Updated March 26, 2026 · 14 min read

CCPA Compliance Checklist for Small Businesses (2026 Guide)

The California Consumer Privacy Act gives consumers powerful rights over their personal data. If your business serves California customers, this practical checklist will walk you through every step you need to take to stay compliant and avoid costly penalties.

Table of Contents
  1. What Is CCPA and Who Does It Apply To?
  2. 12-Point CCPA Compliance Checklist
  3. CCPA vs GDPR: Key Differences
  4. What Data Rights California Consumers Have
  5. Penalties for Non-Compliance
  6. How to Add a "Do Not Sell" Link
  7. Frequently Asked Questions

What Is CCPA and Who Does It Apply To?

The California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), is the most comprehensive state-level privacy law in the United States. It gives California residents the right to know what personal information businesses collect about them, to delete that information, and to opt out of its sale or sharing.

The CCPA applies to for-profit businesses that collect personal information from California residents and meet at least one of the following thresholds:

  - Annual gross revenue over $25 million
  - Buying, selling, or sharing the personal information of 100,000 or more consumers or households per year
  - Deriving 50% or more of annual revenue from selling or sharing personal information

Important for small businesses: Even if you don't currently meet these thresholds, you may cross them as your business grows. Many small e-commerce stores, SaaS apps, and service businesses that use third-party analytics and advertising inadvertently "share" data with enough consumers to trigger the 100,000 threshold. Proactive compliance is both a legal safeguard and a trust signal to your customers.

The CCPA defines "personal information" broadly. It includes names, email addresses, IP addresses, browsing history, purchase records, geolocation data, and any information that can be linked to a consumer or household. If you use Google Analytics, run Facebook Ads, or collect email signups, you are almost certainly handling personal information under the CCPA.

12-Point CCPA Compliance Checklist

Use this checklist to track your progress. Work through the items in order; the first two produce the data inventory that every later item depends on.

1. Map your data collection: Audit every piece of personal information your business collects. Document what you collect, where it comes from (directly from consumers, cookies, third parties), and why you collect it. This data inventory is the foundation of everything else.
2. Categorize personal information: Organize your data into CCPA categories: identifiers, commercial information, internet activity, geolocation, professional information, education information, inferences, and sensitive personal information. The CCPA requires disclosures by category.
3. Update your privacy policy: Your privacy policy must disclose the categories of personal information collected, the purposes for collection, categories of third parties with whom data is shared, consumer rights under the CCPA, and how consumers can submit requests. It must be updated at least every 12 months.
4. Add a "Do Not Sell or Share" link: If you sell or share personal information (including for targeted advertising), place a clearly visible "Do Not Sell or Share My Personal Information" link on your homepage. This must lead to a functional opt-out mechanism.
5. Implement consumer request processes: Set up at least two methods for consumers to submit requests (e.g., a toll-free number and a web form or email). You must respond within 45 days and can extend by another 45 days with notice.
6. Build a verification process: Before fulfilling access or deletion requests, you must verify the consumer's identity. Establish reasonable verification steps that match the sensitivity of the data requested, without collecting more personal information than necessary.
7. Review service provider contracts: Ensure all contracts with service providers and third parties include CCPA-required clauses: restrictions on using shared data for unauthorized purposes, obligations to comply with consumer requests, and certification of CCPA understanding.
8. Honor opt-out preference signals: Under the CPRA amendments, businesses must recognize and honor Global Privacy Control (GPC) signals sent by a consumer's browser. Treat a GPC signal as a valid opt-out of the sale and sharing of personal information.
9. Protect sensitive personal information: Provide consumers with the right to limit how you use their sensitive personal information (Social Security numbers, financial data, precise geolocation, racial/ethnic data, health data). Add a "Limit the Use of My Sensitive Personal Information" link if applicable.
10. Train your team: All employees who handle consumer inquiries or manage personal information must understand CCPA requirements, how to identify consumer requests, and how to route them to the right process. Document your training.
11. Implement data security measures: The CCPA allows consumers to sue for data breaches resulting from a business's failure to maintain "reasonable" security. Implement encryption, access controls, regular vulnerability scans, and an incident response plan.
12. Keep records and monitor compliance: Maintain records of all consumer requests and how you responded for at least 24 months. Conduct annual reviews of your privacy practices and update your data inventory, policies, and processes as your business evolves.

CCPA vs GDPR: Key Differences

If your business also serves customers in the EU, you may need to comply with both the CCPA and the GDPR. While both laws protect consumer privacy, they differ significantly in scope, legal basis, and enforcement. Here is how they compare:

Jurisdiction
  CCPA / CPRA: California residents
  GDPR: EU/EEA residents (worldwide enforcement)

Who it applies to
  CCPA / CPRA: For-profit businesses meeting revenue, data volume, or revenue-share thresholds
  GDPR: Any organization processing EU residents' data, regardless of size

Legal basis for processing
  CCPA / CPRA: Not required; focuses on disclosure and opt-out rights
  GDPR: Requires an explicit legal basis (consent, contract, legitimate interest, etc.)

Consent model
  CCPA / CPRA: Opt-out; consumers must actively opt out of data sales/sharing
  GDPR: Opt-in; businesses need affirmative consent before processing in many cases

Right to delete
  CCPA / CPRA: Yes, with several business-related exceptions
  GDPR: Yes (right to erasure), with narrower exceptions

Right to correct
  CCPA / CPRA: Yes (added by CPRA)
  GDPR: Yes (right to rectification)

Data portability
  CCPA / CPRA: Limited; right to obtain data in a portable format
  GDPR: Broad; right to receive data in a machine-readable format and transmit it to another controller

Private right of action
  CCPA / CPRA: Limited to data breaches only
  GDPR: Broad; consumers can sue for any GDPR violation

Maximum penalties
  CCPA / CPRA: $2,500 per unintentional violation; $7,500 per intentional violation
  GDPR: Up to 4% of global annual revenue or 20 million euros

Enforcement body
  CCPA / CPRA: California AG plus the California Privacy Protection Agency (CPPA)
  GDPR: National Data Protection Authorities in each EU member state

Practical takeaway: If you already comply with the GDPR, you have covered most of what the CCPA requires. The main additions are the "Do Not Sell or Share" opt-out mechanism, honoring Global Privacy Control signals, and providing CCPA-specific disclosures in your privacy policy. If you only need CCPA compliance, the CCPA is less burdensome because it does not require opt-in consent for most data processing.

What Data Rights California Consumers Have

Under the CCPA/CPRA, California residents have the following rights regarding their personal information:

Right to Know

Consumers can request that a business disclose what categories and specific pieces of personal information it has collected, the sources of that information, the business purposes for collection, and the categories of third parties with whom it is shared. Businesses must respond within 45 days and provide data covering the preceding 12 months.

Right to Delete

Consumers can request that a business delete their personal information. The business must also direct its service providers and contractors to delete the data. Exceptions exist for data needed to complete transactions, detect fraud, exercise free speech, comply with legal obligations, or conduct research in the public interest.

Right to Correct

Added by the CPRA, consumers can request that a business correct inaccurate personal information. The business must use commercially reasonable efforts to correct the data and instruct service providers to do the same.

Right to Opt Out of Sale or Sharing

Consumers can direct a business to stop selling or sharing their personal information. "Sharing" includes disclosing data to third parties for cross-context behavioral advertising, which means most businesses using retargeting pixels or third-party ad platforms are "sharing" data under the CCPA.

Right to Limit Use of Sensitive Personal Information

Consumers can instruct a business to limit its use of sensitive personal information (such as precise geolocation, race, health data, or financial account information) to what is necessary to provide the requested service.

Right to Non-Discrimination

A business cannot discriminate against a consumer for exercising their CCPA rights. This means you cannot deny services, charge different prices, or provide a different quality of service to consumers who opt out or submit deletion requests.

Penalties for Non-Compliance

CCPA enforcement has become increasingly aggressive. The California Privacy Protection Agency (CPPA) began independent enforcement in 2024, and the California Attorney General continues to pursue violations. Here is what non-compliance can cost:

Sephora (2022)

$1.2 million settlement

The California AG found that Sephora failed to disclose the sale of consumer data, did not process opt-out requests via user-enabled Global Privacy Control signals, and did not cure violations within the 30-day notice period. This was the first public CCPA enforcement action and put businesses on notice that GPC signals must be honored.

DoorDash (2024)

$375,000 fine

The CPPA fined DoorDash for sharing consumer personal information with a marketing cooperative without obtaining opt-in consent, marking one of the first enforcement actions by the newly established agency.

Statutory per-violation penalties

$2,500 - $7,500 per violation

Each affected consumer record counts as a separate violation. A breach or non-compliance incident affecting 10,000 consumers at $7,500 per intentional violation could result in $75 million in penalties, a ruinous sum for any small business.

Private lawsuits for data breaches: The CCPA also grants consumers a private right of action for data breaches resulting from a business's failure to implement reasonable security. Statutory damages range from $100 to $750 per consumer per incident. Class action lawsuits under this provision have already resulted in multi-million dollar settlements.

How to Add a "Do Not Sell My Personal Information" Link

If your business sells or shares personal information, the CCPA requires you to provide a clear, conspicuous link titled "Do Not Sell or Share My Personal Information" on your website's homepage (and in your mobile app, if applicable). Here is how to implement it correctly:

Step 1: Add the link to your website footer

Place the link in your site footer so it appears on every page. The link text must match the CCPA wording or use the approved alternative "Your Privacy Choices" with the opt-out preference signal icon.

```html
<!-- Option A: Standard CCPA link -->
<a href="/privacy-choices">
  Do Not Sell or Share My Personal Information
</a>

<!-- Option B: Simplified link with toggle icon -->
<a href="/privacy-choices">
  <span class="privacy-icon"></span>
  Your Privacy Choices
</a>
```

Step 2: Create an opt-out mechanism

The link should lead to a page or form where consumers can opt out without needing to create an account. Common approaches include:

Step 3: Honor Global Privacy Control (GPC)

Under CPRA regulations, you must treat a browser-level GPC signal as a valid opt-out request. To detect GPC in JavaScript:

```javascript
// Detect the browser-level Global Privacy Control signal
if (navigator.globalPrivacyControl) {
  // User has GPC enabled: treat it as an opt-out of sale/sharing.
  // disableThirdPartyTracking() and setOptOutCookie() stand for the site's
  // own functions that stop ad/analytics tags and persist the choice.
  disableThirdPartyTracking();
  setOptOutCookie();
}
```

Step 4: Update your privacy policy

Your privacy policy must explain the opt-out process, state that you honor GPC signals, and disclose whether you sell or share personal information and with which categories of third parties.
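As an added example that is not part of the original article, the helper below combines the opt-out persistence from Step 2 and the GPC check from Step 3 into one decision function that works on the server (via the Sec-GPC request header defined by the GPC specification) and in the browser (via navigator.globalPrivacyControl). The cookie name ccpa_opt_out and the Set-Cookie attributes are assumptions; a sample set of headers and cookies is constructed inline.

```javascript
// Added example: resolve a visitor's "Do Not Sell or Share" status from the
// three signals a site actually sees:
//   1. the Sec-GPC request header (GPC spec; opt-out only when exactly "1"),
//   2. navigator.globalPrivacyControl in the browser,
//   3. a site-set opt-out cookie (name "ccpa_opt_out" is an assumption).
// Any one of these being an opt-out means sale/sharing must stop.

const OPT_OUT_COOKIE = "ccpa_opt_out"; // assumed cookie name

// Parse a Cookie header ("a=1; b=2") into an object; malformed pairs are skipped.
function parseCookies(cookieHeader) {
  const out = {};
  for (const part of (cookieHeader || "").split(";")) {
    const eq = part.indexOf("=");
    if (eq < 0) continue;
    const name = part.slice(0, eq).trim();
    if (name) out[name] = part.slice(eq + 1).trim();
  }
  return out;
}

// Server side: header names are case-insensitive, but the value must be "1".
// "0", "", "true" or a missing header are NOT opt-out signals.
function gpcFromHeaders(headers) {
  const key = Object.keys(headers).find((k) => k.toLowerCase() === "sec-gpc");
  return key !== undefined && headers[key] === "1";
}

// Browser side: the property is undefined in browsers without GPC support.
function gpcFromNavigator(nav) {
  return Boolean(nav && nav.globalPrivacyControl === true);
}

// Combine all signals; the source is returned so the decision can be logged.
function resolveOptOut({ headers = {}, cookieHeader = "", nav = null } = {}) {
  if (gpcFromHeaders(headers)) return { optOut: true, source: "sec-gpc" };
  if (gpcFromNavigator(nav)) return { optOut: true, source: "navigator" };
  if (parseCookies(cookieHeader)[OPT_OUT_COOKIE] === "1") {
    return { optOut: true, source: "cookie" };
  }
  return { optOut: false, source: "none" };
}

// Set-Cookie value that persists the opt-out for a year, so the choice does not
// depend on the GPC signal being present on every later request.
function optOutSetCookie() {
  return `${OPT_OUT_COOKIE}=1; Path=/; Max-Age=31536000; SameSite=Lax; Secure`;
}

// Constructed sample request: GPC header present, no cookie yet.
const sample = resolveOptOut({ headers: { "Sec-GPC": "1" }, cookieHeader: "sid=abc" });
```

Call resolveOptOut before any ad or analytics tag is loaded, and when it returns optOut: true, skip those tags and send optOutSetCookie() in the response.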

Common mistake: Many small businesses assume they do not "sell" data because no money changes hands. Under the CCPA, "sharing" data with third-party ad networks for targeted advertising counts as a sale or share, even when the data exchange is for a service rather than cash. If you use Facebook Pixel, Google Ads remarketing, or similar tracking tools, you likely need a "Do Not Sell or Share" link.

Frequently Asked Questions

Does the CCPA apply to my small business?

The CCPA applies to for-profit businesses that collect personal information from California residents and meet at least one of three thresholds: annual gross revenue over $25 million, buying/selling/sharing the personal information of 100,000 or more consumers or households per year, or deriving 50% or more of revenue from selling or sharing personal information.

Even if you fall below these thresholds today, proactively complying is wise. Many small businesses are surprised to learn that website analytics and advertising pixels push them past the 100,000-consumer mark. And voluntary compliance demonstrates trustworthiness to customers and investors.

What is the penalty for violating the CCPA?

Civil penalties are up to $2,500 per unintentional violation and $7,500 per intentional violation, enforced by the California Attorney General and the California Privacy Protection Agency. Each affected consumer record counts as a separate violation, so penalties can add up quickly.

Additionally, consumers have a private right of action for data breaches caused by a business's failure to maintain reasonable security, with statutory damages of $100 to $750 per consumer per incident.

What is the difference between CCPA and CPRA?

The CPRA (California Privacy Rights Act) amended and expanded the CCPA. It took full effect on January 1, 2023. Key additions include the right to correct inaccurate data, the concept of "sensitive personal information" with additional protections, creation of the California Privacy Protection Agency for enforcement, stronger data minimization requirements, and the obligation to honor Global Privacy Control signals.

When people refer to "CCPA compliance" today, they generally mean compliance with the CCPA as amended by the CPRA.

Do I need a "Do Not Sell My Personal Information" link on my website?

Yes, if your business sells or shares personal information. Under the CCPA, "sharing" includes disclosing data to third-party ad networks for cross-context behavioral advertising. If you use Facebook Pixel, Google Ads remarketing tags, or share email lists with marketing partners, you likely need this link.

You may use the alternative wording "Your Privacy Choices" with the opt-out preference signal icon instead, as long as the link leads to a functional opt-out mechanism.

Can I use a privacy policy generator to comply with the CCPA?

A privacy policy generator is an excellent starting point. A good generator will ask you targeted questions about your data practices and produce a policy covering the required CCPA disclosures: categories of data collected, purposes, third-party sharing, consumer rights, and opt-out instructions.

However, the policy is just one part of CCPA compliance. You also need functional consumer request processes, proper opt-out mechanisms, service provider agreements, and security measures. Use ToolKit.dev's free privacy policy generator to handle the policy, then work through the rest of this checklist for full compliance.