TemplateFREE⏱️ 2-4 hours
CCPA Compliance Checklist Template
A structured CCPA and CPRA compliance checklist for product teams covering consumer rights, data inventory, opt-out mechanisms, privacy notices, and...
Updated 2026-03-05
CCPA Compliance Checklist
| # | Area | Criteria | Score (1-5) | Findings | Action Required | Status | |
|---|---|---|---|---|---|---|---|
| 1 | |||||||
| 2 | |||||||
| 3 | |||||||
| 4 | |||||||
| 5 |
#1
#2
#3
#4
#5
Edit the values above to try it with your own data. Your changes are saved locally.
Get this template
Choose your preferred format. Google Sheets and Notion are free, no account needed.
Frequently Asked Questions
What is the difference between CCPA and CPRA?+
CPRA is an amendment to CCPA that took effect January 1, 2023. It created the California Privacy Protection Agency (CPPA) as a dedicated enforcement body, added the right to correct inaccurate information, introduced data minimization requirements, created the sensitive personal information category with the right to limit its use, and removed the 30-day cure period for violations. When people say "CCPA compliance" today, they mean compliance with CCPA as amended by CPRA.
Does CCPA apply to B2B data?+
Yes, as of January 1, 2023. The B2B and employee data exemptions expired. If your product collects personal information from California-based business contacts (names, emails, phone numbers in CRM systems), that data is now subject to CCPA. This is a common gap for B2B SaaS products that assumed exemption.
What counts as "selling" personal information under CCPA?+
CCPA defines "sale" broadly: any disclosure of personal information for monetary or other valuable consideration. This includes sharing data with ad networks for targeted advertising, even if no direct payment occurs. Cross-context behavioral advertising (using data collected on your site to target ads on other sites) is classified as "sharing" under CPRA and triggers the same opt-out rights. For a deeper understanding of data processing categories, see the [glossary entry on data classification](/glossary/prioritization).
How do we handle Global Privacy Control (GPC)?+
GPC is a browser-level signal that consumers set once. Under CCPA regulations, you must treat GPC as a valid opt-out request. When your site detects a GPC signal, automatically opt the user out of sale and sharing. Do not require the user to also click your "Do Not Sell" link. Do not pop up a dialog asking the user to confirm. The California AG has explicitly stated that ignoring GPC signals is a violation.
What are CCPA penalties?+
The CPPA can impose fines of $2,500 per unintentional violation and $7,500 per intentional violation. Violations involving minors under 16 carry the $7,500 penalty per instance. Consumers also have a private right of action for data breaches resulting from failure to implement reasonable security, with statutory damages of $100-$750 per consumer per incident. With 100,000+ consumers, class action exposure can reach tens of millions. ---
Related Tools
Explore More Templates
Browse our full library of PM templates, or generate a custom version with AI.