CCPA Compliance Checklist: 10 Steps to Get Your Business Compliant
Meeting CCPA requirements can feel overwhelming, but breaking it down into actionable steps makes it manageable. Use this checklist to ensure your business covers every critical area of compliance.
1. Determine If CCPA Applies to Your Business
Review the CCPA thresholds: $25 million in annual revenue, the personal information of 100,000 or more consumers processed, or 50% or more of annual revenue derived from selling personal information. If your business meets any one of these, you must comply.
2. Map Your Data Collection Practices
Conduct a thorough data inventory. Document what personal information you collect, where it comes from, how it is used, who it is shared with, and how long it is retained.
3. Update Your Privacy Policy
Your privacy policy must disclose the categories of personal information collected, the purposes of collection, consumer rights under CCPA, and how consumers can submit requests. Update it at least annually.
4. Add a "Do Not Sell or Share" Link
Place a clear, conspicuous "Do Not Sell or Share My Personal Information" link on your website homepage. This link must be easy to find and must lead to a functional opt-out mechanism.
5. Implement Consumer Request Processes
Set up at least two methods for consumers to submit requests (e.g., a web form and a toll-free number). You must acknowledge requests within 10 days and respond within 45 days.
6. Build a Verification Process
Create a process to verify the identity of consumers making requests. The verification standard should be proportional to the sensitivity of the information requested.
7. Review Service Provider Agreements
Ensure your contracts with service providers and third parties include CCPA-required data processing terms, including restrictions on use and obligations to comply with consumer requests.
8. Train Your Team
All employees who handle consumer inquiries or personal information must be trained on CCPA requirements, consumer rights, and your internal processes for handling requests.
9. Implement Reasonable Security Measures
CCPA gives consumers a private right of action for data breaches caused by inadequate security. Implement encryption, access controls, regular audits, and an incident response plan.
10. Document Everything and Maintain Records
Keep records of all consumer requests and your responses for at least 24 months. This documentation is critical in the event of a regulatory audit or enforcement action.
What Happens If You Don't Comply?
Non-compliance with CCPA can result in fines of $2,500 per unintentional violation and $7,500 per intentional violation. Additionally, consumers can sue for $100–$750 per incident in the case of data breaches. For more details, see our guide on CCPA fines and penalties.
Automate Compliance with OptOutWidget
OptOutWidget handles several checklist items automatically—including the opt-out mechanism, consumer request tracking, and response deadline management. Add our embeddable widget to your site and manage everything from a single dashboard.