US CCPA Deadlines and Compliance Calendar

Track the deadlines that the CCPA actually sets: give notice at or before the point of collection, respond to verifiable consumer requests within 45 days, allow one 45-day extension when reasonably necessary and the consumer is told within the first 45 days, respond to opt-out requests as soon as feasibly possible and no later than 15 business days, and wait at least 12 months before asking a consumer to opt back in after an opt-out.

Also keep the annual update deadline in view: privacy-policy disclosures must be updated at least once every 12 months, and the required disclosures must cover the 12-month period preceding the request unless a longer period is required under the statute.

Ownership should sit with the team that can change notices, request intake, ad-tech settings, vendor contracts, data retention, or consumer-facing controls, with privacy/legal review for ambiguous cases.

Evidence should show threshold calculations, notice-at-collection placement, privacy-policy disclosures, rights request logs, opt-out/GPC handling, vendor restrictions, and enforcement-response readiness.

Most CCPA mistakes happen at the boundary between a business, service provider, contractor and third party, or between selling, sharing, financial incentives, minors, GPC, and data-broker obligations.

Apply this section before launching a collection point, ad-tech flow, rights workflow, vendor onboarding, financial incentive, minor-focused journey, or data-broker process.

Use a CCPA workflow that captures threshold status, data category, collection point, consumer right, opt-out or GPC trigger, vendor role, evidence, owner, and review date.

The output should be a threshold note, notice update, DSAR decision, opt-out/GPC record, vendor clause map, dark-pattern review, or enforcement evidence pack.