---
title: "CCPA Checklist"
canonical_url: "https://www.sorena.io/artifacts/us/ccpa/checklist"
source_url: "https://www.sorena.io/artifacts/us/california-consumer-privacy-act/checklist"
author: "Sorena AI"
description: "Track the California controls that must actually exist in policy, product, and vendor operations."
published_at: "2026-02-21"
updated_at: "2026-02-21"
keywords:
  - "CCPA checklist"
  - "California privacy checklist"
  - "do not sell or share checklist"
  - "CCPA compliance checklist"
  - "CCPA"
  - "Checklist"
  - "California privacy"
---

# CCPA Checklist

Track the California controls that must actually exist in policy, product, and vendor operations.


## California CCPA Checklist

Grounded in the California statute, CPPA regulations, and current California enforcement themes.

California compliance breaks when notices, request handling, opt-out logic, and vendor contracts evolve separately. Use one checklist with owners and proof.

## Scope and notice controls

Start with a threshold decision, then make sure every consumer-facing disclosure reflects the real data map and the current California rules effective January 1, 2026.

- Confirm in-scope status and record the threshold calculation
- Publish notice at collection where information is collected
- Update the privacy policy with categories, purposes, rights, and sales or sharing disclosures
- Review financial incentive disclosures if loyalty or data value exchange programmes exist

## Rights and opt-out controls

Rights handling and opt-out controls should be tested together because California consumers move between those pathways and the regulations expect consistency.

- Provide designated methods for requests and track the 45-day response clock
- Honor the Global Privacy Control (GPC) signal as a valid request to opt out of sale or sharing
- Ensure the do not sell or share interface is symmetrical and not manipulative
- Keep request records and response metrics for at least 24 months

## Contracts and evidence

Contract terms, due diligence, and audit rights matter because California rules look beyond the paper and ask whether the business had reason to believe a vendor was misusing information.

- Re-paper service provider, contractor, and third-party agreements
- Track vendor due diligence and remediation rights exercised in practice
- Retain training, request logs, policy versions, and testing results
- Prepare an enforcement pack for agency requests or sweeps


## Primary sources

- [CPPA regulations](https://cppa.ca.gov/regulations/?ref=sorena.io) - Official California regulations hub.
- [California privacy statute effective January 1, 2026](https://cppa.ca.gov/regulations/pdf/ccpa_statute_2026.pdf?ref=sorena.io) - Current statutory text as reflected in CPPA materials.
- [CPPA FAQ](https://cppa.ca.gov/faq.html?ref=sorena.io) - Official California FAQ.
- [CPPA CCPA updates](https://cppa.ca.gov/ccpa_updates.html?ref=sorena.io) - Rulemaking and effective date updates.


Source: https://www.sorena.io/artifacts/us/california-consumer-privacy-act/checklist
