that information
  • Business or commercial purposes for collection
  • Categories of third parties with whom you share information
  • Categories sold or shared in the past 12 months (or state if none)
  • Categories disclosed for business purposes in the past 12 months
  • How long you retain each category of information
  • Consumer rights and how to exercise them

Consumer Rights Section

Clearly explain these rights:

  • Right to Know: Request what information you have
  • Right to Delete: Request deletion of their data
  • Right to Correct: Request correction of inaccurate data
  • Right to Opt-Out: Opt out of sale/sharing
  • Right to Limit Use: Limit use of sensitive personal information
  • Right to Non-Discrimination: No retaliation for exercising rights

Website Requirements

"Do Not Sell or Share" Link

If you sell or share personal information, you must have a clear link titled "Do Not Sell or Share My Personal Information" on your website. This should lead to an easy opt-out mechanism.

"Limit Use" Link

If you process sensitive personal information, provide a "Limit the Use of My Sensitive Personal Information" link.

Request Submission Methods

Provide at least two methods for consumers to submit requests (e.g., toll-free number and web form). Online-only businesses need only provide an email address.

Operational Requirements

Request Response Times

  • Acknowledge receipt within 10 business days
  • Respond to request within 45 calendar days
  • Extension of up to 45 additional days if necessary (with notice)

Verification

Implement reasonable verification methods to confirm request authenticity. The level of verification should match the sensitivity of the data.

Training

Ensure employees who handle consumer requests understand CCPA requirements.

Record Keeping

Maintain records of consumer requests and responses for at least 24 months. Include metrics in your privacy policy if you receive 10 million+ consumer requests annually.

Contracts with Service Providers

Ensure contracts with service providers and contractors include:

  • Specific purposes for data processing
  • Prohibition on selling or sharing the data
  • Obligation to assist with consumer requests
  • Notification requirements for breaches
