CCPA Compliance Checklist: What Your Website and Business Actually Need

The California Consumer Privacy Act gives California residents specific rights over how businesses collect and use their personal data. If your business meets certain thresholds and collects data from California residents, CCPA applies to you regardless of where your company is based. This checklist covers everything your website and business need to comply with CCPA. Each item is explained in plain English so you know not just what to do, but why it matters.

Does CCPA Apply to Your Business?

Before working through the checklist, confirm whether CCPA actually applies to you. CCPA covers for-profit businesses that collect personal information from California residents and meet at least one of these thresholds: annual gross revenue over $25 million, buying or selling the personal information of 100,000 or more California residents or households per year, or deriving 50% or more of annual revenue from selling or sharing California residents' personal data.

If you are a nonprofit, government agency, or do not meet any of these thresholds, CCPA does not apply. However, if you have any California users and are growing, it is worth understanding these requirements early so you are not scrambling later.

CCPA Compliance Checklist

1. Know what personal information you collect

CCPA defines personal information broadly. It includes names, email addresses, IP addresses, browsing history, purchase history, location data, and inferences drawn about a person based on their behavior.

You need to know exactly what data your website and business collect, why you collect it, how it is stored, how long you keep it, and which third parties you share it with. This is called a data inventory and it is the foundation of CCPA compliance.

2. Update your privacy policy

Your privacy policy must disclose the categories of personal information you collect, the purposes for collecting it, whether you sell or share personal information, the categories of third parties you share data with, and the rights California residents have under CCPA.

The policy must be available at or before the point where you collect personal information, meaning it needs to be linked clearly from your website, not buried.

3. Add a "Do Not Sell or Share My Personal Information" link

If your business sells or shares personal information with third parties, you are required to provide a clear link on your homepage and privacy policy that says "Do Not Sell or Share My Personal Information." This link must be easy to find and must lead to a mechanism that lets users opt out.

Note that running Google Analytics, Facebook Pixel, or most ad networks may count as "sharing" personal information under CCPA's updated definition. This is one of the most commonly missed requirements.

4. Honor consumer rights requests

California residents have the right to know what personal information you have collected about them, the right to delete their personal information, the right to correct inaccurate personal information, the right to opt out of the sale or sharing of their data, and the right to limit the use of sensitive personal information.

You must have a process for receiving and responding to these requests. Requests must be responded to within 45 days, with one optional 45-day extension if you notify the consumer.

5. Set up at least two methods for submitting requests

CCPA requires you to provide at least two ways for consumers to submit rights requests. At minimum, this means a dedicated email address for these requests. If your business operates primarily online, you also need a web form. Many businesses also include a toll-free phone number.

6. Do not discriminate against consumers who exercise their rights

You cannot charge a different price, deny service, or provide a lower quality of service to consumers who opt out of data sales or make a rights request. There is a narrow exception for loyalty programs where data sharing is a genuine part of the value exchange, but general users cannot be penalized for exercising their rights.

7. Handle sensitive personal information separately

CCPA gives consumers the right to limit how you use sensitive personal information. This includes Social Security numbers, financial account details, precise geolocation, health information, racial or ethnic origin, and the contents of messages.

If you collect any of this data, you need to give consumers the ability to limit its use to what is strictly necessary to provide the service.

8. Have contracts with your service providers

If you share personal information with third-party service providers, such as cloud hosting, email platforms, analytics tools, or CRMs, you need written contracts that restrict those providers from using the data for their own purposes. Under CCPA, passing data to a service provider without a proper contract can turn that transfer into a "sale," which triggers additional obligations.

9. Train your staff

Anyone who handles consumer rights requests or has access to personal data needs to understand CCPA basics. This does not need to be a formal training program. It can be a simple internal document covering what requests may come in, how to respond, and who is responsible.

10. Be prepared for data breaches

CCPA gives consumers a private right of action for data breaches involving certain types of personal information, including names combined with Social Security numbers, financial account details, or medical information. Damages range from $100 to $750 per consumer per incident. Having basic security controls in place and a clear breach response process reduces your exposure significantly.

What Changed Under CPRA

The California Privacy Rights Act (CPRA), which took effect in 2023, updated and expanded CCPA. The main additions are: a new right to correct inaccurate data, an expanded definition of "sharing" that now includes cross-context behavioral advertising, a new sensitive personal information category with its own separate right to limit use, and a move of enforcement to a dedicated agency, the California Privacy Protection Agency.

If you became CCPA compliant before 2023, it is worth reviewing your setup against the CPRA updates.

How Long Does CCPA Compliance Take?

For a small business or startup that does not sell data, the core requirements (updating your privacy policy, adding the opt-out mechanism, and setting up a request process) can typically be completed in one to two weeks. The more complex work is the data inventory, especially if you use many third-party tools.

For a business that actively monetizes data or has complex data flows, a proper compliance project usually takes four to eight weeks.

Where to Start

The fastest way to see where you stand is to work through a structured checklist. Our free CCPA compliance checklist walks you through every requirement so you can see exactly what you have covered and what still needs attention.

Frequently Asked Questions

Does CCPA apply to businesses outside California?

Yes. CCPA applies to any for-profit business that meets the thresholds and collects personal information from California residents, regardless of where the business is located. A company based in New York or Amsterdam still has to comply if it has California customers and meets the size criteria.

Does CCPA apply to B2B data?

The CPRA 2023 update reinstated limited B2B exemptions, but these are narrow. If you collect personal information from California-based business contacts, CCPA obligations may still apply depending on how that data is used.

Is CCPA the same as GDPR?

No. GDPR is a European regulation that requires an opt-in model: you need a legal basis before collecting data. CCPA uses an opt-out model: you can collect data, but consumers have the right to opt out of its sale or sharing. GDPR also covers a broader set of rights and carries higher maximum penalties.

What is the penalty for violating CCPA?

The California Attorney General can impose fines of up to $2,500 per unintentional violation and $7,500 per intentional violation. More significantly, CCPA gives consumers a private right of action for data breaches, with statutory damages of $100 to $750 per consumer per incident. A breach affecting 10,000 California residents could mean up to $7.5 million in exposure.

Does a privacy policy alone make you CCPA compliant?

No. A privacy policy is one requirement but not the whole picture. You also need a working opt-out mechanism, a process for handling consumer rights requests, contracts with your service providers, and basic data security. A privacy policy that lists rights without the infrastructure to honor them does not constitute compliance.