CCPA Compliance Checklist (2026)
This checklist covers the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA), fully enforceable from July 2023. It applies to for-profit businesses meeting at least one of the CCPA applicability thresholds. Each item cites the relevant section of the CCPA/CPRA statute (Cal. Civ. Code §1798 et seq.).
Know What Data You Collect
Privacy Policy
Consumer Rights (45-day response required)
Sensitive Personal Information
Minors' Data
Service Providers
Data Retention
Security
What is CCPA/CPRA and who does it apply to?
The California Consumer Privacy Act (CCPA), effective January 1, 2020, and significantly amended by the California Privacy Rights Act (CPRA), effective January 1, 2023, was the first comprehensive state privacy law in the United States. It is enforced by the California Attorney General, which brings civil enforcement actions, and by the California Privacy Protection Agency (CPPA), which the CPRA created and which has had administrative enforcement authority since July 1, 2023.
CCPA/CPRA applies to for-profit businesses that collect personal information of California consumers and meet any one of these thresholds: annual gross revenues over $25 million (a figure the CPPA adjusts for inflation in odd-numbered years); buy, sell, or share for commercial purposes the personal information of 100,000 or more consumers or households; or derive 50% or more of annual revenues from selling or sharing consumers' personal information (Cal. Civ. Code §1798.140(d)).
Key CPRA changes from 2023
CPRA significantly expanded CCPA. New rights include: the right to correct inaccurate personal information (Cal. Civ. Code §1798.106), and the right to limit the use and disclosure of sensitive personal information (§1798.121). CPRA also created a new category of sensitive personal information — including Social Security numbers, financial account details, precise geolocation, racial or ethnic origin, religious beliefs, and health data — which receives heightened protections. The opt-out requirement now explicitly covers "sharing" (cross-context behavioural advertising) in addition to "selling."
Civil penalties under Cal. Civ. Code §1798.155 are up to $2,500 per violation and up to $7,500 per intentional violation or violation involving the personal information of a consumer the business knows is under 16 (both amounts are adjusted periodically for inflation). Separately, §1798.150 gives consumers a private right of action when nonencrypted and nonredacted personal information is exposed in a breach caused by the business's failure to implement and maintain reasonable security procedures; statutory damages are $100 to $750 per consumer per incident, or actual damages if greater.
How to use this CCPA/CPRA compliance checklist
Start with your data inventory: you cannot honour consumer rights or write an accurate privacy notice without knowing what personal information you collect, why, and with whom you share it. The most critical immediate steps are: update your privacy policy and notice at collection (§1798.100 and §1798.130(a)(5)), establish a process that responds to consumer rights requests within 45 days of receipt (§1798.130(a)(2)), and determine whether you "sell" or "share" personal information, which triggers the opt-out right (§1798.120) and the "Do Not Sell or Share My Personal Information" link requirement (§1798.135).
If your business also serves EU residents, review our GDPR checklist. If you handle health data, the HIPAA checklist likely applies as well.
What this checklist is for, and what it is not
This checklist is for for-profit businesses that meet at least one CCPA applicability threshold (Cal. Civ. Code §1798.140(d)). It covers the core consumer rights, privacy notice requirements, opt-out mechanisms, service provider obligations, and data security requirements that an organisation's legal or compliance team can self-assess. It includes CPRA amendments effective from January 1, 2023, and enforceable from July 1, 2023.
What it does not cover: other US state privacy laws enacted since 2023 (Virginia, Colorado, Connecticut, Texas, Montana, Oregon, and others have enacted separate privacy laws with similar but distinct requirements); sector-specific California laws such as the California Medical Information Act (CMIA); the CPPA's ongoing rulemaking on automated decision-making and risk assessments, not finalised as of May 2026; or specific legal interpretation of what constitutes a "sale" or "sharing" in your particular data flows. Last verified May 2026 against the CCPA/CPRA text at oag.ca.gov/privacy/ccpa.
Real-world CCPA enforcement cases
In August 2022, the California Attorney General settled with Sephora Inc. for $1.2 million in the first major publicly resolved CCPA enforcement action. The AG found that Sephora failed to disclose that it was selling consumers' personal information to third parties, failed to process opt-out requests made via the Global Privacy Control (GPC) browser signal, and failed to cure these violations within the 30-day cure period that applied at the time (the CPRA removed the mandatory cure period from July 1, 2023). The settlement confirmed that processing GPC signals is legally required, a position the AG repeated in published guidance and that the CPPA regulations (Cal. Code Regs. tit. 11, §7025) now state expressly.
In February 2024, the California AG settled with DoorDash for $375,000 after finding that DoorDash sold personal information of California consumers through participation in a marketing cooperative without providing required disclosures or an opt-out right. DoorDash was treating data shared with the cooperative as a non-regulated marketing activity; the AG found it met the CCPA definition of "sale." The case is a warning for any business participating in data sharing arrangements with third-party marketing platforms.
The California Privacy Protection Agency issued its first enforcement actions in 2025, focusing on opt-out mechanisms, privacy notice completeness, and the "Do Not Sell or Share" right. The CPPA's enforcement approach emphasises systemic violations across many consumers. The most common violations found involve incomplete privacy notices and non-functional opt-out mechanisms.
Common CCPA mistakes
Treating the "Do Not Sell or Share" link as cosmetic. Cal. Civ. Code §1798.135 requires a clear and conspicuous "Do Not Sell or Share My Personal Information" link on the homepage and in the privacy policy, and §1798.120 requires the business to stop selling or sharing once the consumer opts out. Many businesses add the link but route it to a page that records a preference without changing anything. Ad retargeting pixels, analytics tools with data sharing enabled, and social media tracking plugins keep firing after the link is clicked unless the tag-loading logic and the upstream data flows are gated on the opt-out. The link is only compliant if the business actually stops selling or sharing that consumer's personal information after the right is exercised. A simple check is to opt out, reload the site with the browser's network panel open, and confirm that the requests to third-party advertising domains are gone.
Not honouring Global Privacy Control signals. The Sephora settlement stated explicitly that failing to process GPC browser signals violates the CCPA opt-out right, and the CPPA regulations (Cal. Code Regs. tit. 11, §7025) require businesses to treat an opt-out preference signal as a valid request to opt out of sale and sharing. GPC is sent automatically by supporting browsers and extensions as the HTTP request header Sec-GPC: 1 and is exposed to page scripts as navigator.globalPrivacyControl. A business must act on it without requiring the consumer to click anything, exactly as it would act on a manual opt-out request, and many businesses are unaware of this.
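The two mistakes above, a link that records a preference without changing data flows and a GPC signal that is never read, have the same fix: resolve one opt-out status from every source and gate every sale/share tag on it. The block below is an added example written for this page, not code from the page, Sephora, or any tag vendor. It runs under Node with no browser. The cookie name ccpa_opt_out, the tag registry, and the hostnames in it are constructed placeholders; the header name Sec-GPC and the navigator.globalPrivacyControl property are the ones defined in the GPC specification.

```javascript
// Added example (not the page's or any vendor's code): resolve a consumer's
// "Do Not Sell or Share" status from the Global Privacy Control signal or a
// stored manual opt-out, then gate third-party tags on that status.
//
// The GPC spec defines two equivalent signals:
//   - the request header  "Sec-GPC: 1"               (server side), and
//   - navigator.globalPrivacyControl === true          (client side).
// Any other value, including an absent header or "0", means "no signal".

// Read the GPC header from a plain header object or a Map-like object with
// get(). Header names are case-insensitive, so match on the lowercase name.
function gpcFromHeaders(headers) {
  if (!headers) return false;
  let value;
  if (typeof headers.get === "function") {
    value = headers.get("sec-gpc");
  } else {
    const key = Object.keys(headers).find((k) => k.toLowerCase() === "sec-gpc");
    value = key === undefined ? undefined : headers[key];
  }
  // The only value the spec defines is the single character "1".
  return typeof value === "string" && value.trim() === "1";
}

// Client-side equivalent. The nav parameter lets the function be exercised
// without a real browser; in a page it defaults to the real navigator.
function gpcFromNavigator(nav = globalThis.navigator) {
  return Boolean(nav && nav.globalPrivacyControl === true);
}

// Minimal Cookie header parser (first value wins for duplicate names).
function parseCookies(cookieHeader) {
  const out = {};
  for (const part of String(cookieHeader || "").split(";")) {
    const idx = part.indexOf("=");
    if (idx < 0) continue;
    const name = part.slice(0, idx).trim();
    if (name && !(name in out)) out[name] = part.slice(idx + 1).trim();
  }
  return out;
}

// Hypothetical cookie set when the consumer uses the opt-out link.
const OPT_OUT_COOKIE = "ccpa_opt_out";

// Either signal is sufficient, and a stored manual opt-out persists even if
// the browser later sends no GPC header: absence of GPC is not consent.
function optedOutOfSaleOrShare({ headers, cookieHeader, nav } = {}) {
  return (
    gpcFromHeaders(headers) ||
    gpcFromNavigator(nav) ||
    parseCookies(cookieHeader)[OPT_OUT_COOKIE] === "1"
  );
}

// Constructed tag registry. Each tag is classified before it is deployed:
// "sale_share" tags disclose personal information to a third party for
// cross-context behavioural advertising and must not fire after an opt-out;
// "service_provider" tags act on the business's behalf under a qualifying
// contract and may keep running. The hostnames are placeholders.
const TAGS = [
  { id: "retargeting-pixel", src: "https://ads.example/pixel.js", category: "sale_share" },
  { id: "social-plugin", src: "https://social.example/plugin.js", category: "sale_share" },
  { id: "site-analytics", src: "https://analytics.example/sp.js", category: "service_provider" },
];

// Return the ids of tags permitted to load. Only tags explicitly classified
// as service_provider survive an opt-out, so an unreviewed tag fails closed.
function tagsToLoad(optedOut, tags = TAGS) {
  return tags
    .filter((t) => !optedOut || t.category === "service_provider")
    .map((t) => t.id);
}

// Stand-alone demonstration with a constructed request: the browser sends
// GPC, so only the service-provider tag is allowed to load.
const demoRequest = { headers: { "Sec-GPC": "1", cookie: "theme=dark" } };
const demoOptedOut = optedOutOfSaleOrShare({
  headers: demoRequest.headers,
  cookieHeader: demoRequest.headers.cookie,
});
console.log({ optedOut: demoOptedOut, load: tagsToLoad(demoOptedOut) });
```

The design point is that tagsToLoad is the single choke point: the tag manager, the server-rendered script includes, and any consent-banner integration all ask it, so a new pixel added without a category is blocked after an opt-out rather than silently leaking. Persisting the manual opt-out server-side against the consumer's account, where one exists, closes the gap for consumers who clear cookies or switch browsers.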
Uncertainty around sale versus share. CPRA introduced "sharing" (cross-context behavioural advertising) to close a loophole where businesses argued that providing data to advertising platforms without monetary consideration was not a "sale." Many businesses have updated their privacy policies to reference both but have not changed their data flows or upstream agreements to reflect that sharing is now regulated. If your site runs third-party advertising trackers, you are very likely "sharing" personal information as defined in Cal. Civ. Code §1798.140(ah), regardless of whether any money changes hands.
What changed in CCPA/CPRA: 2024 to 2026
CPRA amendments became fully enforceable from July 1, 2023, introducing the CPPA as the dedicated enforcement agency, new rights (right to correct, right to limit use of sensitive personal information), new obligations (data minimisation for sensitive data, retention limitations, annual cybersecurity audits for high-risk processing), and the business/contractor/service provider structure. Businesses that updated practices for CCPA in 2020 and have not revisited them since may have gaps against the CPRA amendments.
The CPPA has been conducting rulemaking on automated decision-making technology (ADMT) and cybersecurity audit and risk assessment requirements. As of May 2026, final ADMT rules had not been published. Draft regulations propose that businesses using ADMT for significant decisions (credit, employment, housing, insurance) must provide pre-use notices and opt-out rights. Monitor cppa.ca.gov for final rules.
Texas (TDPSA, effective July 2024), Montana (MCDPA, effective October 2024), and Oregon (OCPA, effective July 2024) enacted consumer privacy laws. Virginia, Connecticut, Colorado, and Utah have had privacy laws in force since 2023. These laws share structural similarities with CCPA but differ on thresholds, cure periods, and enforcement. A CCPA-compliant programme is a strong foundation, but multi-state US businesses should assess each state law separately. Last reviewed May 2026 by the Zeta Solutions editorial team.