Artifact GuideUSChecklist

California CPRA Checklist

This checklist verifies required notices, controls, workflows, records, and escalation points under the California CPRA before launch or review.

This page offers practical steps for implementation planning. Confirm legal and policy assumptions before implementation.

Back to main artifactReview sources
Author
Sorena AI
Published
May 9, 2026
Updated
May 9, 2026
Sections
3

Structured answer sets in this page tree.

Primary sources
5

Cited legal and guidance references.

Publication metadata
Sorena AI
Published May 9, 2026
Updated May 9, 2026
Overview

This checklist breaks the California CPRA into the obligations a team actually has to meet, and ties each one to its trigger, the responsible role, the deadline, the evidence to keep, and the review path. It is built so product, legal, privacy, security, and compliance teams can work from the same record.

Section 1

How should a Checklist workflow run under the California CPRA?

Run the workflow as California privacy triage: threshold, data category, consumer right, opt-out/sensitive-data status, vendor role, required action, evidence, and review.

  • Capture the request, product, role, data flow, jurisdiction, and deadline.
  • Check the source-linked rule and route exceptions before implementation.
  • Record the action taken, owner, reviewer, evidence location, and next review date.
  • Keep a plain-language output that support, product, legal, security, and compliance teams can all understand.
Sources for this answer
California Consumer Privacy Act Regulations (March 2023)
The CPPA regulations source supports the checklist workflow because it is the official rulemaking hub for operational CCPA/CPRA obligations.
California Privacy Protection Agency FAQ
The CPPA FAQ supports checklist triage by confirming that CPRA amended the CCPA with additional consumer privacy rights and business obligations.
California legislative bill text
This California legislative source supports opt-out workflow review because it preserves the no-dark-pattern requirement for consumer choice mechanisms.
Section 2

What fields should the California CPRA checklist template capture?

A useful template captures business threshold, consumer/data category, request or signal type, vendor role, response deadline, notice/control evidence, and escalation reason.

  • Source URL and source quote.
  • Entity, product, service, system, data category, and user group.
  • Decision result, control action, owner, reviewer, due date, and escalation reason.
  • Evidence attachment, approval note, exception note, and review cadence.
Sources for this answer
California Privacy Protection Agency FAQ
The CPPA FAQ supports checklist fields for consumer rights and business obligations that teams must route to owners and evidence.
California legislative bill text
This California legislative source supports checklist fields for opt-out design and consent-flow review.
Privacy Framework
The NIST Privacy Framework source is non-binding support for structuring privacy-control evidence alongside California CPRA requirements.
Section 3

How should teams review and improve the California CPRA checklist workflow?

Review the workflow after CPPA rulemaking updates, ad-tech changes, vendor changes, new data categories, consumer complaints, enforcement advisories, or material product changes.

  • Track recurring exception categories and update intake questions.
  • Remove fields that never affect the decision.
  • Add fields when reviews show missing source evidence or unclear ownership.
  • Confirm generated markdown and page content include the same visible source-linked guidance.
Sources for this answer
California Consumer Privacy Act Regulations (March 2023)
The CPPA regulations source supports review cadence because rulemaking updates can change operational checklist requirements.
California Privacy Protection Agency FAQ
The CPPA FAQ supports review triggers by summarizing added consumer rights and business obligations under CPRA.
California legislative bill text
This California legislative source supports review of opt-out interfaces and dark-pattern risk.
Privacy Framework
The NIST Privacy Framework source is non-binding support for reviewing privacy controls, evidence quality, and improvement actions.
Recommended next step

Turn California CPRA Checklist into assigned work

This California CPRA guide turns the checklist into assigned owners, evidence requests, review checkpoints, and reusable operating records inside Sorena.

Assessment workflow
Open Assessment Autopilot for California CPRA

Turn Checklist into scoped questions, evidence fields, and review tasks.

Explore next step
Research workflow
Review California CPRA source evidence

Use Research Copilot to answer follow-up questions with cited source material.

Explore next step
Talk to Sorena
Talk through California CPRA implementation

Review scope, evidence, owners, and the next compliance actions with Sorena.

Explore next step
Primary sources

References and citations

California Civil Code section 1798.100
leginfo.legislature.ca.gov
Referenced sections
  • This statutory source supports checklist fields for notice, purpose, retention, vendor contracts, and reasonable security controls.
"at or before the point of collection"
California Consumer Privacy Act Regulations (March 2023)
cppa.ca.gov
Referenced sections
  • The CPPA regulations source supports review cadence because rulemaking updates can change operational checklist requirements.
"On March 29, 2023, the Office of Administrative Law approved the California Privacy Protection Agency's regulations and filed"
California legislative bill text
leginfo.legislature.ca.gov
Referenced sections
  • This California legislative source supports review of opt-out interfaces and dark-pattern risk.
"(ii) Does not make use of any dark patterns"
California Privacy Protection Agency FAQ
cppa.ca.gov
Referenced sections
  • The CPPA FAQ supports review triggers by summarizing added consumer rights and business obligations under CPRA.
"The CPRA amended the CCPA by adding additional consumer privacy rights and obligations for businesses"
Privacy Framework
nist.gov
Referenced sections
  • The NIST Privacy Framework source is non-binding support for reviewing privacy controls, evidence quality, and improvement actions.
"Organizations should not assume implementation of these Privacy Framework activities or outcomes means that they have met the"
Related guides

Explore more topics

California CPRA FAQ
Practical California CPRA FAQ guidance with implementation decisions, evidence, edge cases, and official California source citations.
California CPRA penalties and fines Guide
US CPRA guidance for penalties and fines, with practical decisions, evidence, edge cases, and external source citations.
California CPRA Requirements Guide
Practical guidance for California CPRA requirements, with practical decisions, evidence, edge cases, and external source citations.
California CPRA Risk Assessments, Cybersecurity Audits, and ADMT Guide
California CPRA guidance for risk assessments, cybersecurity audits, and ADMT, with practical decisions, evidence, edge cases, and external source citations.
California Data Broker Deletion Workflow Guide
California Delete Act and CPRA-adjacent guidance for data broker deletion workflows, with practical decisions, evidence, edge cases, and official citations.
California Data Broker Registry and DROP Guide
California Delete Act guide to the Data Broker Registry and DROP, with practical decisions, evidence, edge cases, and official source citations.
California Delete Act data broker registry and DROP guide
California Delete Act guidance for the data broker registry and Delete Request and Opt-Out Platform (DROP), with owners, evidence, and official sources.
CPRA enforcement advisories: CPPA investigations, fines, and risk mitigation
US CPRA guidance for Enforcement Advisories, with practical decisions, evidence, edge cases, and external source citations.
CPRA Global Privacy Control (GPC): opt-out requirements and enforcement FAQ
US CPRA guidance for GPC, with practical decisions, evidence, edge cases, and external source citations.
US CPRA Applicability Test Guide
Practical guidance for the US CPRA applicability test, with practical decisions, evidence, edge cases, and external source citations.
US CPRA CCPA vs CPRA Guide
US CPRA guidance for CCPA vs CPRA, with practical decisions, evidence, edge cases, and external source citations.
US CPRA Compliance Guide
Practical guidance for the US CPRA compliance, with practical decisions, evidence, edge cases, and external source citations.
US CPRA Consumer Rights Workflow Guide
US CPRA guidance for Consumer Rights Workflow, with practical decisions, evidence, edge cases, and external source citations.
US CPRA Contract Terms Guide
US CPRA guidance for Contract Terms, with practical decisions, evidence, edge cases, and external source citations.
US CPRA Contracts Contractors And Service Providers Guide
US CPRA guidance for Contracts Contractors And Service Providers, with practical decisions, evidence, edge cases, and external source citations.
US CPRA Correction Rights Guide
US CPRA guidance for Correction Rights, with practical decisions, evidence, edge cases, and external source citations.
US CPRA Cppa Regulations Tracker Guide
US CPRA guidance for Cppa Regulations Tracker, with practical decisions, evidence, edge cases, and external source citations.
US CPRA Cyber Audit Readiness Workflow Guide
US CPRA guidance for Cyber Audit Readiness Workflow, with practical decisions, evidence, edge cases, and external source citations.
US CPRA Deadlines and Compliance Calendar Guide
US CPRA guidance for Deadlines and Compliance Calendar, with practical decisions, evidence, edge cases, and external source citations.
US CPRA DSAR And Correction Workflow Guide
US CPRA guidance for DSAR And Correction Workflow, with practical decisions, evidence, edge cases, and external source citations.
US CPRA GPC Handling Guide
US CPRA guidance for GPC Handling, with practical decisions, evidence, edge cases, and external source citations.
US CPRA GPC Handling Workflow Guide
US CPRA guidance for GPC Handling Workflow, with practical decisions, evidence, edge cases, and external source citations.
US CPRA Retention Guide
US CPRA guidance for Retention, with practical decisions, evidence, edge cases, and external source citations.
US CPRA Risk Assessment Intake Workflow Guide
US CPRA guidance for Risk Assessment Intake Workflow, with practical decisions, evidence, edge cases, and external source citations.
US CPRA Risk Assessment Template Guide
US CPRA guidance for CPRA Risk Assessment Template, with practical decisions, evidence, edge cases, and external source citations.
US CPRA Risk Assessments And Cybersecurity Audits Guide
US CPRA guidance for Risk Assessments And Cybersecurity Audits, with practical decisions, evidence, edge cases, and external source citations.
US CPRA Sensitive Personal Information Guide
US CPRA guidance for Sensitive Personal Information, with practical decisions, evidence, edge cases, and external source citations.
US CPRA Sensitive Personal Information Limits Guide
US CPRA guidance for Sensitive Personal Information Limits, with practical decisions, evidence, edge cases, and external source citations.
US CPRA Sharing and Cross-Context Behavioral Advertising Guide
US CPRA guidance for Sharing and Cross-Context Behavioral Advertising, with practical decisions, evidence, edge cases, and external source citations.
US CPRA vs Colorado Privacy Act Guide
US CPRA guidance for CPRA vs Colorado Privacy Act, with practical decisions, evidence, edge cases, and external source citations.
US CPRA vs Virginia Vcdpa Guide
US CPRA guidance for CPRA vs Virginia Vcdpa, with practical decisions, evidence, edge cases, and external source citations.
What should teams do about ADMT under the US CPRA?
US CPRA guidance for ADMT, with practical decisions, evidence, edge cases, and external source citations.
What should teams do about Contract Terms under the US CPRA?
US CPRA guidance for Contract Terms, with practical decisions, evidence, edge cases, and external source citations.
What should teams do about Correction Rights under the US CPRA?
US CPRA guidance for Correction Rights, with practical decisions, evidence, edge cases, and external source citations.
What should teams do about Cybersecurity Audits under the US CPRA?
US CPRA guidance for Cybersecurity Audits, with practical decisions, evidence, edge cases, and external source citations.
What should teams do about retention under the California CPRA?
California CPRA guidance for retention, including data minimization, privacy policy disclosures, evidence records, and official source citations.
What should teams do about Risk Assessments under the US CPRA?
US CPRA guidance for Risk Assessments, with practical decisions, evidence, edge cases, and external source citations.
What should teams do about Sensitive Personal Information Limits under the US CPRA?
US CPRA guidance for Sensitive Personal Information Limits, with practical decisions, evidence, edge cases, and external source citations.
What should teams do about Sharing and Cross-Context Behavioral Advertising under the California CPRA?
California CPRA guidance for Sharing and Cross-Context Behavioral Advertising, with practical decisions, evidence, edge cases, and external source citations.