
CCPA Compliance Checklist: Step-by-Step Implementation Guide

Implementing CCPA compliance requires addressing multiple areas across legal, technical, and operational domains. This checklist provides a systematic approach to achieving and maintaining compliance.

Key Takeaways

| Point | Summary |
| --- | --- |
| Scope | Privacy policy, consumer rights, vendor management, security |
| Ongoing nature | Compliance requires continuous maintenance |
| Documentation | Records are essential for demonstrating compliance |
| Training | Staff awareness is critical |
| Testing | Regular verification ensures mechanisms work |

Quick Answer: CCPA compliance involves determining applicability, updating privacy notices, implementing consumer rights processes, managing vendor contracts, establishing opt-out mechanisms, ensuring data security, and maintaining ongoing compliance through training and monitoring.

Phase 1: Assessment and Planning

Step 1: Determine Applicability

For detailed guidance, see who needs CCPA compliance.

  • Calculate annual gross revenue against $26.625M threshold
  • Count California consumers in your data against 100,000 threshold
  • Calculate percentage of revenue from data sales/sharing against 50% threshold
  • Document applicability determination
  • If applicable, proceed with compliance; if not, document and monitor

Step 2: Data Inventory

  • Identify all systems containing personal information
  • Map data flows from collection to deletion
  • Categorize PI according to CCPA categories
  • Identify sensitive personal information (SPI)
  • Document data sources (direct, indirect, third-party)
  • Identify data recipients and sharing relationships
  • Document retention periods for each category
  • Map data to business purposes

Step 3: Gap Analysis

  • Review current privacy policy against CCPA requirements
  • Assess consumer rights handling capabilities
  • Evaluate vendor contracts for CCPA compliance
  • Review data security measures
  • Identify opt-out mechanism gaps
  • Assess GPC compliance readiness
  • Document gaps and prioritize remediation

Phase 2: Privacy Notices

For detailed requirements, see CCPA privacy policy requirements.

Step 4: Privacy Policy Updates

  • Disclose categories of PI collected in last 12 months
  • Disclose categories of SPI collected (if any)
  • Explain sources of personal information
  • Describe business purposes for each category
  • Disclose third parties receiving data
  • State whether you sell or share PI
  • Explain consumer rights under CCPA
  • Provide contact methods (email, toll-free number)
  • Include retention periods or criteria
  • Add "Last Updated" date
  • Review for plain language and accessibility

Step 5: At-Collection Notices

  • Create web form notices
  • Create mobile app collection notices
  • Create point-of-sale notices (if applicable)
  • Create phone collection scripts (if applicable)
  • Link to full privacy policy from each notice
  • Ensure notices are provided at or before collection

Step 6: Employee Privacy Notice

  • Create employee/applicant at-collection notice
  • Update employee handbook with CCPA section
  • Provide notice during hiring process
  • Ensure existing employees receive notice

Phase 3: Consumer Rights Processes

For detailed guidance on consumer rights, see CCPA consumer rights explained.

Step 7: Request Intake

  • Establish email address for privacy requests
  • Set up toll-free number for privacy requests
  • Create online request form (recommended)
  • Create in-app request mechanism (for apps)
  • Document intake procedures

Step 8: Verification Procedures

  • Develop identity verification procedures
  • Create verification requirements for each request type
  • Establish authorized agent verification
  • Document verification standards

Step 9: Request Fulfillment Workflows

  • Create Right to Know workflow
    • Categories request process
    • Specific pieces request process
  • Create Right to Delete workflow
    • Identify applicable exceptions
    • Service provider notification process
  • Create Right to Correct workflow
  • Create Opt-Out processing workflow
  • Create Limit SPI Use workflow
  • Set up response tracking and deadline monitoring

Step 10: Response Templates

  • Confirmation receipt template (10 business days)
  • Right to Know response template
  • Deletion confirmation template
  • Correction confirmation template
  • Denial template with explanation
  • Extension notice template

Phase 4: Opt-Out Mechanisms

For detailed implementation guidance, see CCPA opt-out requirements.

Step 11: Sale/Sharing Opt-Out

  • Add "Do Not Sell or Share My Personal Information" link to homepage
  • Add link to footer of all pages
  • Add link to privacy policy
  • Create opt-out processing mechanism
  • Test opt-out functionality
  • Ensure opt-out is effective immediately

Step 12: Global Privacy Control (GPC)

  • Implement GPC signal detection
  • Configure systems to honor GPC as opt-out
  • Document GPC handling in privacy policy
  • Test GPC detection and response

Step 13: Sensitive Personal Information

For SPI categories and requirements, see sensitive personal information guide.

  • Add "Limit the Use of My Sensitive Personal Information" link (if SPI collected)
  • Or combine it with the sale/sharing opt-out link
  • Implement SPI limitation mechanism
  • Document permitted uses after limitation

Step 14: Advertising Configuration

  • Inventory advertising pixels and SDKs
  • Configure consent/opt-out logic
  • Implement opt-out for third-party cookies
  • Test advertising suppression for opted-out users
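The following is an added example, not code from the original checklist, showing how Steps 11, 12 and 14 fit together: derive one opt-out decision from an explicit "Do Not Sell or Share" choice and from the Global Privacy Control signal on both of its surfaces (the `Sec-GPC: 1` request header and the `navigator.globalPrivacyControl` property, both of which are real), then suppress the advertising tags that would amount to a sale or share. The function names, tag catalog and sample requests are constructed for illustration, and the example assumes a GPC signal is honored as an opt-out even when an earlier opt-in was recorded.

```javascript
// Server side: the GPC specification defines the header value as exactly "1".
// Header names are matched case-insensitively because frameworks differ in
// how they normalize them.
function gpcFromHeaders(headers) {
  for (const [name, value] of Object.entries(headers || {})) {
    if (name.toLowerCase() === "sec-gpc") {
      return String(value).trim() === "1";
    }
  }
  return false;
}

// Client side: browsers that send GPC expose it as a boolean on navigator.
function gpcFromNavigator(nav) {
  return Boolean(nav && nav.globalPrivacyControl === true);
}

// Combine the explicit choice with the GPC signal. Simplifying assumption:
// any GPC signal is treated as an opt-out regardless of a prior opt-in; the
// conflict-resolution notice the regulations allow is out of scope here.
function resolveOptOut({ headers, nav, explicitOptOut } = {}) {
  if (explicitOptOut === true) return { optedOut: true, source: "explicit" };
  if (gpcFromHeaders(headers)) return { optedOut: true, source: "gpc-header" };
  if (gpcFromNavigator(nav)) return { optedOut: true, source: "gpc-navigator" };
  return { optedOut: false, source: null };
}

// Constructed tag catalog for Step 14: each tag records whether loading it
// amounts to a sale/share under the business's own classification.
const TAG_CATALOG = [
  { id: "analytics-first-party", sellsOrShares: false },
  { id: "adtech-retargeting-pixel", sellsOrShares: true },
  { id: "social-conversion-pixel", sellsOrShares: true },
];

// Return the ids of tags that may load; opted-out visitors get no sale/share tags.
function tagsToLoad(decision, catalog = TAG_CATALOG) {
  return catalog
    .filter((tag) => !(decision.optedOut && tag.sellsOrShares))
    .map((tag) => tag.id);
}

// Constructed sample request from a browser sending GPC.
const sampleDecision = resolveOptOut({ headers: { "Sec-GPC": "1" } });
console.log(sampleDecision, tagsToLoad(sampleDecision));
```

The same `tagsToLoad` check doubles as the periodic opt-out test from Step 26: run it with an opted-out decision and confirm only non-sale tags remain.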

Phase 5: Vendor Management

For detailed contract requirements, see CCPA service provider requirements.

Step 15: Vendor Classification

  • Classify all vendors as service provider, contractor, or third party
  • Document classification rationale
  • Prioritize high-risk relationships

Step 16: Contract Updates

  • Add CCPA service provider terms to vendor contracts
  • Include purpose specification
  • Add sale/sharing prohibitions
  • Include subcontractor requirements
  • Add consumer rights assistance obligations
  • Obtain certifications where required

Step 17: Vendor Notification Processes

  • Create deletion notification process
  • Create correction notification process
  • Create opt-out notification process
  • Document notification procedures

Phase 6: Data Security

For detailed security guidance, see CCPA data security requirements.

Step 18: Security Assessment

  • Assess current security measures
  • Compare against CIS Controls v8 or equivalent framework
  • Identify security gaps
  • Prioritize remediation

Step 19: Security Controls

  • Implement encryption for PI at rest
  • Implement encryption for PI in transit
  • Secure encryption key management
  • Implement access controls (least privilege)
  • Require multi-factor authentication (MFA) for administrative access
  • Deploy endpoint detection and response (EDR)
  • Implement network segmentation
  • Deploy monitoring and logging
  • Implement vulnerability management
  • Establish patch management process

Step 20: Incident Response

  • Create breach response plan
  • Identify response team and roles
  • Document notification procedures
  • Prepare notification templates
  • Plan credit monitoring vendor relationship
  • Test incident response procedures

Phase 7: Training and Awareness

Step 21: Staff Training

  • Train privacy/compliance team on CCPA requirements
  • Train customer service on handling consumer requests
  • Train IT/security on technical requirements
  • Train marketing on opt-out and advertising compliance
  • Train HR on employee data requirements
  • Document training completion

Step 22: Ongoing Awareness

  • Create CCPA compliance reference materials
  • Establish escalation procedures
  • Communicate privacy policy updates
  • Conduct periodic refresher training

Phase 8: Documentation and Records

Step 23: Compliance Documentation

  • Document data inventory
  • Document privacy policy versions
  • Document consumer request procedures
  • Document vendor contracts and classifications
  • Document security measures
  • Document training records

Step 24: Request Records

  • Track consumer requests received
  • Record verification activities
  • Document response actions and timing
  • Retain records for 24 months minimum
  • Generate metrics reports (if 10M+ consumers)

Phase 9: Ongoing Compliance

For detailed ongoing requirements, see maintaining CCPA compliance.

Step 25: Annual Review

  • Review and update privacy policy at least annually
  • Review data inventory for changes
  • Assess new products/services for CCPA implications
  • Review vendor relationships
  • Update training materials
  • Check for regulatory updates

Step 26: Monitoring

  • Monitor for regulatory guidance updates
  • Track enforcement actions for lessons
  • Review consumer request trends
  • Test opt-out mechanisms periodically
  • Verify vendor compliance
  • Monitor for 2026 regulation implementation

Step 27: Metrics (For Large Businesses)

Businesses receiving 10M+ consumer requests must publish:

  • Number of requests to know received
  • Number of requests to delete received
  • Number of requests to opt-out received
  • Response times for each request type
  • Denial rates and reasons

Quick Reference: Key Deadlines

| Action | Timeline |
| --- | --- |
| Confirmation of request | 10 business days |
| Substantive response | 45 calendar days |
| Extension (if needed) | Additional 45 days |
| Opt-out processing | Immediate |
| Re-authorization request | 12 months after opt-out |
| Privacy policy update | At least annual |
| Record retention | 24 months minimum |
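As an added example that is not part of the original checklist, the deadline tracker below turns the table above into the response tracking and deadline monitoring called for in Step 9: it computes the 10-business-day confirmation date, the 45-calendar-day response date (90 days when the extension is used) and flags overdue requests. It assumes that business days skip only Saturdays and Sundays (holidays are not modeled), that all dates are handled in UTC, and that the request records and their field names are constructed for illustration.

```javascript
const MS_PER_DAY = 24 * 60 * 60 * 1000;

// All arithmetic is done on UTC midnight timestamps so DST cannot shift a day.
function parseIso(iso) {
  return new Date(iso + "T00:00:00Z");
}

function isoDate(date) {
  return date.toISOString().slice(0, 10);
}

function addCalendarDays(date, n) {
  return new Date(date.getTime() + n * MS_PER_DAY);
}

// Advance n business days; weekends do not count (holidays are not modeled).
function addBusinessDays(date, n) {
  let d = new Date(date.getTime());
  let remaining = n;
  while (remaining > 0) {
    d = addCalendarDays(d, 1);
    const dow = d.getUTCDay(); // 0 = Sunday, 6 = Saturday
    if (dow !== 0 && dow !== 6) remaining--;
  }
  return d;
}

// Deadlines for one request; `extended` applies the additional 45-day extension.
function requestDeadlines(receivedIso, { extended = false } = {}) {
  const received = parseIso(receivedIso);
  return {
    received: isoDate(received),
    confirmBy: isoDate(addBusinessDays(received, 10)),
    respondBy: isoDate(addCalendarDays(received, extended ? 90 : 45)),
  };
}

// Deadline monitoring: ids of open requests whose response date is before "today".
function overdueRequests(requests, todayIso) {
  const today = parseIso(todayIso);
  return requests
    .filter((r) => !r.closed && parseIso(requestDeadlines(r.received, r).respondBy) < today)
    .map((r) => r.id);
}

// Constructed request log: one standard, one extended, one already closed.
const REQUEST_LOG = [
  { id: "req-001", received: "2025-03-03" },
  { id: "req-002", received: "2025-03-03", extended: true },
  { id: "req-003", received: "2025-03-03", closed: true },
];
console.log(requestDeadlines("2025-03-03"), overdueRequests(REQUEST_LOG, "2025-04-20"));
```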

Common Compliance Mistakes

| Mistake | Correction |
| --- | --- |
| Generic privacy policy | Customize to actual practices |
| Hidden opt-out link | Prominent homepage placement |
| Ignoring GPC | Detect and honor signals |
| No verification process | Develop appropriate procedures |
| Outdated vendor contracts | Update with CCPA terms |
| Missing SPI handling | Implement limit mechanism if SPI collected |
| No employee notice | Provide at-collection notice to employees |

How Bastion Helps

Implementing comprehensive CCPA compliance requires a systematic approach and ongoing attention.

| Challenge | How We Help |
| --- | --- |
| Assessment | Gap analysis and applicability determination |
| Documentation | Templates and policy drafting |
| Process design | Consumer rights workflows |
| Vendor management | Contract templates and review |
| Technical implementation | Opt-out and GPC guidance |
| Training | Staff education programs |
| Monitoring | Ongoing compliance verification |
