7 Step CCPA Compliance Checklist for Websites and Apps

Written by Josh Langeland, CIPM, September 13, 2023


Want to set your website or app up for full compliance under the recently amended California Consumer Privacy Act (CCPA)?

Below, we’ve created an easy-to-follow CCPA compliance checklist plus some additional tips and tricks to ensure you legally comply with one of the US’s strictest data privacy laws.

Table of Contents
  1. CCPA Compliance Checklist (Updated with CPRA Requirements)
  2. CCPA Checklist Requirements Explained
  3. Tips for Complying With the CCPA and CPRA
  4. Penalties for Not Complying With the CCPA
  5. CCPA Compliance FAQ
  6. How Termly Helps Your Business Comply With the CCPA
  7. Summary

CCPA Compliance Checklist (Updated with CPRA Requirements)

Below is an easy-to-follow checklist covering all aspects of CCPA compliance for businesses applicable to websites and apps — with CPRA amendments included.

Part 1 – Audit your website or app

Solution: Manually audit what information you collect and use our Cookie Scanner to find what cookies you use.

  • Perform a privacy audit: determine what personal information your platform collects by performing a website or app audit. Be sure to include cookies or other trackers. Inaccuracies in your data collection can lead to fines for noncompliance.

Part 2 – What you MUST disclose at or before the point of data collection

Solution: Create a CCPA-compliant Privacy Policy and include…

  • The categories of personal information collected, the purposes for which it’s collected or used, and whether you share or sell the information.
  • If you collect sensitive personal information, state what categories are collected, the purposes for the collection and use, and whether it’s shared or sold.
  • The length of time you intend to retain each category of personal and sensitive personal information, or the criteria used to determine how long it is necessary to keep it.
    Source: 1798.100 (a)
  • Inform consumers about their right to request that you delete any personal information and explain how they may do so by submitting a verifiable consumer request.
    Source: 1798.105 (b)
  • Inform consumers about their right to request that you correct their personal information and explain how they may do so by submitting a verifiable consumer request.
    Source: 1798.106 (b)
  • Disclose the categories of personal information you’ve collected about consumers.
  • Disclose the categories of sources from which the personal information is collected.
  • Disclose the business or commercial purpose for collecting, selling, or sharing the information.
  • Disclose the categories of third parties with access to the information.
  • Inform consumers that they have a right to request the specific pieces of personal information you collect about them.
    Source: 1798.110 (c) (1-5)
  • Only collect, use, retain, and share data in a manner that is reasonably necessary to achieve the goals you originally disclosed.
    Source: 1798.100 (c)

Part 3 – Contractual obligations for sharing or selling personal information

Solution: Create a Data Processing Agreement (DPA) that you and the third party must sign and that states the following:

  • Specify which personal information is sold or disclosed, for a limited time and for specific purposes.
  • Obligate the other entity to comply with applicable obligations and to provide the same level of security and data protection as the CCPA outlines.
  • Grant your business the right to take reasonable and appropriate steps to help ensure the third-party entity uses the personal information in a manner consistent with your business’s obligations under the CCPA.
  • Require the third-party entity to notify your business if it determines it can no longer meet its obligations under the contract as outlined by the CCPA.
  • Grant your business the right to take reasonable and appropriate steps to stop and remediate unauthorized use of personal information.
    Source: 1798.100 (d)

Part 4 – Consumer Opt-Out Rights, Limits on the Selling and Sharing of Personal Information, and Non-Discrimination

Solution: Use legally compliant links, honor browser consent preferences, and publish a DSAR or SAR form.

  • If you share or sell personal information, inform consumers that they have the right to opt out of the sharing or selling of their personal information, and:
    • Provide a compliant “Do Not Sell or Share My Personal Information” link on your website or app, or honor their consent preference browser settings.
    Source: 1798.120 (a – d)
  • If you collect sensitive personal information, inform consumers of their right to limit its use to what is reasonably necessary to perform the services or provide the goods, and:
    • Provide a compliant “Limit the Use of My Sensitive Personal Information” link on your website or app, or honor their consent preference browser settings.
    Source: 1798.121 (a – d)
  • Ensure your business does not discriminate against a consumer for exercising their data privacy rights, including but not limited to any of the following:
    • DON’T deny goods or services.
    • DON’T charge different prices or rates, including through discounts or other benefits, or impose penalties.
    • DON’T provide a different level of service or quality of goods.
    • DON’T suggest that consumers will receive a different price or rate for goods and services, or a different level of quality of goods or services.
    • DON’T retaliate against an employee, applicant, or contractor for exercising their rights.
    • YOU CAN charge a different price or rate, or provide a different level of quality or service, if the difference is reasonably related to the value provided by the consumer’s personal information.
    • YOU CAN offer loyalty, rewards, premium features, discounts, or club card programs.
    Source: 1798.125 (1) (a-e), (2), & (3)

Part 5 – Verifiable Consumer Requests and Your Business Obligations

Solution: Provide users with options such as a DSAR form and a dedicated email address, and honor Global Privacy Control (GPC) signals.

  • You MUST provide consumers with two or more methods for requesting access to their personal information.
    Source: 1798.130(a)(1)(A)
  • You MUST disclose and deliver the requested information free of charge and within 45 days of receiving a verifiable consumer request.
    Source: 1798.130(1)(2)(A)

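
Parts 4 and 5 both say to honor the consumer’s browser consent preference, which in practice means the Global Privacy Control (GPC) signal: a GPC-enabled browser sends the request header Sec-GPC: 1 and exposes navigator.globalPrivacyControl to page scripts. The following JavaScript is an added example, not Termly’s code and not part of the original checklist. It shows one way to read that signal on the server (from the request headers) and on the client (from the navigator object), fold it together with an opt-out the consumer recorded through a “Do Not Sell or Share” link, and then gate trackers that sell or share personal information on the result. The header object, the navigator-like object, the tracker inventory, the storedPreference values, and all function names are constructed for this example.

```javascript
// Added example (not Termly's code): honoring the Global Privacy Control (GPC)
// opt-out signal that Parts 4 and 5 of the checklist refer to.
// A GPC-enabled browser sends the request header "Sec-GPC: 1" and exposes
// navigator.globalPrivacyControl === true to page scripts. A business that
// sells or shares personal information treats that signal as a request to
// opt out of sale and sharing.

// Server side: `headers` is an object keyed by lower-cased header name, the
// shape Node's http.IncomingMessage.headers provides.
function gpcOptOutFromHeaders(headers) {
  if (!headers) return false;
  const value = headers['sec-gpc'];
  // The GPC spec defines exactly one opt-out value, "1"; treat anything else
  // (absent, "0", garbage) as "no signal" rather than guessing.
  return typeof value === 'string' && value.trim() === '1';
}

// Client side: `nav` is the browser's navigator object (passed in so the
// function can be exercised outside a browser, as in the demo below).
function gpcOptOutFromNavigator(nav) {
  return Boolean(nav) && nav.globalPrivacyControl === true;
}

// Combine the browser signal with any preference the consumer recorded through
// the site's "Do Not Sell or Share My Personal Information" link.
// `storedPreference` is an assumed value of 'opt-out' or null: an explicit
// opt-out always wins, a GPC signal counts as an opt-out, and with neither the
// consumer has not opted out. The returned object is what the tag loader acts on.
function resolveSaleSharingConsent({ headers = null, nav = null, storedPreference = null } = {}) {
  if (storedPreference === 'opt-out') {
    return { sellOrShare: false, reason: 'explicit-opt-out' };
  }
  if (gpcOptOutFromHeaders(headers) || gpcOptOutFromNavigator(nav)) {
    return { sellOrShare: false, reason: 'gpc-signal' };
  }
  return { sellOrShare: true, reason: 'no-opt-out' };
}

// Constructed tracker inventory, the kind of list the audit in Part 1 produces.
// `sellsOrShares` marks trackers that send personal information to third
// parties, e.g. for cross-context behavioral advertising.
const TRACKER_INVENTORY = {
  'session-cookie': { sellsOrShares: false },
  'first-party-analytics': { sellsOrShares: false },
  'ad-network-sync': { sellsOrShares: true },
};

// Gate a tracker on the resolved consent. Unknown trackers are refused so that
// an unaudited tag can never load (fail closed).
function mayLoadTracker(name, consent) {
  const tracker = TRACKER_INVENTORY[name];
  if (!tracker) return false;
  if (!tracker.sellsOrShares) return true;
  return consent.sellOrShare === true;
}

// Stand-alone demo with a constructed request carrying the GPC header.
const demoConsent = resolveSaleSharingConsent({ headers: { 'sec-gpc': '1' } });
console.log(demoConsent);                                    // { sellOrShare: false, reason: 'gpc-signal' }
console.log(mayLoadTracker('ad-network-sync', demoConsent)); // false
console.log(mayLoadTracker('session-cookie', demoConsent));  // true
```

The design point worth keeping from this example is that the consent decision is resolved once, from all available signals, and every tracker is gated on that single result; an unknown tracker name fails closed, so a tag that was never inventoried in the Part 1 audit cannot load by accident.
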
Part 6 – Requirements Regarding Security Procedures and Practices

Solution: Implement reasonable security protocols based on the nature of the information collected.

  • Implement reasonable security procedures and practices, appropriate to the nature of the personal information, to protect it from unauthorized or illegal access, destruction, use, modification, or disclosure.
    Source: 1798.100 (e)

Part 7 – Display Your Privacy Policy

Solution: Make your privacy policy prominent to users.

  • Display your privacy policy prominently and conspicuously on every page of your website and wherever your app can be downloaded. Also, add a link to your app’s menu.
    Source: 1798.100 (b)

CCPA Checklist Requirements Explained

In this section, I’ll further explain the requirements in the above CCPA checklist.

What Qualifies as Personal Information Under the CCPA?

Section 1798.140(v)(1) of the amended CCPA defines personal information, in part, as:

… information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household…

The law keeps this definition broad to account for current and future technology.

Below is a list of every piece of personal information currently listed in the text of the CCPA:

  • Real names
  • Alias
  • Postal address
  • Unique personal identifier
  • Online identifier
  • IP address
  • Email address
  • Account name
  • Social security number
  • Driver’s license number
  • Passport number
  • Other similar identifiers
  • Characteristics protected under California or federal law
  • Commercial information
  • Records of personal property
  • Biometric information
  • Internet or other electronic network activity information
  • Browsing history
  • Search history
  • Information regarding consumers’ interaction with a website, app, or advertisement
  • Geolocation data
  • Audio, electronic, visual, thermal, olfactory, or similar information
  • Professional or employment-related information
  • Education information
  • Inferences drawn from any information in this list used to create a consumer profile
  • Sensitive personal information

However, the law also spells out what doesn’t qualify as personal information (highlighted in a screenshot of the statute in the original article):

The legal definition of public information means anything lawfully made available from federal, state, or local government records. It also covers information consumers choose to make available as long as they haven’t restricted the data to a specific audience.

Sensitive Personal Information

The CPRA amendments to the CCPA introduced the category of sensitive personal information to the law, which includes:

  • Social security numbers
  • Driver’s license numbers
  • State identification card numbers
  • Passport numbers
  • Log-in account information, financial account information, or credit or debit card information, in combination with any required security or access code or credentials
  • Precise geolocation
  • Racial or ethnic origin
  • Religious or philosophical beliefs
  • Union membership
  • Contents of a consumer’s mail, email, or text messages
  • Genetic data
  • Health data
  • Sex life or sexual orientation

Consumers have the right to limit how their sensitive information is used at any time and can request that it be only processed for whatever is reasonably necessary to perform the services or provide the goods.

According to Section 1798.121, you must honor requests not to use or disclose consumers’ sensitive data, and any service providers or contractors that assist you must do the same.

How Does the CCPA Define Sharing?

Under the amended CCPA, consumers have the right to opt out of the selling and sharing of their personal information.

It’s important to understand how the law defines sharing and its relation to selling when filling out your CCPA checklist because the legal definitions don’t match how we use these terms in everyday conversations.

Sharing, according to Section 1798.140 (ah), means taking any of the following actions regarding consumer personal information:

  • Sharing
  • Renting
  • Releasing
  • Disclosing
  • Disseminating
  • Making available
  • Transferring
  • Otherwise communicating orally, in writing, or by electronic means

The CCPA doesn’t care if a monetary transaction occurs between your business and a third party when sharing personal information.

There doesn’t need to be a value exchange of any kind. A user can still opt out of the use of their data for things like cross-context behavioral advertising even if no money trades hands.

Information About CCPA-Compliant Risk Assessments

If you process information that could pose a significant risk to consumer privacy or security, you must regularly perform cybersecurity audits and submit risk assessments to the California Privacy Protection Agency (CPPA).

The CPRA amendments to this law introduced the CPPA as the administrative enforcement agency, replacing what used to be the duty of the California Attorney General’s Office.

Within the risk assessment, you must:

  • State whether you process sensitive personal information
  • Identify and weigh the benefits resulting from the processing of the information for your business, the consumer, any other stakeholders, and the public
  • Compare the benefits to the risks to the rights of the consumer concerning the processing of the information
  • Maintain the goal of restricting and prohibiting the processing of the information if the risks outweigh the benefits

The CPPA is responsible for providing the public with a report summarizing all risk assessments filed with the agency.

CCPA Security Requirements

California introduced Civil Code section 1798.81.5 to provide guidance on how businesses can implement reasonable security measures concerning the personal information collected.

According to Section 1798.150 of the amended CCPA, it’s your responsibility to keep your users’ personal information safe, or else they can pursue civil action against you if:

  • Their nonencrypted, nonredacted personal information is accessed or exfiltrated without authorization, is stolen, or disclosed as a result of poor security protocols
  • Their email address — in combination with their password, security question answers, or any other answer that would permit access to an account — is accessed or exfiltrated without authorization, is stolen, or disclosed as a result of poor security practices

You must implement reasonable, appropriate security measures to prevent any consumer personal information from unauthorized access, destruction, use, modification, or disclosure.

Tips for Complying With the CCPA and CPRA

If you want to set your business up for CCPA and CPRA compliance, implement all of the following tips:

Penalties for Not Complying With the CCPA

The penalties for not complying with the CCPA, even by mistake, include:

  • $2,500 per non-intentional violation
  • $7,500 per intentional violation or for any offense involving a minor under the age of 16

There is no longer a grace period for curing CCPA violations now that the CPRA amendments are in force.

Instead, the California Privacy Protection Agency (CPPA) decides on an individual basis how much time each business has to correct its mistakes and will consider whether the company:

  • Intentionally violated the CCPA
  • Made an effort to cure the alleged violation

Consumers can also pursue private action against businesses if:

  • Nonencrypted and nonredacted personal information gets compromised
  • Their email addresses, in combination with a password or other details permitting access to an account, get breached

CCPA Compliance FAQ

Want a bit more information about complying with the CCPA? Check out some common questions we get about this data privacy law below.

What is the CCPA?

The CCPA is a state law passed in California that outlines business obligations for entities collecting and processing user personal information and describes citizens’ rights.

When did CCPA become active?

It came into force on January 1, 2020, and was amended by the Consumer Privacy Rights Act (CPRA) as of January 1, 2023.

Any portions of the CCPA unaffected by the CPRA amendments remain in place.

Who does the CCPA protect?

The CCPA only protects natural persons in California. If you aren’t a California resident, you are not granted the data privacy rights outlined by the CCPA.

Who does the CCPA apply to?

The CCPA applies to entities that do business in California and meet any one of the following thresholds:

  • Earned $25 million in gross annual revenue in the preceding calendar year, measured as of January 1
  • Annually buys, sells, or shares the personal information of 100,000 or more California consumers or households
  • Derives 50% or more of its gross annual revenue from the selling or sharing of personal information

What is the difference between the CCPA and CPRA?

The CPRA is a set of amendments written to adapt and update portions of the CCPA. Both are now in force and are collectively referred to as simply the CCPA, the amended CCPA, or the CCPA as amended.

How Termly Helps Your Business Comply With the CCPA

Our legally backed tools, generators, and consent solutions can help your business fully comply with all facets of the CCPA and the CPRA amendments.

We offer all of the following necessary business resources:

Next up, I’ll walk you through how you can rely on each of these tools for full CCPA compliance.

Policy Generators and Templates

You can use our Privacy Policy Generator and free template to create a compliant CCPA privacy policy in minutes.

Thanks to our legal team and data privacy experts, our solutions include the proper clauses and information required by the recent CPRA amendments.

They also cover the following:

  • General Data Protection Regulation (GDPR)
  • The UK GDPR
  • California Online Privacy Protection Act (CalOPPA)
  • Virginia Consumer Data Protection Act (CDPA)
  • Personal Information Protection and Electronic Documents Act (PIPEDA)

With our Privacy Policy Generator, all you need to do is answer a few simple questions about your business, and our tools create a compliant, easy-to-read policy for you.

No hassles, no stress, just ease.

Screenshot (original article): Termly’s CCPA-compliant privacy policy generator.

You can also download and customize our free template and simply replace the blank sections of the document with details about your company.

Screenshot (original article): a sample of Termly’s privacy policy template.

Whichever solution you choose, you can trust that our legal team and data privacy experts have vetted all of our generators and templates. That way, you can rest easy knowing your business is set up for successful privacy compliance.

Consent Management Platform (CMP)

Our Consent Management Platform, backed by our legal team and data privacy experts, can easily be configured to comply with all CCPA consent requirements.

According to the law, consumers have the right to opt out of certain types of data processing, and our accessible consent preference center meets this legal requirement.

Plus, you can customize a cookie banner and create an accurate cookie policy to keep your California consumers adequately informed.

Screenshot (original article): Termly’s CMP tools.

Remember, cookies and other trackers qualify as personal information under the CCPA, and consumers have the right to know what information you’re tracking. Use our website Cookie Scanner tool for auditing your website and locating all cookies it currently uses.

Data Subject Access Request (DSAR or SAR) Forms

As part of our CMP, you’ll have access to a DSAR or SAR form so your consumers can easily follow through on their rights to request to access, correct, or delete their personal information.

“Do Not Sell or Share My Personal Information” & “Limit the Use of My Sensitive Personal Information” Links

Our consent management platform also provides you with compliant “Do Not Sell or Share My Personal Information” links, which you can embed in the footer of your website or application to meet the requirements outlined by Section 1798.135(a)(3) of the law (screenshot in the original article).

To streamline the process for your users to follow up on their privacy rights, the CCPA says that you can combine this link with the “Limit the Use of My Sensitive Personal Information” link as long as both features are available to consumers.

Summary

You can use our checklist to set your business up for successful CCPA compliance.

Remember, you’ll need a:

  • Privacy policy
  • EULA (for software)
  • Cookie policy
  • Consent management platform
  • DSAR or SAR forms
  • DPAs

You can write all these documents yourself, use free templates, or make the entire process even easier by accessing our full suite of compliant CCPA website policy generators and consent solutions.

About the author

Hi, I’m Josh! I am a Privacy Engineer passionate about using technology to respect user privacy. I thrive at the intersection of complex technology and ever-changing privacy law. If I’m not drafting a design review or re-architecting a system, you might find me reading a biography or hiking at the closest national park.
