Practical examples of a CCPA compliance checklist that actually help

If you’re hunting for practical, real-world examples of a CCPA compliance checklist, you’re probably tired of vague legal blog posts that say a lot but don’t tell you what to actually do. Let’s fix that. This guide walks through concrete checklist items, then pairs them with examples of how companies in 2024–2025 are handling CCPA and CPRA compliance. Instead of theory, you’ll see data mapping steps, privacy notice updates, opt‑out flows, and vendor management tasks you can lift straight into your own checklist. The examples cover both B2C and B2B scenarios, plus edge cases like mobile apps and ad tech. By the end, you’ll have a working sense of what a well-structured checklist looks like, where most organizations stumble, and how to prioritize your next steps. Think of this as a practical reference, not another abstract compliance explainer.
Written by Jamie

Real-world examples of a CCPA compliance checklist

Let’s start where most lawyers don’t: with concrete, real-world tasks. Below are checklist items that privacy teams actually use day to day. Think of these as building blocks you can adapt to your size, industry, and risk profile.

The examples cover:

  • Data inventory and mapping tasks
  • Privacy notice and cookie banner updates
  • Consumer request handling flows
  • Vendor and contract controls
  • Security and training measures

Each example of a checklist item is written in plain language so you can plug it straight into your own internal tracker or project management tool.


Example of data inventory and classification tasks

Any serious CCPA/CPRA program starts with knowing what data you have. Here are practical examples of CCPA compliance checklist items focused on data inventory:

Data source cataloging
Instead of just writing “do data mapping,” break it down:

  • Identify every system that stores personal information: CRM, email marketing, web analytics, customer support, HR tools, data warehouses.
  • For each system, document: data categories (e.g., identifiers, geolocation, internet activity), purpose of processing, retention period, and whether data is sold or shared.

Concrete example:
A mid-sized e‑commerce retailer uses Salesforce, Klaviyo, Zendesk, and Google Analytics. Their checklist item reads:

“For Salesforce, Klaviyo, Zendesk, GA4: list all personal information fields, link each field to a CCPA category, flag whether data is used for targeted advertising, and identify if any data is shared with third-party ad networks.”

Data classification for CCPA categories
Another example of a useful checklist item:

“Map each data field to CCPA categories (Cal. Civ. Code § 1798.140): identifiers, commercial information, internet activity, geolocation, etc. Mark ‘sensitive personal information’ under CPRA (e.g., precise location, financial account numbers, log‑in credentials).”

This level of detail matters because the CPRA amendments, enforced by the California Privacy Protection Agency (CPPA) alongside the Attorney General, treat sensitive personal information differently: consumers can limit its use and disclosure, and it carries its own notice requirements. You can confirm the legal definitions on the California Attorney General’s site: https://oag.ca.gov/privacy/ccpa.


Best examples of CCPA compliance checklist items for privacy notices

Privacy policies are where regulators and plaintiffs’ attorneys look first. Here are some of the best checklist items focused on notices and disclosures.

Homepage and app store links
A practical checklist item might say:

“Ensure a clear, labeled ‘Do Not Sell or Share My Personal Information’ link and a ‘Privacy Policy’ link appear in the website footer and within mobile app settings, visible on every page where personal information is collected. If sensitive personal information is used beyond the purposes the regulations permit, add a ‘Limit the Use of My Sensitive Personal Information’ link as well, or use the single ‘Your Privacy Choices’ link (with the opt‑out icon) that the regulations allow in place of both.”

Real example:
A fintech app adds a “California Privacy Choices” link in its settings menu that opens a webview with the opt‑out form, mirroring the link in the footer of its website. This alignment across web and app is a best practice under current enforcement trends.

CCPA‑specific sections in the privacy policy
Instead of a generic policy, a better checklist item says:

“Add a California‑specific section that: (1) lists categories of personal information collected in the last 12 months; (2) describes sources of data; (3) explains business/commercial purposes; (4) identifies categories of third parties to whom data is disclosed, sold, or shared; and (5) describes consumer rights and how to exercise them.”

For a reference structure, look at how universities and public institutions draft their notices; many follow state privacy guidance very closely. For example, see the University of California’s privacy resources: https://www.ucop.edu/information-technology-services/policies/privacy.html.

CPRA updates for 2024–2025
As of 2024, many organizations are updating checklists to cover:

  • The right to correct inaccurate personal information
  • The right to limit use of sensitive personal information
  • Clarified definitions of “sharing” for cross‑context behavioral advertising

So a modern example of a checklist item:

“Add explanation of the right to correct, right to limit use of sensitive personal information, and how to exercise these rights via web form, email, or toll‑free number.”


Examples of CCPA compliance checklist items for consumer rights requests

Handling consumer requests is where theory meets operational reality. These checklist items focus on intake, verification, and fulfillment.

Multiple request channels
Your checklist might say:

“Provide at least two methods for submitting requests (e.g., web form and toll‑free number), clearly linked from the privacy policy and the ‘Do Not Sell or Share’ page.”

One caveat: a business that operates exclusively online and has a direct relationship with the consumer may offer just an email address, but a second channel is still cheap insurance against a missed request.

Real example:
A SaaS company uses a dedicated privacy request portal plus an email alias (privacy@company.com). Their checklist specifies that both channels must be monitored by the privacy team and logged in a central ticketing system.

Verification procedures
An effective example of a checklist item:

“Document verification steps for password‑protected accounts (log‑in plus re‑authentication or one additional factor) and for non‑account holders (match at least two data points for deletion or category requests; three data points plus a signed declaration under penalty of perjury for requests for specific pieces of information). Do not collect sensitive identifiers like a full SSN solely for verification, and do not require the consumer to create an account to submit a request.”

The CCPA regulations (originally adopted by the Attorney General and now maintained by the CPPA) set these verification expectations; see: https://oag.ca.gov/privacy/ccpa/regs.

Response timelines and tracking
To align with statutory deadlines, organizations often add:

“Track each request with timestamps for receipt, verification, and completion. Confirm receipt within 10 business days. Respond within 45 calendar days of receipt; if more time is reasonably necessary, notify the consumer within that initial window and extend once by up to 45 additional days (90 total). Honor opt‑out requests within 15 business days, and notify any third party you sold or shared the data to after the request came in.”

Real example:
A health‑adjacent wellness app uses a dashboard that shows open CCPA requests, days remaining, and whether they involve deletion, access, correction, or opt‑out. While CCPA is not a health‑specific law like HIPAA, many organizations borrow operational patterns from health privacy frameworks such as those discussed by the U.S. Department of Health & Human Services: https://www.hhs.gov/hipaa/index.html.
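To make the timeline concrete, here is an added example (not code from the original article or from the wellness app it describes) of the bookkeeping such a dashboard needs: it computes each request’s due date from the 45‑day clock, allows a single extension only if the consumer was notified inside the initial window, applies the 15‑business‑day rule for opt‑outs, and reports days remaining. The record shape, field names and the sample requests are invented for illustration; holidays are ignored in the business‑day count.

```javascript
// Added example: CCPA request deadline tracking (not from the original article).
// Assumptions: 45 calendar days from receipt; one extension of up to 45 more days
// that must be announced to the consumer within the initial 45 days; 15 business
// days for opt-out requests. Record fields and sample data are invented.

const DAY_MS = 24 * 60 * 60 * 1000;

function addDays(date, n) {
  return new Date(date.getTime() + n * DAY_MS);
}

// Business days = Monday to Friday; holidays are ignored in this example.
function addBusinessDays(date, n) {
  let d = new Date(date.getTime());
  let remaining = n;
  while (remaining > 0) {
    d = addDays(d, 1);
    const dow = d.getUTCDay();
    if (dow !== 0 && dow !== 6) remaining -= 1;
  }
  return d;
}

// req: { id, type: 'access' | 'deletion' | 'correction' | 'opt-out',
//        receivedAt: ISO date, extensionNoticeSentAt?: ISO date,
//        extensionDays?: number, completedAt?: ISO date }
function dueDate(req) {
  const received = new Date(req.receivedAt);
  if (req.type === 'opt-out') return addBusinessDays(received, 15);

  const initial = addDays(received, 45);
  if (!req.extensionNoticeSentAt) return initial;

  // An extension only counts if the consumer was told within the first 45 days.
  const noticeAt = new Date(req.extensionNoticeSentAt);
  if (noticeAt > initial) {
    throw new Error(`${req.id}: extension notice sent after the initial deadline`);
  }
  const extra = Math.min(Math.max(req.extensionDays ?? 45, 0), 45); // cap at 90 total
  return addDays(initial, extra);
}

function daysRemaining(req, now) {
  return Math.floor((dueDate(req).getTime() - now.getTime()) / DAY_MS);
}

// Open requests sorted by urgency, as a dashboard would show them.
function dashboard(requests, now) {
  return requests
    .filter((r) => !r.completedAt)
    .map((r) => {
      const left = daysRemaining(r, now);
      return {
        id: r.id,
        type: r.type,
        due: dueDate(r).toISOString().slice(0, 10),
        daysRemaining: left,
        overdue: left < 0,
      };
    })
    .sort((a, b) => a.daysRemaining - b.daysRemaining);
}

// Constructed sample data (not real requests).
const SAMPLE_REQUESTS = [
  { id: 'R-1', type: 'access',   receivedAt: '2025-01-10' },
  { id: 'R-2', type: 'deletion', receivedAt: '2025-01-10',
    extensionNoticeSentAt: '2025-02-01', extensionDays: 45 },
  { id: 'R-3', type: 'opt-out',  receivedAt: '2025-01-10' },
  { id: 'R-4', type: 'access',   receivedAt: '2024-12-01', completedAt: '2024-12-20' },
];

const NOW = new Date('2025-02-14');
console.table(dashboard(SAMPLE_REQUESTS, NOW));
```

Run with node; the opt‑out received on a Friday in January lands overdue in mid‑February while the extended deletion request still has weeks left, which is exactly the ordering the dashboard should surface.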


Example of opt‑out, “Do Not Sell or Share,” and preference management tasks

Opt‑outs are where many businesses trip up, especially with ad tech. These examples include practical checklist items that privacy and marketing teams can actually execute.

Opt‑out page and form design
An example of a checklist entry:

“Create a dedicated ‘Do Not Sell or Share My Personal Information’ page explaining what ‘sell’ and ‘share’ mean under CCPA/CPRA, with a simple form to submit opt‑out requests without requiring account creation.”

Cookie and tracking controls
For web and mobile tracking, a modern checklist might say:

“Implement a consent or preference banner that lets California users opt out of cross‑context behavioral advertising and non‑necessary cookies; ensure selections are honored by tag manager configurations.”

Real example:
A media site configures its tag manager so that advertising and social media pixels only fire if the user has not opted out. The checklist includes a quarterly audit item: test the opt‑out flow in major browsers, with and without a GPC signal enabled, and confirm in the browser’s network panel that ad tags do not fire after the user opts out.

Global Privacy Control (GPC)
The CPPA regulations require businesses that sell or share personal information to honor opt‑out preference signals, and Global Privacy Control is the widely deployed one; the Attorney General’s 2022 Sephora settlement was about exactly this failure. So a forward‑looking checklist item reads:

“Detect and honor Global Privacy Control signals from supported browsers; treat GPC as a valid request to opt out of sale/sharing for that browser without requiring any verification, apply it to the consumer’s account as well when they are logged in, and log the signal as a technical opt‑out event.”
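Here is an added example (not code from the original article or from any real tag manager) of the decision logic behind both the tag‑gating and GPC checklist items: it recognizes an opt‑out from the site’s own form (stored in a cookie), recognizes a GPC signal either in the browser (navigator.globalPrivacyControl) or at the server (the Sec-GPC: 1 request header), suppresses the tags that would sell or share data, produces the audit‑log event, and gives the quarterly audit a way to flag tags that fired when they should not have. The cookie name, tag catalogue and function names are assumptions; the two GPC exposure points are those defined by the GPC specification.

```javascript
// Added example (not from the original article): gating ad tags on a CCPA opt-out
// and on Global Privacy Control. GPC is exposed to page scripts as
// navigator.globalPrivacyControl === true and to servers as the "Sec-GPC: 1"
// request header. Cookie name, tag list and function names are assumed.

const OPT_OUT_COOKIE = 'ca_optout'; // assumed: set to "1" by the site's own opt-out form

// Assumed tag catalogue. Only categories that sell or share data are gated;
// a tag run by a vendor under a service-provider contract is not a sale/share.
const TAGS = [
  { id: 'first_party_analytics', category: 'service_provider' },
  { id: 'ad_network_pixel',      category: 'advertising' },
  { id: 'social_retargeting',    category: 'advertising' },
  { id: 'fraud_check',           category: 'necessary' },
];
const GATED_CATEGORIES = new Set(['advertising']);

function parseCookies(cookieHeader) {
  const out = {};
  for (const part of (cookieHeader || '').split(';')) {
    const idx = part.indexOf('=');
    if (idx < 0) continue;
    out[part.slice(0, idx).trim()] = decodeURIComponent(part.slice(idx + 1).trim());
  }
  return out;
}

// Browser side: navigator.globalPrivacyControl is true when the user enabled GPC.
function gpcFromNavigator(nav) {
  return Boolean(nav) && nav.globalPrivacyControl === true;
}

// Server side: the same signal arrives as "Sec-GPC: 1"; any other value is not an opt-out.
function gpcFromHeaders(headers) {
  const raw = headers['sec-gpc'] ?? headers['Sec-GPC'];
  return raw !== undefined && String(raw).trim() === '1';
}

// ctx: { cookieHeader?: string, nav?: object, headers?: object }
function optOutState(ctx) {
  const cookies = parseCookies(ctx.cookieHeader);
  const formOptOut = cookies[OPT_OUT_COOKIE] === '1';
  const gpc = gpcFromNavigator(ctx.nav) || gpcFromHeaders(ctx.headers || {});
  return { formOptOut, gpc, optedOut: formOptOut || gpc };
}

// Tags allowed to fire for this visitor.
function tagsToFire(ctx) {
  const state = optOutState(ctx);
  return TAGS
    .filter((t) => !(state.optedOut && GATED_CATEGORIES.has(t.category)))
    .map((t) => t.id);
}

// Audit-log entry to write when an opt-out is in effect. GPC is recorded as a
// technical opt-out for this browser; tie it to the account if the user is logged in.
function optOutEvent(ctx, now) {
  const s = optOutState(ctx);
  if (!s.optedOut) return null;
  return { ts: now, source: s.gpc ? 'gpc' : 'form', appliesTo: 'sale_share' };
}

// Quarterly audit: given the tag ids observed firing (e.g. from the browser's
// network panel) for an opted-out visitor, return the ones that should not have.
function auditViolations(firedTagIds) {
  const byId = new Map(TAGS.map((t) => [t.id, t]));
  return firedTagIds.filter(
    (id) => byId.has(id) && GATED_CATEGORIES.has(byId.get(id).category),
  );
}

// Constructed walkthrough: a visitor with GPC enabled in the browser.
console.log(tagsToFire({ nav: { globalPrivacyControl: true } }));
console.log(optOutEvent({ headers: { 'sec-gpc': '1' } }, new Date().toISOString()));
```

Two details are easy to get wrong in production: the header value must be exactly "1" (a browser that sends nothing or "0" has not opted out), and the service‑provider analytics tag is deliberately left firing because processing by a contracted service provider is not a sale or share; if that contract is missing, reclassify the tag as advertising and it is gated automatically.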


Vendor, contracts, and data sharing: CCPA compliance checklist items

Third‑party vendors can quietly undermine your CCPA posture if you ignore them. These checklist items focus on contracts and vendor oversight.

Vendor inventory and classification
A practical checklist entry might say:

“Maintain an up‑to‑date list of service providers, contractors, and third parties with access to personal information. For each, record data categories, purposes, and whether the vendor acts as a service provider, contractor, or third party under CCPA/CPRA.”

Contract language review
An example of a contract‑focused checklist item:

“Review and update contracts to include CCPA/CPRA language: (1) restrict use of personal information to specified business purposes; (2) prohibit selling or sharing; (3) require assistance with consumer requests; (4) require notification of sub‑processors; and (5) require reasonable security measures.”

Real example:
A marketing team wants to onboard a new analytics vendor. The privacy team’s checklist requires:

  • Completing a privacy impact assessment
  • Confirming the vendor does not use data for its own advertising
  • Adding CPRA‑compliant service provider language

If any of those conditions fail, the vendor is reclassified as a third party, and the company updates its privacy notice to reflect “sharing” for cross‑context advertising.


Security, retention, and training: often‑ignored tasks

CCPA is not a pure security law, but security and retention practices influence risk, especially around data breaches and enforcement actions.

Security controls checklist
Examples include items like:

“Implement role‑based access controls for systems holding personal information; enforce multi‑factor authentication; log access to sensitive personal information; and review access rights at least quarterly.”

These align with widely accepted security frameworks and guidance from organizations such as NIST: https://www.nist.gov/cyberframework.

Data retention and deletion rules
A practical example of a checklist item:

“Define retention periods for each category of personal information; configure systems to flag or delete records once retention periods expire, unless a legal hold applies.”

Real example:
A subscription service sets a policy to delete inactive user accounts after three years, unless there are outstanding billing disputes. The checklist includes a monthly job to export and delete qualifying accounts from production and backups where technically feasible.
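As an added example (not the subscription service’s own job, nor code from the original article), here is the selection logic such a monthly job runs: per‑category retention periods, a flag‑then‑delete flow so nothing is purged the first time it is seen, a safe default for records whose category has no rule yet, and the legal‑hold and billing‑dispute exceptions. Category names, retention periods, the grace period and record fields are assumptions.

```javascript
// Added example (not from the original article): retention sweep with holds.
// Records are flagged on the first pass and deleted on a later pass after a grace
// period, so a mistaken rule can be caught before data is gone. Categories,
// retention periods, the grace period and record fields are assumed.

const DAY_MS = 24 * 60 * 60 * 1000;

const RETENTION_DAYS = {
  inactive_account: 3 * 365, // the subscription service's three-year rule
  support_ticket: 2 * 365,
  marketing_event: 365,
};
const GRACE_DAYS = 30; // time between flagging and deletion

function ageDays(isoDate, now) {
  return (now.getTime() - new Date(isoDate).getTime()) / DAY_MS;
}

// record: { id, category, lastActivityAt, legalHold?, openBillingDispute?, flaggedAt? }
function classify(record, now) {
  const limit = RETENTION_DAYS[record.category];
  if (limit === undefined) return { action: 'review', reason: 'unknown_category' };
  if (ageDays(record.lastActivityAt, now) <= limit) return { action: 'keep' };
  if (record.legalHold) return { action: 'hold', reason: 'legal_hold' };
  if (record.openBillingDispute) return { action: 'hold', reason: 'billing_dispute' };
  if (!record.flaggedAt) return { action: 'flag' };
  if (ageDays(record.flaggedAt, now) < GRACE_DAYS) return { action: 'wait' };
  return { action: 'delete' };
}

// Group records by the action the job should take on them this run.
function sweep(records, now) {
  const plan = { keep: [], flag: [], wait: [], hold: [], delete: [], review: [] };
  for (const r of records) {
    const c = classify(r, now);
    plan[c.action].push(c.reason ? { id: r.id, reason: c.reason } : r.id);
  }
  return plan;
}

// Constructed sample records (not real data).
const SAMPLE_RECORDS = [
  { id: 'u1', category: 'inactive_account', lastActivityAt: '2021-01-15' }, // expired, first seen
  { id: 'u2', category: 'inactive_account', lastActivityAt: '2021-01-15', flaggedAt: '2025-01-01' }, // grace over
  { id: 'u3', category: 'inactive_account', lastActivityAt: '2021-01-15', flaggedAt: '2025-02-10' }, // in grace
  { id: 'u4', category: 'inactive_account', lastActivityAt: '2021-01-15', openBillingDispute: true },
  { id: 't1', category: 'support_ticket',   lastActivityAt: '2024-06-01' }, // within retention
  { id: 'x1', category: 'clickstream',      lastActivityAt: '2019-01-01' }, // no rule defined
];
const NOW = new Date('2025-02-20');
console.log(JSON.stringify(sweep(SAMPLE_RECORDS, NOW), null, 2));
```

The "review" bucket is the important safety valve: a record whose category has no retention rule is neither kept silently nor deleted, it is surfaced so someone adds the rule. Backups are out of scope here; the usual approach is to let them age out on their own schedule and to apply the deletion if a backup is ever restored.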

Employee training
One more checklist item that often gets ignored:

“Provide annual privacy training for employees who handle consumer data or requests, including how to recognize CCPA rights requests, avoid over‑collection, and escalate incidents to the privacy team.”


Sector‑specific CCPA compliance checklist examples

Different industries face different data realities. Here are some sector‑specific checklist items you can adapt.

Retail and e‑commerce
Examples include:

  • Adding CCPA rights explanations to order confirmation emails
  • Ensuring loyalty program enrollment clearly explains data uses and opt‑out options
  • Building a process to honor opt‑outs across web, mobile app, and in‑store systems

Ad‑supported media and publishers
Examples include:

  • Reviewing all ad tech partners to classify them as service providers or third parties
  • Implementing GPC and cookie preference management
  • Updating the privacy policy to clearly describe “sharing” for cross‑context behavioral advertising

B2B SaaS
Examples include:

  • Clarifying in contracts that the SaaS provider is a service provider processing on behalf of its business customers
  • Providing admin‑level tools for customers to honor CCPA deletion and access requests
  • Documenting data flows between production, staging, and analytics environments

Health and wellness apps
Even when HIPAA doesn’t apply, health‑adjacent apps often handle sensitive data. Examples include:

  • Classifying health‑related metrics as sensitive personal information under CPRA
  • Limiting internal access to those metrics
  • Explaining in clear language how health‑related data is used and whether it is shared with advertisers

For general health privacy context and consumer expectations, see resources from Mayo Clinic: https://www.mayoclinic.org/patient-privacy.


FAQ: examples of CCPA compliance checklist questions

What is a simple example of a CCPA compliance checklist item for a small business?
A simple, high‑impact example of a checklist item for a small online retailer is: “Add a California‑specific section to the privacy policy, with a clear email address and web form where California residents can request access, deletion, or opt‑out of sale/sharing.” This single step addresses notice and rights in one move.

What are the best examples of tasks to prioritize first for CCPA compliance?
The best examples of early tasks are: (1) data inventory and mapping, so you know what you’re dealing with; (2) updating the privacy notice and adding a CCPA/CPRA section; and (3) setting up at least two channels for consumer requests with a basic verification process. Without those, everything else is guesswork.

Can you give examples of CCPA compliance checklist items for marketing teams?
For marketing, examples include: reviewing email and ad platforms to confirm whether they act as service providers; configuring cookie banners and opt‑out mechanisms; documenting how look‑alike audiences and retargeting work; and making sure opt‑outs are honored across all campaigns, not just on one website.

How often should I review my CCPA checklist and examples of tasks on it?
Most organizations revisit their checklist at least annually, and whenever there’s a major product change, acquisition, or new law. Because CPRA enforcement and CPPA rulemaking continue to evolve into 2025, many companies schedule a mid‑year review to update examples of tasks and align with new guidance.

Are templates with examples of CCPA compliance checklists enough to be compliant?
Templates and sample checklists are helpful starting points, but they’re not a guarantee of compliance. You still need to tailor each item to your data flows, tech stack, and risk profile, and you should coordinate with legal counsel familiar with California privacy law.
