11-step CPRA compliance checklist

California has the fifth-largest economy in the world. The state also has among the most stringent data privacy regulations in the United States. This 11-step CPRA compliance checklist will help you achieve and maintain compliance. Protect consumer rights and data and meet the security standards of the California Privacy Rights Act.
Published by Usercentrics
May 20, 2024

User data helps companies better target marketing campaigns, learn more about their website visitors, and optimize online properties. However, if your organization operates in the state of California, you need to collect and process user data in a way that complies with the state’s data privacy laws, or risk fines, legal action, and loss of customer trust and brand reputation.

The California Privacy Rights Act (CPRA) amends and expands the prior California Consumer Privacy Act (CCPA), setting data privacy rights and processing requirements for commercial entities.

We’ve outlined key elements you need to know about the CPRA and created a CPRA compliance checklist to help you achieve and remain compliant, and build trust with your customers.

What is the difference between the CCPA and CPRA?

The California Consumer Privacy Act (CCPA), sometimes also known as “the California GDPR”, is a state-wide data privacy law that regulates how organizations handle the personal information of California residents.

The CCPA was passed in 2018 and went into effect on January 1, 2020. It was the first of the modern, comprehensive data privacy laws to enter into force in the United States. The Act gives California residents the following consumer rights:

  • to learn whether and what data is collected about them
  • to know if their information is being sold to or shared with other individuals or companies
  • to view the data collected about them at any time
  • to prohibit the sale of their personal data
  • to request the deletion of the personal data collected from them
  • to not be discriminated against for exercising their rights
  • to initiate a private right of action against a violator in the event of a data breach

The CPRA took effect on January 1st, 2023, and expands and amends the CCPA. The CPRA added additional consumer privacy rights:

  • to request and have inaccurate information collected about them corrected
  • to limit the use of their personal information that is categorized as sensitive 
  • to request information about automated decision-making and the likely outcomes of using such processes, specifically regarding profiling
  • to opt out of the use of automated decision-making technology regarding personal information

The CPRA also established the California Privacy Protection Agency (CPPA), a dedicated regulator with administrative enforcement and rulemaking authority; the Office of the Attorney General retains its civil enforcement powers alongside it. In addition, the CPRA expanded the scope of the law’s applicability.

What data is protected under the CPRA?

The CCPA and CPRA do take some influence from the EU’s General Data Protection Regulation (GDPR). Both have strict requirements for data processing and privacy rights. However, the biggest difference is that the GDPR emphasizes legal bases for data processing, often requiring user consent prior to any data collection or processing, whereas the CPRA uses an opt-out model. Individuals do not have to give their consent for their data to be collected and processed, but they do have to be able to opt out of it being shared, sold, or used for targeted advertising or profiling.

The CPRA defines personal information as “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” This includes identifiers like:

  • names 
  • addresses
  • email addresses
  • Social Security numbers
  • account numbers
  • internet activity
  • professional or employment-related information

The CPRA also introduces a new category of “sensitive personal information” which includes more sensitive data (which could cause greater harm if misused), like: 

  • passport numbers
  • financial account numbers
  • precise geolocation
  • racial or ethnic origin
  • religious beliefs
  • contents of emails/text messages
  • genetic data
  • biometric information
  • health data
  • information about a consumer’s sex life or sexual orientation

Who does the CPRA apply to?

CPRA compliance is mandatory for any for-profit company that collects, shares, or sells the personal information of California residents and meets at least one of three compliance thresholds. It doesn’t matter if a company is based in California or operates outside of the state.

The CPRA’s compliance thresholds are:

  • gross annual revenue exceeding US $25 million for the preceding year, or
  • buying, selling or sharing the personal information of 100,000 or more California consumers or households annually, or
  • deriving at least 50% of annual revenue from selling or sharing the personal information of California consumers

The CPRA does not apply to government entities and most nonprofit organizations.

What are the fines and penalties for CPRA noncompliance?

The California Privacy Protection Agency can pursue civil penalties of up to $2,500 per unintentional violation, or up to $7,500 per intentional violation or violation involving minors.

Consumers also have a private right of action if their personal information is exposed in a data breach caused by a company’s failure to implement reasonable security measures. Affected individuals can sue and seek statutory damages of between $100 and $750 per consumer per incident, or actual damages, whichever is greater. To date, California is the only US state whose comprehensive privacy law allows this.

Ensure your business is CPRA-compliant with a free CPRA compliance checklist

CPRA compliance can be complex, and in some areas, the law outlines requirements, but not clear steps to achieve compliance with them. 

Usercentrics has compiled a free and detailed CPRA compliance checklist for the steps companies need to complete, along with best practices, when working toward achieving and maintaining CPRA compliance.

This CPRA compliance checklist covers key areas to address, from data collection and storage to individual rights and breach reporting.

Your CPRA compliance checklist

These steps will help you achieve compliance with the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA), which apply to and protect residents of California. The checklist also includes recommended best practices for data privacy-related user experience.

Step 1: Determine if your company is required to comply

The CPRA applies to your for-profit organization if it meets any one of the following thresholds:

  • has gross annual revenue that exceeds US $25 million for the preceding year, or 
  • buys, sells or shares personal data from 100,000+ California consumers or households annually, or 
  • derives at least 50% of annual revenue from selling or sharing the personal data of California consumers

Important to know: The CCPA was expanded and amended by the CPRA, which came into effect January 1, 2023, with enforcement starting July 1, 2023. The CPRA’s provisions apply to personal information collected by a business on or after January 1, 2022, so consumer requests can reach back to data gathered before the law became operative.

Step 2: Create a comprehensive Privacy Policy

  • Purpose: Inform consumers at or before the point of data collection:
    • how data is collected 
    • how long collected data is retained 
    • categories of personal data collected 
    • purposes for which data is collected 
    • whether data collected is sold to or shared with third parties 
    • the third parties with which data is shared 
  • Rights: Inform website visitors of their privacy rights and how to exercise them. 
  • Language: Ensure the Privacy Policy is clear and easy to understand, which includes availability in the languages in which your business provides information in California.
  • Implementation: Implement a privacy notice with information about data use, consumers’ rights and user options, such as opting out. Enable consumers to exercise rights, like opting out, via a banner or pop-up when users visit your site, e.g. with a Consent Management Platform.

Step 3: Inform users about their rights

Consumers’ rights under the CCPA: 

  • Right to Know: what personal data is collected and how it is used or shared 
  • Right to Delete: personal data that has been collected about them (with exceptions) 
  • Right to Data Portability: a copy of personal data must be provided in a portable and readily usable format 
  • Right to Non-discrimination: for exercising privacy rights 
  • Right to Opt Out: of the sale or sharing of their personal data 
  • Rights of Minors: the personal data of consumers under 16 may not be sold or shared without opt-in consent, which must come from a parent or guardian for children under 13 

Additional rights under the CPRA: 

  • Right to Correction: updates or corrections to inaccuracies in personal data collected 
  • Right to Know about Automated Decision-making: request information about automated decision-making and likely outcomes of using it, specifically with regards to profiling 
  • Right to Opt Out of Automated Decision-making: refuse use of automated decision-making technology with regards to personal data 
  • Right to Restrict Use of Sensitive Personal Information: limit the collection or use of personal data the law classifies as sensitive

Step 4: Review and update your Privacy Policy every 12 months

  • Review your operations and potential changes in the law every 12 months. Update your Privacy Policy information and its effective date. Effective date should be updated even if you don’t make any other changes to the Policy. 
  • Transparency: Ensure that the information that users must be notified about is clear, comprehensive and up to date. Ensure that the date of the last update is clearly visible. 
  • Data sold: List all the categories of personal information that your business has sold in the past 12 months.
  • If the consumer has opted out, you can present the option to opt in again after 12 months.

Steps 5 to 7: Provide opt-out links and obtain consent for minors

  • Availability: Easily accessible on your website homepage. 
  • Method: Via the use of a Consent Management Platform (CMP).
  • Sensitive Personal Data: Provide a clear “Limit The Use of My Sensitive Personal Information” link to enable consumers to restrict its use. 
  • Minors’ Consent: Obtain explicit opt-in consent from the data subject before selling or sharing their personal data if the data subject is at least 13 and under 16 years of age. 
  • Parents/Guardians: Obtain opt-in consent from a parent or legal guardian before selling or sharing the personal data of a data subject under the age of 13.

Step 8: Enable consumers to make Data Subject Access Requests (DSARs)

  • Provide at least 2 contact options, e.g. toll-free phone number, web form, email. 
  • Set up a system to enable submission of DSARs.

Step 9: Set up a system to verify Data Subject Access Requests (DSARs)

  • Enable consumers to attach documentation when submitting a request, so that their identity and California residency can be verified securely. Match the level of verification to the sensitivity of the data and the request type; a deletion or correction request for sensitive data warrants a higher degree of certainty than a request for the categories of data collected. 
  • Record the outcome of each verification attempt alongside the request. 
  • If your business cannot reasonably verify the consumer’s identity to the appropriate degree of certainty, it must inform the consumer, explain why the request could not reasonably be verified, and give the consumer an opportunity to rectify this.

Step 10: Keep track of Data Subject Access Requests (DSARs)

  • Set up a system to track all requests. 
  • Time period: keep records of all requests and your business responses for 2 years

Step 11: Fulfill Data Subject Access Requests (DSARs)

  • Acknowledgement: confirm receipt of a request within 10 business days. 
  • Standard time period: respond within 45 calendar days of receiving the request. 
  • Extended time period: the deadline may be extended once, by up to a further 45 days (90 days in total), when reasonably necessary, provided the consumer is notified of the extension within the first 45-day period.
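Steps 8 to 11 describe one workflow: take requests in, verify the requester, track each request, and respond within the statutory windows. The following is an added example, not code from Usercentrics or from the original checklist, of a minimal request tracker that encodes those deadlines so they cannot be miscalculated by hand. The `DSAR` class, its field names and the `Status` values are assumptions for illustration; business-day counting ignores public holidays, and the 24-month retention clock is started from the date the request was received, both simplifications marked in the comments.

```python
import calendar
from dataclasses import dataclass
from datetime import date, timedelta
from enum import Enum
from typing import Optional

RESPONSE_DAYS = 45        # standard response window, calendar days
EXTENSION_DAYS = 45       # one extension only, taking the total to 90 days
ACK_BUSINESS_DAYS = 10    # confirm receipt within 10 business days
RETENTION_MONTHS = 24     # keep records of requests and responses for 24 months


class Status(Enum):
    RECEIVED = "received"
    VERIFIED = "verified"
    VERIFICATION_FAILED = "verification_failed"
    FULFILLED = "fulfilled"


@dataclass
class DSAR:
    """One consumer request. Field names are illustrative assumptions."""
    request_id: str
    received: date
    request_type: str                       # e.g. "know", "delete", "correct"
    channel: str                            # e.g. "web_form", "toll_free", "email"
    status: Status = Status.RECEIVED
    extension_notice: Optional[date] = None  # date the consumer was told of the extension
    fulfilled: Optional[date] = None
    failure_reason: Optional[str] = None


def add_business_days(start: date, n: int) -> date:
    # Monday to Friday only; public holidays are ignored (simplifying assumption).
    d = start
    while n > 0:
        d += timedelta(days=1)
        if d.weekday() < 5:
            n -= 1
    return d


def add_months(d: date, months: int) -> date:
    # Clamp the day so e.g. 31 January + 1 month lands on the last day of February.
    idx = d.month - 1 + months
    year, month = d.year + idx // 12, idx % 12 + 1
    return date(year, month, min(d.day, calendar.monthrange(year, month)[1]))


def ack_due(req: DSAR) -> date:
    return add_business_days(req.received, ACK_BUSINESS_DAYS)


def response_due(req: DSAR) -> date:
    days = RESPONSE_DAYS + (EXTENSION_DAYS if req.extension_notice else 0)
    return req.received + timedelta(days=days)


def extend(req: DSAR, notice_date: date) -> date:
    """Record the single permitted extension; the notice must fall inside the first 45 days."""
    if req.extension_notice is not None:
        raise ValueError("only one extension is permitted")
    if notice_date > response_due(req):
        raise ValueError("extension notice must reach the consumer within the first 45 days")
    req.extension_notice = notice_date
    return response_due(req)


def fail_verification(req: DSAR, reason: str) -> str:
    """Mark the request unverifiable and build the notice the consumer must receive."""
    req.status = Status.VERIFICATION_FAILED
    req.failure_reason = reason
    return (f"Request {req.request_id} could not be verified: {reason}. "
            "You may resubmit with additional documentation to establish your identity.")


def fulfill(req: DSAR, on: date) -> bool:
    """Close the request; returns True when the response met the deadline."""
    req.status = Status.FULFILLED
    req.fulfilled = on
    return on <= response_due(req)


def is_overdue(req: DSAR, today: date) -> bool:
    return req.status is not Status.FULFILLED and today > response_due(req)


def retention_until(req: DSAR) -> date:
    # Retention measured from receipt here; the record must survive at least 24 months.
    return add_months(req.received, RETENTION_MONTHS)


def purge_eligible(req: DSAR, today: date) -> bool:
    return req.status is Status.FULFILLED and today >= retention_until(req)


if __name__ == "__main__":
    # Constructed sample request, not real consumer data.
    r = DSAR("req-001", date(2024, 5, 20), "know", "web_form")
    print("acknowledge by", ack_due(r), "respond by", response_due(r))
    print("extended deadline", extend(r, date(2024, 6, 15)))
```

The checks worth keeping in production are the two that the law phrases as conditions rather than dates: a second extension is refused outright, and an extension notice dated after the original 45-day deadline is refused because it can no longer be given "within the first 45-day period".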