What This Template Is For
The California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), gives California residents specific rights over their personal information. If your business collects personal information from California consumers and meets any of the three thresholds (annual gross revenue over $25 million, buys/sells/shares personal information of 100,000+ consumers or households, or derives 50%+ of revenue from selling personal information), compliance is mandatory.
This template provides a structured checklist for product teams to assess CCPA/CPRA compliance across consumer rights implementation, data inventory, opt-out mechanisms, privacy notices, data minimization, and service provider agreements. It is designed for PMs building or maintaining products that serve California consumers.
CCPA differs from GDPR in meaningful ways. CCPA uses an opt-out model for data sales and sharing (rather than GDPR's opt-in consent model). It defines "personal information" more broadly than GDPR's "personal data." It also creates a unique right to opt out of the sale or sharing of personal information, which has no direct GDPR equivalent. If your product serves both California and EU users, you need separate compliance programs for each regulation.
For guidance on how privacy compliance fits into product strategy, the Product Strategy Handbook covers regulatory constraints as strategic inputs. The privacy impact assessment template helps map data flows before running this checklist. For technical implementation planning, the Technical PM Handbook addresses infrastructure decisions that affect compliance architecture.
How to Use This Template
- Confirm applicability. Verify your business meets at least one of the three CCPA thresholds. If you are unsure, consult legal counsel.
- Complete the data inventory section first. You cannot assess compliance without knowing what personal information you collect, where it goes, and who has access.
- Walk through each section with your privacy lead. Mark items as complete, partial, or not started.
- Prioritize gaps by risk. Consumer-facing gaps (missing "Do Not Sell" link, broken DSAR process) are higher risk than internal documentation gaps because they are visible to regulators and consumers.
- Review semi-annually. CPRA regulations continue to evolve as the California Privacy Protection Agency (CPPA) issues new rules.
The Template
Section 1: Data Inventory and Mapping
- ☐ Complete inventory of all personal information categories collected (identifiers, commercial info, internet activity, geolocation, biometric, professional, education, inferences)
- ☐ For each category, documented: sources of collection, purposes, third parties receiving the data, retention period
- ☐ Data flow diagrams show how personal information moves through internal systems and to third parties
- ☐ Identified which data categories are "sold" or "shared" under CCPA definitions (including cross-context behavioral advertising)
- ☐ Sensitive personal information categories identified separately (SSN, financial account, precise geolocation, racial/ethnic origin, health data, sexual orientation, contents of communications)
- ☐ Data retention schedule defined for each category with justification for retention period
- ☐ Automated deletion or anonymization processes in place for data past retention period
Section 2: Consumer Rights Implementation
- ☐ Right to know: consumers can request categories and specific pieces of personal information collected (12-month lookback)
- ☐ Right to delete: consumers can request deletion of their personal information
- ☐ Right to correct: consumers can request correction of inaccurate personal information
- ☐ Right to opt out of sale/sharing: consumers can stop the sale or cross-context behavioral advertising use of their data
- ☐ Right to limit sensitive personal information: consumers can restrict processing of sensitive categories to necessary purposes only
- ☐ Right to non-discrimination: consumers who exercise rights receive the same service and pricing
- ☐ At least two methods provided for submitting requests (toll-free number and web form, or email and web form)
- ☐ Identity verification process for consumer requests (reasonable security without being burdensome)
- ☐ Requests fulfilled within 45 days (with option to extend by 45 additional days with notice)
- ☐ Authorized agent requests accepted with proper verification (signed permission, power of attorney)
Section 3: Opt-Out Mechanisms
- ☐ "Do Not Sell or Share My Personal Information" link on homepage and in privacy policy
- ☐ "Limit the Use of My Sensitive Personal Information" link provided (if sensitive data is processed beyond necessary purposes)
- ☐ Opt-out preference signals (Global Privacy Control / GPC) honored automatically
- ☐ Opt-out mechanism does not require account creation or login
- ☐ Opt-out requests processed within 15 business days
- ☐ Opt-out status persists across sessions and devices (where technically feasible)
- ☐ No dark patterns used to subvert opt-out (no confusing language, no extra steps, no guilt-tripping)
- ☐ Re-consent allowed only after 12 months from opt-out (not sooner)
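As an added example that is not part of the template and not code from any real ad SDK, the JavaScript below shows how a frontend SDK can satisfy the GPC, no-login, persistence and 12-month items in this section at once. The only real identifiers used are the W3C Global Privacy Control signals, the `Sec-GPC: 1` request header and the `navigator.globalPrivacyControl` property; every other name (`PreferenceStore`, `resolveOptOutState`, `gateAdSharingEvent`, `mayRequestOptIn`, the consumer ids) is a hypothetical placeholder, and the in-memory store stands in for whatever cookie, local storage or server-side record the product actually uses.

```javascript
// Added example (not part of the template): opt-out state resolution for a
// browser-side ad/analytics SDK. Hypothetical names throughout; the only real
// identifiers are the GPC signals `Sec-GPC: 1` (request header) and
// navigator.globalPrivacyControl (client-side property).

// "12 months" approximated as 365 days for the re-consent clock.
const TWELVE_MONTHS_MS = 365 * 24 * 60 * 60 * 1000;

// Minimal persistent store standing in for a cookie / localStorage / server record.
// Keyed by account or device id so an opt-out made on one device is replayed on
// another once the same consumer is recognised there.
class PreferenceStore {
  constructor() { this.records = new Map(); }
  get(consumerId) { return this.records.get(consumerId) || null; }
  recordOptOut(consumerId, source, at = Date.now()) {
    const existing = this.get(consumerId);
    // Never overwrite an earlier opt-out: the 12-month re-consent clock
    // runs from the FIRST opt-out, not the latest repeated signal.
    if (existing && existing.optedOut) return existing;
    const record = { optedOut: true, source, optedOutAt: at };
    this.records.set(consumerId, record);
    return record;
  }
}

// Detect a GPC signal from either side: the server sees the `Sec-GPC` header,
// script running in the page sees navigator.globalPrivacyControl.
function gpcSignalPresent({ navigatorLike, requestHeaders } = {}) {
  if (navigatorLike && navigatorLike.globalPrivacyControl === true) return 'gpc-client';
  if (requestHeaders) {
    // Header names are case-insensitive; the specified value is the single character "1".
    const key = Object.keys(requestHeaders).find(k => k.toLowerCase() === 'sec-gpc');
    if (key && String(requestHeaders[key]).trim() === '1') return 'gpc-header';
  }
  return null;
}

// Decide whether sale/sharing is permitted for this consumer right now.
// A GPC signal counts as a valid opt-out request and is persisted immediately,
// so no account, login or extra click is needed. The ABSENCE of a signal on a
// later visit never re-enables sharing: a stored opt-out stands until the
// consumer affirmatively opts back in.
function resolveOptOutState(store, consumerId, signals) {
  const gpcSource = gpcSignalPresent(signals);
  if (gpcSource) {
    const record = store.recordOptOut(consumerId, gpcSource);
    return { optedOut: true, source: record.source };
  }
  const stored = store.get(consumerId);
  if (stored && stored.optedOut) return { optedOut: true, source: stored.source };
  return { optedOut: false, source: 'none' };
}

// Gate in front of every call that would send data to cross-context behavioral
// advertising partners: returns the event to send, or null when opted out.
function gateAdSharingEvent(state, event) {
  return state.optedOut ? null : event;
}

// The business may ask an opted-out consumer to opt back in only once
// 12 months have passed since the opt-out was recorded.
function mayRequestOptIn(store, consumerId, now = Date.now()) {
  const record = store.get(consumerId);
  if (!record || !record.optedOut) return false; // nothing to re-consent to
  return now - record.optedOutAt >= TWELVE_MONTHS_MS;
}
```

The design point worth noting is the asymmetry: any GPC signal flips the consumer to opted out and is written to the store, but a visit without the signal is treated as "no new information", so the stored opt-out survives a device or browser that does not send GPC. Keying the store by consumer identity rather than by session is what makes the status persist across devices, and routing every partner-bound event through `gateAdSharingEvent` keeps the decision in one place where it can be audited.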
Section 4: Privacy Notices
- ☐ Privacy policy updated to include all CCPA-required disclosures
- ☐ Privacy policy lists categories of personal information collected in the past 12 months
- ☐ Privacy policy lists categories sold or shared and the categories of third-party recipients
- ☐ Privacy policy discloses business or commercial purposes for collection
- ☐ Privacy policy describes consumer rights and how to exercise them
- ☐ Privacy policy discloses retention periods for each category of personal information
- ☐ Notice at collection provided at or before the point of data collection
- ☐ Notice at collection identifies categories of personal information collected and purposes
- ☐ Financial incentive notices provided for any loyalty or rewards programs that use personal information
- ☐ Privacy policy reviewed and updated at least annually
Section 5: Data Minimization and Purpose Limitation (CPRA Addition)
- ☐ Personal information collection limited to what is reasonably necessary for disclosed purposes
- ☐ Processing of personal information limited to purposes disclosed at collection
- ☐ New processing purposes require updated notice to consumers before proceeding
- ☐ Sensitive personal information processing limited to purposes allowed without consumer opt-in (service provision, security, quality control)
- ☐ Regular reviews conducted to identify and eliminate unnecessary data collection points
- ☐ Dark patterns audit completed for all consent and opt-out flows
Section 6: Service Provider and Contractor Agreements
- ☐ Written contracts with all service providers include CCPA-required terms
- ☐ Contracts prohibit service providers from selling or sharing personal information received
- ☐ Contracts require service providers to comply with CCPA and assist with consumer requests
- ☐ Contracts grant right to audit service providers' CCPA compliance
- ☐ Third parties receiving personal information for cross-context behavioral advertising classified as "recipients" with appropriate contracts
- ☐ Contractor agreements include CCPA-required terms (similar to service provider requirements)
- ☐ Due diligence process for evaluating new service providers' privacy practices
- ☐ Annual review of service provider and contractor compliance
Filled Example: B2C SaaS Marketplace
Product: ShopLocal, a marketplace connecting 120,000 California consumers with local businesses. Collects browsing behavior, purchase history, precise geolocation, and payment information. Shares anonymized browsing data with ad partners for cross-context behavioral advertising. Annual revenue: $32M.
Audit Summary
| Area | Status | Score | Notes |
|---|---|---|---|
| Data Inventory | Partial | 5/7 | Data flow diagrams outdated. Sensitive data categories not separately identified |
| Consumer Rights | Partial | 7/10 | Right to correct not yet implemented. Authorized agent process missing |
| Opt-Out Mechanisms | Partial | 5/8 | GPC signals not honored. Opt-out does not persist cross-device |
| Privacy Notices | Partial | 7/10 | Retention periods not disclosed. Financial incentive notices missing for rewards program |
| Data Minimization | Partial | 3/6 | No dark patterns audit completed. Collecting unnecessary device telemetry |
| Service Providers | Partial | 5/8 | Two ad partners missing updated CCPA contract terms |
Key Gaps and Remediation Plan
| # | Gap | Action | Owner | Due Date |
|---|---|---|---|---|
| 1 | GPC signals not honored | Implement GPC detection and auto-opt-out in ad SDK | Frontend Eng | March 21 |
| 2 | Right to correct not implemented | Build correction request flow in account settings | Product | April 4 |
| 3 | Sensitive data categories not mapped | Complete sensitive PI inventory with legal | Privacy Lead | March 14 |
| 4 | Ad partner contracts missing CCPA terms | Execute updated contracts with AdPartner and TrackCo | Legal | March 28 |
| 5 | Dark patterns audit not done | Engage UX researcher to audit all consent and opt-out flows | Design Lead | April 11 |
| 6 | Financial incentive notice missing | Draft and publish notice for loyalty rewards program | Legal + PM | March 21 |
Key Takeaways
- CCPA/CPRA applies to businesses meeting revenue, data volume, or data sales thresholds. The B2B exemption no longer exists
- Complete your data inventory before assessing compliance. You cannot build proper opt-out mechanisms without knowing what data goes where
- Honor Global Privacy Control (GPC) signals automatically. The California AG considers ignoring GPC a violation
- The "Do Not Sell or Share" link must be prominently placed on your homepage. Do not bury it in a privacy policy sub-page
- Data minimization is now a legal requirement, not a best practice. Audit your data collection points and eliminate unnecessary fields
- Review service provider contracts annually. CCPA liability can flow through to your business if a service provider mishandles data
About This Template
Created by: Tim Adair
Last Updated: 3/5/2026
Version: 1.0.0
License: Free for personal and commercial use
