
CCPA Compliance Checklist: How to Achieve Full Compliance for Your Website

Summary
  • The CCPA applies to for-profit businesses operating in California that meet at least one of three thresholds: annual revenue, data volume, or revenue derived from selling personal information.
  • The law distinguishes between general personal information and sensitive personal information, each subject to different handling requirements.
  • Businesses must publish a clear “Do Not Sell or Share My Personal Information” link and a privacy policy that reflects current CPRA amendments.
  • California consumers have the right to access, correct, delete, and port their data, and to opt out of its sale or sharing, including with automated decision-making technologies.
  • Websites must honor the Global Privacy Control (GPC) signal as a valid opt-out mechanism.
  • A consent management platform can help businesses meet their CCPA and CPRA obligations by collecting, storing, and managing consent data in a compliant manner.

The California Consumer Privacy Act (CCPA) isn’t just an evolving legal obligation. Vigilance and compliance operations are key to safeguarding your business and securing long-term success when operating in the state.

Under the CCPA and its expansion and amendment in the California Privacy Rights Act (CPRA), consumers have more control over their personal information and how it’s handled by businesses. Failing to comply with these regulatory requirements can result in significant fines and penalties, along with loss of brand reputation and partnership revenue opportunities.

To achieve and maintain compliance, businesses need a thorough understanding of the regulation and careful attention to implementation, along with review of regulatory requirements, business operations, and technologies in use as they all evolve.

We’ve compiled this compliance checklist to support CCPA and CPRA requirements for your business. Check it out below or download the CCPA compliance checklist (PDF) to align your business with CCPA/CPRA privacy laws.

Who Needs to Comply with the CCPA?

The CCPA applies to all for-profit organizations that do business in California, and that meet any of the following criteria:

  • They receive, process, or transfer data from 100,000 or more consumers or households in California every year.
  • Their annual gross revenue from the preceding calendar year exceeds USD 25 million (periodically adjusted to the Consumer Price Index).
  • At least 50 percent of their annual revenue comes from selling or sharing California residents’ personal information.

If any of these criteria apply to your business, failure to comply with the CCPA can lead to fines of up to USD 7,500 per willful violation (periodically adjusted to the Consumer Price Index).

How Does the CCPA Define Personal Information?

Understanding what counts as personal information under the CCPA is foundational to meeting your compliance obligations. The law casts a deliberately wide net, covering not just obvious identifiers like names and email addresses, but any information that identifies, relates to, describes, or could reasonably be linked to a specific individual or household.

That breadth is intentional. Regulators designed the definition to keep pace with the range of ways businesses collect and use data in practice. The CCPA draws a further distinction between general personal information and a more sensitive category of data that carries stricter handling requirements. Both are covered by the law, but they are treated differently.

Personal Information

Personal information (PI), also referred to under other laws as personal data, includes data that identifies, relates to, describes or can be associated with an individual or their household, including:

  • Name
  • Social Security number
  • Email address
  • Records of products purchased
  • Internet browsing history
  • Geolocation data
  • Fingerprints
  • Any other information reflecting an individual’s preferences and characteristics

Sensitive Personal Information

Sensitive personal information includes data that, if stolen or misused, can seriously harm an individual. Examples include:

  • Account login details
  • Financial accounts
  • Debit or credit card numbers and security codes
  • Passwords and credentials allowing access to an account
  • Precise geolocation
  • Content of private mail, email, and text messages
  • Biometric information that can identify a consumer
  • A consumer’s health information
  • Information about racial or ethnic origin, religious or philosophical beliefs, or union membership

Manage CCPA requirements with Usercentrics

Collect, manage, store, and signal consent data in line with CCPA/CPRA requirements. Provide visitors with transparency and control over their personal information. Try it free for 14 days. No credit card required.

CCPA and CPRA Compliance Checklist

What do you need to do to support your business’s compliance with the CCPA and CPRA? Follow our checklist to kickstart the process.

1. Develop a Comprehensive Data Privacy Policy

A privacy policy details how your company collects, uses, shares and safeguards the personal information of customers or prospects who interact with your website. It informs customers of their data privacy rights and enables you to build trust by demonstrating your adherence to data privacy laws.

Use the Usercentrics Privacy Policy Generator and get a customized privacy policy for your business and regulatory needs in minutes.

The CCPA requires you to be transparent about the type of data you collect from customers. As such, a CCPA-compliant privacy policy must include the following:

  • Type(s) of personal information collected and processed
  • Purpose(s) for collecting and processing personal information
  • How you’re collecting and processing personal information, e.g., use of cookies and other tracking technologies
  • How personal information is used, e.g., advertising or analytics
  • How you share personal information with third parties
  • How individuals can request to have access to their data or have it corrected, deleted, or provided in a portable format
  • Identity verification procedure for submitting a data subject access request (DSAR)

With CPRA amendments, your privacy policy should also include:

  • A clause listing which personal information collected is categorized as sensitive, if applicable
  • A statement advising that your customers have the right to have the information they have shared with you corrected or updated
  • How individuals can opt out of their data being sold or shared; your website is required to have a clear “Do Not Sell or Share My Personal Information” link

2. Disclose How Your Customers’ Data Is Used

If you sell or share information about California consumers protected by the CCPA or CPRA, you must inform them before their data is sold or shared with third parties. You can achieve this using a consent management banner that appears when they visit your site.

The consent management banner should be easily noticeable and accessible on your website. Suitable locations or points in the user flow include:

  • First point of contact, such as your landing pages and/or home page
  • As part of a registration or signup process
  • During the checkout process
  • In the site’s header or footer

When informing users how their data is being used in a consent banner, follow these guidelines:

  • Clearly explain what they are consenting to regarding the data collected, purposes for its use, who it may be shared with, etc.
  • Provide the purposes for why you’re collecting their data, whether to improve the user experience, personalize content, target advertising, or other business interests.
  • Specify the types of data being collected, which can include personal information (e.g., name, email, IP address) or browsing behavior collected via cookies or other tracking technologies.
  • Provide equally accessible options for individuals to accept or decline the consent request, where relevant, or to opt out.
  • Include a link to your privacy policy where they can find more detailed information.

Do you know what personal data your website collects?

Find out for free in just a couple of minutes. Learn what personal data your website is collecting via cookies and trackers. Make sure you meet ad platform rules and data privacy standards.

3. Collect and Store Consent

The CCPA and CPRA do not require businesses to obtain consent from consumers before selling or sharing their personal information unless the information is that of minors. But they must enable people to opt out of the sale or sharing at any time.

Companies must also limit their use of sensitive personal information to what’s necessary to perform or provide goods or services reasonably expected by the average consumer requesting them.

Here are some best practices to collect and store consent data securely:

  • Implement user-friendly mechanisms to collect consent, like a consent banner on your website.
  • Collect consent directly from any visitor that’s over the age of 13 (including minors 13 to 16 years old), or from parents or legal guardians if they are under 13.
  • Give users granular information and consent options to choose which types of data they’re willing to share, if they choose to.
  • Make sure that visitors can revisit their consent preferences and update or withdraw consent at any time.
  • Be sure to understand the difference between personal information and “sensitive” personal information, what the consent requirements are for each, and how each must be handled.

To comply with CCPA requirements, websites must also honor the universal opt-out signal/mechanism. California is one state that explicitly references and requires recognizing the Global Privacy Control (GPC).

Beyond California, there are now 12 states requiring recognition of the GPC or other Universal Opt-Out Mechanism (UOOM). This enables website visitors to set their privacy and consent preferences just once in their browser, and then have those preferences applied on all sites they visit.
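The GPC signal reaches a website in two forms defined by the Global Privacy Control specification: in the browser as `navigator.globalPrivacyControl === true`, and on every HTTP request as the header `Sec-GPC: 1`. The following is an added example, not Usercentrics or Cookiebot code, showing how a site can read the signal from either source, treat it as an opt-out of sale or sharing, and record that decision in a consent record as sections 3 and 4 of this checklist call for. The consent record shape, the purpose names (`advertising`, `cross_context_behavioral`, etc.) and the sample visitor data are assumptions constructed for illustration, not a real CMP’s data model.

```javascript
// Added example (not Usercentrics or Cookiebot code): honoring the Global
// Privacy Control (GPC) signal as a CCPA/CPRA opt-out of sale/sharing and
// recording that decision in a consent record.
//
// The two ways a GPC signal reaches a site are defined by the GPC specification:
//   - client side: navigator.globalPrivacyControl === true
//   - server side: the request header "Sec-GPC: 1"
// The consent record shape and the purpose names below are assumptions made
// for this example, not a real CMP's data model.

// Client side: read the signal from a navigator-like object.
function gpcFromNavigator(nav) {
  return Boolean(nav && nav.globalPrivacyControl === true);
}

// Server side: read the signal from request headers. Header names are
// case-insensitive; only the value "1" is a valid signal, so "0" or "" is ignored.
function gpcFromHeaders(headers) {
  for (const [name, value] of Object.entries(headers || {})) {
    if (name.toLowerCase() === 'sec-gpc') {
      return String(value).trim() === '1';
    }
  }
  return false;
}

// Purposes this example treats as "sale or sharing" (assumed names).
const SALE_OR_SHARING_PURPOSES = new Set(['advertising', 'cross_context_behavioral']);

// Apply the opt-out: a GPC signal switches off every sale/sharing purpose,
// leaves other purposes (essential, analytics) untouched, and appends an
// audit entry so the record shows when and why the opt-out was applied.
// The input record is not mutated; a new record is returned.
function applyGpcOptOut(record, gpcSignal, now = new Date()) {
  const updated = {
    ...record,
    purposes: { ...record.purposes },
    history: [...(record.history || [])],
  };
  if (!gpcSignal) return updated;

  for (const purpose of Object.keys(updated.purposes)) {
    if (SALE_OR_SHARING_PURPOSES.has(purpose)) updated.purposes[purpose] = false;
  }
  updated.history.push({
    at: now.toISOString(),
    source: 'gpc',
    action: 'opt_out_sale_or_sharing',
  });
  return updated;
}

// Gate check used before loading a sale/sharing tag or vendor script:
// true only if the record currently permits that purpose.
function mayProcessFor(record, purpose) {
  return record.purposes[purpose] === true;
}

// Constructed sample: a visitor who previously accepted everything on the
// banner, now returning with GPC enabled in the browser.
const sampleRecord = {
  visitorId: 'visitor-123',
  purposes: { essential: true, analytics: true, advertising: true, cross_context_behavioral: true },
  history: [{ at: '2025-01-01T10:00:00.000Z', source: 'banner', action: 'accept_all' }],
};
const sampleHeaders = { 'Sec-GPC': '1', 'User-Agent': 'ExampleBrowser/1.0' };

const result = applyGpcOptOut(
  sampleRecord,
  gpcFromHeaders(sampleHeaders),
  new Date('2025-02-01T12:00:00Z'),
);
console.log(JSON.stringify(result.purposes));
// advertising and cross_context_behavioral are now false; essential and analytics stay true
console.log(mayProcessFor(result, 'advertising')); // false
```

The check in `mayProcessFor` is the point a practitioner should wire into tag loading: the banner and the GPC signal both feed the same record, and any script that sells or shares data consults the record rather than the banner state alone, so a signal received on a later visit is honored without the visitor having to interact with the banner again.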

4. Securely Maintain Customer Records

Regulatory requirements dictate that securely storing consent records is as important as securely storing the personal information that you collect from users. Consent records must also be accessible to users if they want to change or revoke them, and to data protection authorities in the case of an investigation or audit.

A consent management platform (CMP) enables businesses to compliantly inform visitors and obtain their consent for data access and use. It also enables transparency about data handling practices and provides functionality for users to update preferences over time.

5. Include a Clear “Do Not Sell Or Share My Personal Information” Link on Your Website Home Page

A key requirement of the CCPA involves enabling website visitors to opt out of the sale of their data to, or sharing with, third-party vendors if they wish to.

California’s privacy laws use an opt-out consent model, so in most cases, you won’t need to explicitly ask for prior consent for data use, unless you’re knowingly collecting sensitive data or children’s data. You will, however, always need to provide an opt-out option.

That’s what a “Do Not Sell Or Share My Personal Information” link does, or a “Limit the Use of My Sensitive Personal Information” link for sensitive information. It directs individuals to a page, form, or other mechanism where they can exercise their rights to opt out or access additional privacy information or controls.

Consider using a CMP to add this link and other required privacy information to the relevant parts of your website, such as the footer, privacy policy, and consent banner.

With Usercentrics CMP, you can fully customize the consent banner’s appearance to match your corporate branding, or get up and running fast with one of our high-quality templates. Design the colors, fonts, logos, links, buttons, relevant regulatory information, and more.

Monitor your banner’s performance and visitor’s consent actions via the Analytics Dashboard and use A/B Testing to optimize visitor experience and consent rates over time.

6. Make Sure That Visitors Can Contact You

The CCPA/CPRA requires you to enable visitors to easily contact you regarding data requests or privacy concerns. Make this information easily accessible on your website. Doing so also helps build trust, which supports long-term customer relationships.

Businesses are also required to have a system to receive and respond to user requests, and retain request information for two years. For some businesses, the system will need to be automated if there is a lot of data involved and/or a large volume of user requests.

The CCPA/CPRA grants California users the right to:

  • Access the personal information you’ve collected about them, ask questions, and exercise their rights
  • Request changes or corrections to their data
  • Request a copy of their data and have it moved somewhere else (data portability)
  • Opt out of the sharing or sale of their data, or its use for targeted advertising, profiling, or with automated decision-making technologies
  • Limit the use and disclosure of sensitive personal information
  • Have their data deleted
  • Experience no discrimination if they choose to opt out or otherwise exercise their rights

Companies are required to respond to reasonably verifiable user requests within 45 days, though that can be extended under certain circumstances for an additional 45 days.

7. Set Up an Identity Verification System for Visitors Submitting Requests

If your business cannot reasonably verify the consumer’s identity, you can refuse to answer questions about personal information or to fulfil rights requests. However, you must inform the consumer and explain why the request could not reasonably be verified or fulfilled.

Consumers need to be provided with reasonable means of verifying their identities, e.g., being able to attach documents to the contact form or other contact mechanism. You cannot, however, require individuals to create an account just to make a verified request.

Make sure your website has a comprehensive and transparent privacy policy that informs users about all identity verification requirements and ways to submit, in addition to information on the collection of their personal information and their right to opt out of its sharing, sale, and other uses.

8. Make Data Privacy an Ongoing and Company-Wide Operation

In addition to the necessary website functions and documentation to comply with the CCPA/CPRA, and the people responsible for implementing and managing them, data privacy should be something everyone in the company is involved with.

Employees in many departments — from marketing and customer support to IT and legal — need to access and use various kinds of personal information collected from individuals, and should be trained to do so on an ongoing basis, using security and privacy best practices.

Information about data privacy regulations’ requirements and how they specifically affect your business should be easily available, and it’s recommended to appoint a data privacy or protection officer to oversee privacy operations, enforce best practices, and oversee any issues, like in the case of a complaint or data breach.

Non-compliance with an expanding number of data privacy regulations can result in violations with financial losses from fines and other penalties. Compliance failures can also result in operational disruptions and loss of data, leading to downtime, loss of productivity, and damage to your reputation and your customers’ and partners’ trust, affecting sustainability and growth long term.

Escalating CCPA Enforcement

CCPA/CPRA enforcement has entered a more active phase. California’s dedicated privacy regulator, the California Privacy Protection Agency (now publicly known as CalPrivacy), in conjunction with the Attorney General’s Office, has ramped up operations, and has been issuing significant fines.

Additionally, a new coalition of state regulators has formalized cross-state coordination, which has raised the stakes for businesses operating anywhere in the U.S.

The Consortium of Privacy Regulators

CCPA and CPRA compliance does not exist in isolation, and cross-state enforcement is now coordinated. In April 2025, eight state privacy regulators announced the formation of the Consortium of Privacy Regulators. This is a bipartisan coalition that formalizes coordination on enforcement priorities, information sharing, and consumer protection across jurisdictions.

The Consortium brings together the California Privacy Protection Agency and the attorneys general of California, Colorado, Connecticut, Delaware, Indiana, New Jersey, and Oregon, with the shared objective of bolstering the implementation and enforcement of their respective state privacy laws.

For businesses operating across multiple states, the practical implications are significant. Recognizing that many data practices and potential violations cross state borders, these regulators are collaborating to address multi-jurisdictional issues more efficiently and consistently.

This signals a more unified approach to privacy enforcement across participating states, and the Consortium is open to additional state regulators joining over time. To date, over 20 U.S. states have passed privacy legislation.

Enforcement priorities are already emerging. California issued an enforcement advisory emphasizing that opting out of the sale or sharing of personal information must be as easy as opting in, and cautioned against the use of dark patterns and misleading design that could frustrate consumer choice.

Connecticut’s most recent enforcement report flagged “Problematic Opt-Out Mechanisms / Dark Patterns” as a key area of focus, while Oregon’s enforcement report noted a high volume of alleged violations related to inadequate or missing disclosures and overly burdensome opt-out mechanisms.

In short, businesses that meet CCPA requirements are increasingly likely to find those practices scrutinized not just by California, but by a coordinated group of regulators with shared resources and aligned priorities.

CPPA Enforcement and Landmark Fines

CalPrivacy enforcement has accelerated markedly since 2024. In May 2026, California Attorney General Rob Bonta and CalPrivacy announced a USD 12.75 million settlement with General Motors — the largest CCPA penalty in California history to date.

This settlement resolved allegations that GM sold the location and driving data of hundreds of thousands of Californians to data brokers without their knowledge or consent, and retained that data beyond its original purpose in violation of the CCPA’s data minimization requirements.

Before that, in September 2025, CalPrivacy issued a USD 1.35 million fine against Tractor Supply Company for multiple CCPA violations, including failure to honor opt-out requests and failure to process the Global Privacy Control signal.

Earlier that year, the CPPA also brought an enforcement action against Florida-based data broker National Public Data for failing to meet Delete Act registration requirements. So the enforcement spotlight is not just falling on retailers or on businesses headquartered in California.

Recurring themes across these cases include non-functional opt-out mechanisms, dark patterns in consent interfaces, inadequate GPC support, and failure to limit data collection to stated purposes. These are areas covered in our checklist.

A CMP supports your ongoing CCPA compliance by collecting, storing, managing, and signaling your user consent data. With a comprehensive CMP like Usercentrics, you can:

  • Customize the design and layout of consent banners to match your website’s look and feel
  • Present users with clear and granular consent and opt-out options, including the freedom to revoke consent or adjust their privacy settings
  • Access integrations with third-party services, such as analytics platforms or advertising networks, to consolidate user consent data across tools and platforms

This analytics dashboard from the Usercentrics Consent Management Platform shows user interactions and consent decisions.

Meet CCPA Compliance Requirements with Usercentrics

California’s privacy enforcement is only becoming more coordinated and more consequential. Usercentrics Web CMP, Usercentrics App CMP, and Cookiebot™ CMP are built to help businesses meet CCPA and CPRA requirements, honor the GPC signal, and stay ahead as the regulatory picture continues to develop.

Usercentrics does not provide legal advice, and information is provided for educational purposes only. We always recommend engaging qualified legal counsel or privacy specialists regarding data privacy and protection issues and operations.

Still have questions or privacy compliance concerns?

Complying with the CCPA/CPRA and other laws across the U.S. and globally is complex and evolving. Book your free demo today. Let’s talk about how to protect your business to support sustainable growth.

William Newmark