CCPA compliance checklist

If the CCPA applies to you (you can take the short assessment here to see whether it applies to you), you can use the checklist below to quickly review or assess your basic CCPA compliance.

First, a quick recap: what is the CCPA? The California Consumer Privacy Act (CCPA) is California’s newest privacy law, aimed at enhancing the privacy rights of consumers resident in California, United States. The CCPA puts in place new requirements for processing personally identifiable information and grants Californian consumers additional rights.

CCPA Checklist

Complete Assessment of your processes and business systems

One of the most important actions when it comes to compliance is to honestly review your processes and systems.
Here are some questions to help with the assessment. You can tick the questions off as you answer them.

  What categories of personal data do I collect and which categories of third-parties do I share this data with?
  Which sources do I collect this information from and what are their categories (e.g. analytics)?
  What are the reasons or purposes of my data collection?
  Which CCPA consumer rights (if any) do not apply to my processing activities?
  Which exceptions reasonably and honestly apply to my scenario?
  Am I keeping track of all the service providers* that access consumers’ personal information on my behalf?
  Can I reliably contact these parties to fulfil things like deletion requests?
  Do I maintain reliable records of the information and the categories of personal information I collect for each consumer?
  Do I have the documents (e.g. privacy policy or terms and conditions) I need to make the legally required disclosures available on my website?

*Service Providers are entities that collect personal information on behalf of the business and not for their own purposes; the role is similar to that of a Processor under the GDPR. The full definition and its exceptions are here: https://www.oag.ca.gov/sites/all/files/agweb/pdfs/privacy/ccpa-proposed-regs.pdf (pg. 14)

Make Required Disclosures and Honor Consumer Rights When Exercised

The Right to be Informed

  Keep internal records of the type of processing you do (including who your service providers are) so that you’re able to include the relevant details in your privacy policy and, if applicable, at the point of data collection (e.g. a contact form).
  Display CCPA-related language, disclosures, and instructions in your privacy policy.
  Update your privacy policy every 12 months.

The Rights of Access & Portability

  Have in place a way of retrieving the information processed on a specific consumer. One approach is simply to be aware of which processes typically apply to particular user groups or transactions; from there you can compare against your internal privacy, sales, database or consent records to retrieve the relevant information.
  Have the means of fulfilling access requests either by regular mail or electronically (such as email, file download, etc.) in a format that’s easy to use and that allows the information to be transmitted to another person or company without hindrance.

The Right to Opt-out

  Display a CCPA notice of collection.
  Display a “Do Not Sell My Personal Information” (DNSMPI) link that allows the consumer to opt out.
  Actually facilitate the opt-out and stop the selling action for that particular consumer.

The Right to Opt-in

  Ensure that, in cases where you are aware that the consumer is a minor under the age of 16, you do not sell their information unless explicitly authorized to do so by a parent or guardian (for minors under 13), or unless explicitly authorized to do so by the minor consumer themselves where the minor is between the ages of 13 and 16.

The Right to not be discriminated against

  Do not discriminate against consumers who exercise their rights.
