CCPA Compliance Checklist 2026
Everything California businesses need to know about CCPA/CPRA compliance, including new requirements effective in 2026.
The California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), is now fully in effect. Here's your complete checklist for 2026 compliance.
Does CCPA Apply to Your Business?
CCPA applies if you do business in California AND meet any of these thresholds:
- Annual gross revenue exceeds $25 million
- Buy, sell, or share personal information of 100,000+ California consumers annually
- Derive 50% or more of annual revenue from selling or sharing personal information
Note: "Sharing" now includes providing data to third parties for cross-context behavioral advertising, even without monetary exchange.
Privacy Policy Requirements Checklist
Required Disclosures
Your privacy policy must include:
- Categories of personal information collected in the past 12 months
- Sources of that information
- Business or commercial purposes for collection
- Categories of third parties with whom you share information
- Categories sold or shared in the past 12 months (or a statement that none were)
- Categories disclosed for business purposes in the past 12 months
- How long you retain each category of information
- Consumer rights and how to exercise them
Consumer Rights Section
Clearly explain these rights:
- Right to Know: Consumers can request what information you hold about them
- Right to Delete: Consumers can request deletion of their data
- Right to Correct: Consumers can request correction of inaccurate data
- Right to Opt-Out: Opt out of sale/sharing
- Right to Limit Use: Limit use of sensitive personal information
- Right to Non-Discrimination: No retaliation for exercising rights
Website Requirements
"Do Not Sell or Share" Link
If you sell or share personal information, you must have a clear link titled "Do Not Sell or Share My Personal Information" on your website. This should lead to an easy opt-out mechanism.
"Limit Use" Link
If you process sensitive personal information, provide a "Limit the Use of My Sensitive Personal Information" link.
Request Submission Methods
Provide at least two methods for consumers to submit requests (e.g., toll-free number and web form). Online-only businesses need only provide an email address.
Operational Requirements
Request Response Times
- Acknowledge receipt within 10 business days
- Respond to request within 45 calendar days
- Extension of up to 45 additional days if necessary (with notice)
Verification
Implement reasonable verification methods to confirm request authenticity. The level of verification should match the sensitivity of the data.
Training
Ensure employees who handle consumer requests understand CCPA requirements.
Record Keeping
Maintain records of consumer requests and responses for at least 24 months. Include metrics in your privacy policy if you receive 10 million+ consumer requests annually.
Contracts with Service Providers
Ensure contracts with service providers and contractors include:
- Specific purposes for data processing
- Prohibition on selling or sharing the data
- Obligation to assist with consumer requests
- Notification requirements for breaches
Generate Your CCPA Privacy Policy
Don't risk non-compliance. Use our CCPA Privacy Policy Generator to create a California-compliant policy in minutes. It covers all the required disclosures and consumer rights automatically.