
CPRA Compliance Checklist: 10 Steps to Meet Requirements

By Safna November 4, 2024


The privacy era in California commenced with the California Consumer Privacy Act (CCPA), which was subsequently modified by the California Privacy Rights Act (CPRA). It grants significant rights to individuals and enhances consumer autonomy over their data. If you are a business serving Californians, CPRA compliance is non-negotiable. Our extensive CPRA compliance checklist ensures that you meet all the requirements.

What is CPRA?

The California Privacy Rights Act (CPRA) is California's principal data protection law. It regulates how businesses use consumers' personal information, grants consumers privacy rights and requires businesses to honor those rights. Unlike the General Data Protection Regulation (GDPR), CPRA adopts an opt-out model: businesses may carry out most processing without obtaining prior consent, but they must let consumers opt out of the sale or sharing of their personal information.

The CPRA amendments became operative on January 1, 2023, bringing in new rights such as the right to correct.

Unlike many recent US state privacy laws, such as the New Jersey Data Privacy Act, CPRA includes a revenue-based applicability threshold. If your business does business in California, offers products or services to Californians and meets any of the following requirements, you must comply with this privacy law.

  • Has annual gross revenue of more than $25 million (a figure the law adjusts for inflation every other year)
  • Alone or in combination, annually buys, sells or shares the personal information of 100,000 or more consumers or households
  • Derives 50% or more of its annual revenue from selling or sharing personal information


The California Privacy Protection Agency (CPPA) and the California Attorney General enforce the law. Administrative fines can reach $2,500 per violation and $7,500 per intentional violation or per violation involving the personal information of a minor. Additionally, consumers have a limited private right of action: they can sue a business when its failure to implement reasonable security leads to a breach that exposes nonencrypted and nonredacted personal information, such as an email address together with a password that would permit access to an online account.

What are the CPRA requirements?

Now let us discover the key CPRA requirements.

Minimisation requirements

CPRA limits the scope of data collection and requires businesses to minimise the personal data they collect from California residents.

The collection, use, sharing and retention of personal data must align with the purpose that was communicated to the consumer at the time of collection. This means you should set clear objectives for data collection and adhere to them.

Avoid secondary uses of collected data that the consumer would not reasonably expect. For example:

  • A game application that collects precise geolocation or tracks user activity outside the game is unlikely to be operating within the specific purpose for which the application was installed.
  • An online shopping business that collects addresses and phone numbers from customers to fulfil orders is not expected to sell that data to third parties.

Transparency requirements

Businesses must inform their customers about how they handle user data. To meet this requirement, you must provide easy-to-understand notices, such as a privacy policy and notice at collection.

All the CPRA documents must be written in plain language and be accessible and clear to the audience.

A privacy policy/privacy notice must contain information that gives users a clear picture of an organisation's data practices, such as the categories of data it collects, the specific purposes for which it uses them, how long it retains them, and whether it sells or shares personal information. This is an absolute must for covered businesses serving Californians.

Apart from a privacy policy, you must also provide a notice at collection at or before the time you collect personal data. This notice helps consumers decide whether to proceed with your organisation based on what data you collect and how you process it.

A notice at collection must contain the following:

  • Categories of personal information including sensitive personal information (sensitive data)
  • The purposes for which they will be used
  • Whether each type of personal data will be shared or sold
  • How long the business will retain the personal data for
  • Links to opt out of sale and limit sensitive data processing
  • Link to privacy policy

Consumer requests requirements

CPRA empowers consumers with the following data privacy rights:

  • The right to know about personal information that a business collects, processes and shares/sells.
  • The right to correct any inaccuracies in their personal data
  • The right to opt out from the sale or sharing of personal information
  • The right to limit the use and disclosure of sensitive data
  • The right to not be discriminated against for exercising consumer rights
  • Right to delete any personal data about the consumer that the business has collected from the consumer

To ensure that the consumers get to exercise their rights, the CPRA also requires businesses to provide two or more convenient consumer request mechanisms. This could include an active email address, a toll-free number, or a web form. 

Respond to consumer requests such as deletion or correction requests within 45 days of receipt. This period can be extended by a further 45 days where reasonably necessary, provided you inform the consumer of the extension and its reason within the initial 45 days. Do not charge consumers for fulfilling requests unless a request is manifestly unfounded or excessive.

Consent requirements

Though CPRA generally follows an opt-out structure, there are some exceptions. 

You cannot sell or share the personal data of consumers you know to be under 16 years of age without opt-in consent. Consumers aged 13 to 15 can give that consent themselves; for children under 13, consent must be obtained from a parent or guardian.

Consent under CPRA must be a freely given, informed, specific, and unambiguous indication of a person's agreement to the processing of their personal data.

CPRA prohibits dark patterns that steer a user's decision or do not offer a real choice. Consent may not be inferred from inaction, from hovering over or scrolling past a banner, or from closing the consent message.

Opt-out requirements

The California Privacy Rights Act (CPRA) gives consumers the right to direct businesses not to sell their personal information and the right to limit the use of their sensitive data by businesses. 

Sensitive personal information is personal data whose disclosure could result in harm, discrimination or a violation of one's rights or freedoms. It includes racial or ethnic origin, biometric data, precise geolocation, social security number and similar identifiers.

Businesses collecting sensitive data must offer users an option to restrict its use. Similarly, if you sell or share personal information with third parties, you must provide consumers with an opt-out banner informing them of such sale and give opt-out options.

Honor the rights by offering consumers the choice to opt-out by displaying clear “Do not sell my personal information” and “Limit the use of sensitive personal information” links on your website. The link can work in two ways: it can either take consumers to a page with details on their rights and how to opt out, or it can instantly opt them out.

The law also requires businesses to honour opt-out preference signals such as the Global Privacy Control (GPC), which a browser or extension sends on the consumer's behalf to indicate a preset preference to opt out of sale and sharing.

Security requirements

CPRA requires businesses to establish reasonable data security measures proportional to the data handled by them. 

The following measures help protect the integrity and confidentiality of consumer data:

  • Encrypt personal information at rest and in transit to prevent unauthorised access
  • Enforce strong password policies and enable two-factor authentication
  • Route processing activities only through secure, documented channels
  • Put access controls in place so that only employees whose job roles require it can reach personal information
  • Conduct cybersecurity audits and risk assessments, and track the remediation measures they call for
  • Maintain and rehearse a data breach response plan
  • Perform timely, tested backups

Contractual requirements

Ensuring your service providers', contractors' and third parties' compliance with CPRA is just as crucial as your own. Covered businesses must put a written contract in place with each of them.

Such a contract must set out the rights and duties of each party, the retention period, and the nature and purpose of the processing. It must also require the recipient to implement CPRA-compliant measures and restrict its use of the personal data to the specified purposes.

These terms create a binding agreement between your business and the third parties with whom you share personal information.

CPRA compliance checklist

If you are a business serving Californians, first determine whether CPRA applies to you. Here is a checklist to make things simpler.

Conduct data mapping

Regularly monitor the types of personal information you collect and their purpose of collection. Conduct data auditing, streamline the collection process, and determine data retention periods.  

Take steps to ensure that you do not collect information that is more than what is required for the disclosed purpose. Furthermore, you cannot use the collected data for secondary purposes. Remember to update your privacy policy whenever there is a change in the data collection practice.

Provide a privacy policy

CPRA is committed to enhancing the transparency of data processing activities and imposes exacting standards. It requires businesses to provide a detailed and easy-to-understand privacy policy to consumers. 

A privacy policy must contain the following:

  • Categories of personal data collected and the purposes of collection
  • Categories of personal data shared with or sold to third parties
  • Categories of third parties with whom the data is shared or sold
  • Purpose of the sale or sharing
  • Whether you knowingly sell or share the personal data of consumers under 16
  • Whether you process sensitive personal information
  • Consumer rights and the methods for exercising them
  • Opt-out links
  • How your business verifies consumer requests
  • How your business processes opt-out preference signals
  • The opt-in process for minors
  • The business's contact information
  • Date of the last policy update

In addition to the privacy policy, you must provide other CPRA notices such as notice at collection, notice of right to opt-out, and notice of right to limit.

If your website deploys third-party cookies on user devices, which it does in most cases, you may also provide a cookie notice/cookie policy. A cookie notice contains information about the categories of cookies, their purposes, retention period, etc.

Update privacy policy

Keep your privacy policy updated with any changes in data collection and processing activities.

Notice at collection and opt-out banners  

Provide a notice at collection informing consumers of how an organisation collects and uses personal information. Also, offer opt-out banners/options to inform consumers of their ability to opt out of the sale of personal information and control the use of sensitive information. 

Businesses should have systems in place to accurately target Californian consumers, provide them with opt-out options and also acknowledge global opt-out signals from consumers. This can also extend to non-essential cookies such as third-party cookies deployed on user devices when visiting a website. 
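The following is an added example, not code from the original article and not CookieYes' own software. It shows one way a server can implement the opt-out requirements described in the "Opt-out requirements" section and in this checklist item: the Global Privacy Control (GPC) signal, sent by supporting browsers as the HTTP request header `Sec-GPC: 1`, is treated as an opt-out request and persisted on the consumer's preference record; the sale/share decision then respects that opt-out and the opt-in rule for consumers the business knows to be under 16; and a "limit the use of my sensitive personal information" choice confines sensitive data to a set of purposes the business deems necessary. The record shape, the field names and the list of necessary purposes are assumptions made for this example, not terms defined by the law.

```javascript
// Added example (not the article's or CookieYes' code): honouring CPRA opt-out
// choices on the server side.
//
// Assumptions made for the example: the preference record fields below, and
// the purposes listed as "necessary" for sensitive data after a limit request.
// The Sec-GPC header and its value "1" come from the GPC specification.

// Purposes for which sensitive personal information may still be used after
// the consumer limits its use (assumed list; derive yours from your own
// disclosed purposes).
const NECESSARY_SENSITIVE_PURPOSES = new Set([
  'fraud-prevention',
  'service-delivery',
  'security',
]);

// True when the request carries a GPC opt-out signal. HTTP header names are
// case-insensitive, and the specification defines only the value "1".
function hasGpcSignal(headers) {
  for (const [name, value] of Object.entries(headers || {})) {
    if (name.toLowerCase() === 'sec-gpc') {
      return String(value).trim() === '1';
    }
  }
  return false;
}

// Merge the signals on the current request into the stored preference record.
// A GPC signal must be treated like a click on "Do Not Sell or Share", so the
// opt-out is recorded, not just applied to this one response. Returns a new
// record and never removes an opt-out the consumer made earlier.
function applyRequestSignals(record, headers) {
  const next = { ...record };
  if (hasGpcSignal(headers)) {
    next.optedOutOfSale = true;
    next.optOutSource = 'gpc';
    next.optOutRecordedAt = new Date().toISOString();
  }
  return next;
}

// May this consumer's personal information be sold or shared?
// knownAge is null when the business has no actual knowledge of the age.
function saleAllowed(record) {
  if (record.optedOutOfSale) return false; // an opt-out overrides everything
  if (typeof record.knownAge === 'number' && record.knownAge < 16) {
    // Under 16: no sale or sharing without affirmative opt-in.
    if (record.knownAge < 13) return record.parentOptIn === true;
    return record.selfOptIn === true; // 13 to 15 may opt in themselves
  }
  return true; // opt-out model: an adult who has not opted out
}

// May sensitive personal information be used for this purpose?
function sensitiveUseAllowed(record, purpose) {
  if (!record.limitSensitiveUse) return true;
  return NECESSARY_SENSITIVE_PURPOSES.has(purpose);
}

// Apply request signals, then answer both questions for one request.
function decide(record, headers, purpose) {
  const updated = applyRequestSignals(record, headers);
  return {
    record: updated,
    saleAllowed: saleAllowed(updated),
    sensitiveUseAllowed: sensitiveUseAllowed(updated, purpose),
  };
}

// Constructed sample data for a stand-alone run: an adult of unknown age who
// has limited sensitive-data use, arriving with a GPC-enabled browser.
const SAMPLE_RECORD = {
  id: 'c-1',
  knownAge: null,
  optedOutOfSale: false,
  limitSensitiveUse: true,
};
const SAMPLE_HEADERS = { 'Sec-GPC': '1', 'User-Agent': 'example-browser' };

const SAMPLE_DECISION = decide(SAMPLE_RECORD, SAMPLE_HEADERS, 'advertising');
console.log(JSON.stringify(SAMPLE_DECISION, null, 2));
```

Two design points matter in practice: the GPC signal is written to the stored record (so the opt-out survives the consumer's next visit from a browser without the signal), and the opt-out check runs before the age rules, so an opt-in from a minor never reopens a sale once the consumer or a signal has opted out.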

While implementing these requirements may be challenging, there are software solutions such as consent management platforms to automate the process and achieve compliance effortlessly.

CookieYes is a dedicated consent management platform that helps your business stay compliant. We are an IAB-certified platform trusted by over 1.5 million businesses worldwide. CookieYes is also a recognised GCM gold partner.


Provide consumer request mechanisms

Provide at least two or more methods by which consumers can exercise their rights, for example, submit a deletion request. Ensure that these methods are conspicuously available to consumers. The process must be simple and convenient.

Respond to requests

Prompt response matters under CPRA. Confirm receipt of a request within 10 business days and respond to it within 45 calendar days, extending only where reasonably necessary and after notifying the consumer.

Consent management

Streamline the consent management process to collect, store, and manage consent and opt-out preferences including cookie consent. 

Establish a proper system to monitor and update the preferences as required by consumers. Record user consent to prove compliance.  


Provide opt-out links

CPRA mandates that businesses provide a "Do Not Sell or Share My Personal Information" link and a "Limit the Use of My Sensitive Personal Information" link to consumers. Place them conspicuously on your website.

After a consumer opts out, data sales must stop. Similarly, strictly limit the sensitive data usage to what is necessary for the specific purpose.

Security measures

CPRA does not specify the necessary security measures that a business must adopt. However, you should consider implementing adequate and proportional safeguards to protect the confidentiality and integrity of personal information handled by your business. 

Conduct regular cybersecurity audits, analyse privacy risks, and formulate risk management measures. It is equally important to encrypt personal information at rest and in transit, enforce strong password policies, and enable two-factor authentication.

Educate your workforce on data security. Consider hosting webinars and training sessions for your employees.

Contract

Have a contractual agreement with service providers and third parties to ensure their CPRA compliance along with yours. Verify that the agreement reflects your privacy interests and that the processing activities do not exceed the agreement terms.


FAQ on CPRA compliance

How to be compliant with CPRA?

CPRA compliance is mandatory if your business caters to Californians and meets any of the required thresholds.

Assess whether the law applies to you and understand the legal requirements. Limit the collection and use of personal information to the disclosed purpose. You must also honor consumer rights and set up convenient methods to exercise them, such as correction or access requests. Furthermore, enhance transparency by providing an up-to-date privacy policy, a notice at collection, a notice of the right to opt out, and a notice of the right to limit the use of sensitive personal information.

It is equally important to implement cybersecurity measures, train your employees, conduct risk assessments, etc to achieve CPRA compliance.

Does CPRA apply outside California?

Yes. The CCPA/CPRA applies to businesses that do business in California and process Californians' personal information, regardless of where the business itself is located.

Does CPRA replace CCPA?

The CCPA, California's privacy law, came into effect in 2020. The CPRA, approved by voters in November 2020 and operative from January 1, 2023, amended it. The CPRA did not replace the CCPA; it expanded it with new rights, obligations and the CPPA as enforcement agency.


Safna

Safna Y Yacoob is a lawyer turned data privacy writer. At CookieYes, she transforms complex privacy regulations into actionable insights for businesses. On off-hours, find her brightening days with one-liners, spinning playlists, or watching feel-good movies.
