Compliance Resources

CCPA Compliance Checklist 2026: 12 Required Steps

A practical, developer-friendly guide to California privacy compliance. Track, verify, and resolve all 12 key CPRA requirements with links to the authoritative statutes.

Showing 12 CCPA requirements
Updated for 2026 enforcement
1

Post a compliant privacy policy

Businesses must publish a comprehensive, up-to-date online privacy policy. It must detail collected personal information categories, processing purposes, third-party disclosures, and the consumer's right to know, delete, correct, and opt-out of sale/sharing.

Legal Citation:§ 7011
2

Provide notice at collection

A business must provide a Notice at Collection to consumers at or before the point of gathering personal information. This notice must list the categories of personal info collected, their purposes, whether they are sold or shared, and link to the privacy policy.

Legal Citation:§ 7012
5

Honor Global Privacy Control as a valid opt-out

Businesses must detect and process opt-out preference signals sent by user agents, such as the Global Privacy Control (GPC). This signal must be treated as a valid consumer request to opt-out of the sale or sharing of their personal information.

Legal Citation:§ 7025§ 7025(c)(3)
6

Treat GPC without forcing logins or extra steps

The processing of Global Privacy Control (GPC) signals must be frictionless. Businesses cannot require consumers to log in, provide additional information, or navigate through multiple confirmation screens to honor the signal.

7

Eliminate dark patterns; consent choices must be symmetrical

Consent choices and user interfaces must not utilize dark patterns that subvert or impair user autonomy, decision-making, or choice. A double-opt-out design or asymmetrical button weights (such as a prominent accept and hidden reject button) are prohibited.

Legal Citation:§ 7004
8

Support right to know / access

Consumers have the right to request that a business disclose the categories and specific pieces of personal information collected, the sources of collection, the business purpose for collecting or selling, and the categories of third parties shared with.

Legal Citation:§ 1798.100
9

Support right to delete and pass deletions to service providers

Businesses must delete a consumer's personal information upon receiving a verifiable request, subject to specific statutory exceptions. The business must also instruct all service providers, contractors, and relevant third parties to delete the consumer's information.

Legal Citation:§ 1798.105
10

Support right to correct

Upon receiving a verifiable request, a business must use commercially reasonable efforts to correct inaccurate personal information maintained about the consumer, taking into account the nature of the information and the purposes of processing.

Legal Citation:§ 1798.106
11

No discrimination against consumers who exercise rights

Businesses are prohibited from discriminating against consumers for exercising their CCPA/CPRA rights. This includes denying goods or services, charging different prices, or providing a different level or quality of goods or services.

Legal Citation:§ 1798.125
12

Verify you're not missing trackers your CMP can't see

Consent Management Platforms (CMPs) can sometimes fail to load, misclassify trackers, or allow network requests before the user makes a choice. Regularly scan your public-facing site to verify all tracking technologies are properly controlled and align with GPC signals.

Legal Citation:§ 7013§ 7025

Verify Your CCPA Compliance

Run a free, instant network-layer audit to check for unauthorized trackers, dark patterns, and GPC signals on your website.

Run a Free Scan