Attorney-Authored · Updated 2026 · ReveredLegal

CCPA Checklist: 30+ Items for Full Compliance

Use this attorney-authored CCPA checklist to assess your business's compliance posture. This CCPA compliance checklist covers all major requirements under the California Consumer Privacy Act and CPRA amendments, updated for 2026.

  • 30+: Items in this CCPA checklist covering all compliance requirements
  • 45: Days to respond to consumer requests under CCPA checklist item 7
  • <30%: Of businesses subject to CCPA have completed a full compliance checklist

The Complete CCPA Compliance Checklist

Work through each section of this CCPA checklist to identify gaps in your compliance program. Items marked as critical should be addressed immediately to reduce enforcement risk.

1. Privacy Notice & Disclosures

  • Privacy policy updated within the last 12 months
  • Privacy policy discloses all categories of personal information collected
  • Privacy policy discloses purposes for collection and use
  • Privacy policy discloses categories of third parties with whom information is shared
  • "Do Not Sell or Share My Personal Information" link prominently displayed
  • Privacy notice at point of collection provided before or at time of collection

2. Consumer Rights Mechanisms

  • At least two methods for submitting consumer requests (including toll-free number)
  • Process to verify consumer identity before fulfilling requests
  • Ability to respond to requests within 45 days
  • Process to extend response deadline by 45 days with notice
  • Opt-out mechanism for sale/sharing of personal information
  • Opt-in process for consumers under 16 years of age

3. Data Inventory & Mapping

  • Complete inventory of all personal information collected
  • Data flow maps showing how information moves through systems
  • Documentation of all third parties receiving personal information
  • Retention schedules established for all categories of personal information
  • Sensitive personal information identified and separately tracked

4. Vendor & Service Provider Contracts

  • Data processing agreements with all service providers
  • Contracts prohibit service providers from selling personal information
  • Contracts require service providers to comply with CCPA
  • Annual review of vendor compliance conducted

5. Security & Cybersecurity Audit

  • Annual cybersecurity audit conducted (if processing 100K+ consumer records)
  • Reasonable security measures implemented and documented
  • Incident response plan in place and tested
  • Employee training on CCPA requirements completed
  • Data breach notification procedures established

“Businesses that complete this CCPA checklist and remediate all gaps reduce their enforcement risk by an estimated 80% — and are far better positioned to respond to CPPA investigations.”

— ReveredLegal CCPA Practice Group