---
title: "CPRA Checklist"
canonical_url: "https://www.sorena.io/artifacts/us/cpra/checklist"
source_url: "https://www.sorena.io/artifacts/us/california-privacy-rights-act/checklist"
author: "Sorena AI"
description: "Track the California privacy workstreams that changed under CPRA and the 2026 rules."
published_at: "2026-02-22"
updated_at: "2026-02-22"
keywords:
  - "CPRA checklist"
  - "CPRA compliance checklist"
  - "California SPI checklist"
  - "CPRA risk assessment checklist"
  - "CPRA"
  - "Checklist"
  - "California privacy"
---
**[SORENA](https://www.sorena.io/)** - AI-Powered GRC Platform

[Home](https://www.sorena.io/) | [Solutions](https://www.sorena.io/solutions) | [Artifacts](https://www.sorena.io/artifacts) | [About Us](https://www.sorena.io/about-us) | [Contact](https://www.sorena.io/contact) | [Portal](https://app.sorena.io)

---

# CPRA Checklist

Track the California privacy workstreams that changed under CPRA and the 2026 rules.

*Checklist* *CPRA*

## California CPRA Checklist

Grounded in the California statute, CPPA regulations, and the 2026 California rule changes.

The CPRA checklist should tell the team which tasks belong to every in scope business and which tasks depend on sale, sharing, SPI, or high risk processing triggers.

## Baseline California controls

Every in scope business still needs current notices, request methods, request logging, and vendor paper that matches California categories and rights.

- Confirm threshold status and update notices to the current California rules
- Operate delete, correct, know, and opt out workflows within the required timelines
- Honor GPC and keep 24 month records of requests and responses
- Maintain service provider, contractor, and third party agreements

## CPRA specific controls

The next layer covers sensitive personal information, right to limit, sharing, and the newer contract and due diligence expectations.

- Classify SPI and decide whether right to limit notices are required
- Treat sharing for cross context advertising as its own governed activity
- Review contract and audit rights for all major recipients
- Make sure rights portals and notices reflect correction and limitation rights

## Forward looking 2026 controls

The final layer is the California rules effective January 1, 2026. Not every business will trigger them immediately, but the programme should know whether the business is on that path.

- Assess whether risk assessment triggers apply to current processing
- Assess whether cybersecurity audit thresholds will apply
- Track any data broker registration or DROP related obligations
- Monitor CPPA rule updates and add implementation dates to the control calendar

*Recommended next step*

*Placement: after the checklist block*

## Turn California CPRA Checklist into an operational assessment

Assessment Autopilot can take California CPRA Checklist from turning this checklist into an operational workflow to a reusable workflow inside Sorena. Teams working on California CPRA can keep owners, evidence, and next steps aligned without copying this guide into separate documents.

- [Open Assessment Autopilot for California CPRA Checklist](/solutions/assessment.md): Start from California CPRA Checklist and turn the guidance into owned tasks, evidence requests, and review checkpoints.
- [Talk through California CPRA](/contact.md): Review your current process, evidence gaps, and next steps for California CPRA Checklist.

## Primary sources

- [CPPA regulations](https://cppa.ca.gov/regulations/?ref=sorena.io) - Official California regulations hub.
- [California privacy statute effective January 1, 2026](https://cppa.ca.gov/regulations/pdf/ccpa_statute_2026.pdf?ref=sorena.io) - Current statutory text as reflected in CPPA materials.
- [CPPA FAQ](https://cppa.ca.gov/faq.html?ref=sorena.io) - Official California FAQ.
- [CPPA CCPA updates](https://cppa.ca.gov/ccpa_updates.html?ref=sorena.io) - Rulemaking and effective date updates.

## Related Topic Guides

- [CPPA Regulations Tracker | California Rulemaking Tracker](/artifacts/us/california-privacy-rights-act/cppa-regulations-tracker.md): Track the California rules that changed the operating baseline in 2026 and the related regulator outputs.
- [CPRA Applicability Test | California Scope and Trigger Guide](/artifacts/us/california-privacy-rights-act/applicability-test.md): Confirm California scope and then identify which CPRA specific obligations activate.
- [CPRA Compliance Program | California Operating Model](/artifacts/us/california-privacy-rights-act/compliance.md): Run a California programme that can absorb ongoing CPPA rules without constant redesign.
- [CPRA Consumer Rights Workflow | California Rights Operations](/artifacts/us/california-privacy-rights-act/consumer-rights-workflow.md): Run California rights operations across delete, correct, know, opt out, and limit.
- [CPRA Contracts, Contractors, and Service Providers](/artifacts/us/california-privacy-rights-act/contracts-contractors-and-service-providers.md): Draft California recipient contracts that support both baseline CPRA compliance and the newer assurance obligations.
- [CPRA Deadlines and Compliance Calendar | California Privacy Calendar](/artifacts/us/california-privacy-rights-act/deadlines-and-compliance-calendar.md): Use the dates that matter for the current California privacy regime.
- [CPRA FAQ | Practical California Privacy Rights Answers](/artifacts/us/california-privacy-rights-act/faq.md): Answer the California questions that stall CPRA implementation decisions.
- [CPRA Penalties and Fines | California Enforcement Exposure](/artifacts/us/california-privacy-rights-act/penalties-and-fines.md): Understand what makes California exposure larger, faster, and harder to defend.
- [CPRA Requirements | California Control Requirements](/artifacts/us/california-privacy-rights-act/requirements.md): Translate the current California regime into control statements that teams can build and test.
- [CPRA Risk Assessment Template | California Risk Assessment Guide](/artifacts/us/california-privacy-rights-act/cpra-risk-assessment-template.md): Use a California specific template that matches the current rule structure instead of a generic DPIA form.
- [CPRA Risk Assessments and Cybersecurity Audits | California Assurance Guide](/artifacts/us/california-privacy-rights-act/risk-assessments-and-cybersecurity-audits.md): Prepare for the California assurance duties that now have real structure, timing, and evidence requirements.
- [CPRA Sensitive Personal Information | California SPI Guide](/artifacts/us/california-privacy-rights-act/sensitive-personal-information.md): Handle SPI with the level of design and evidence the California rules now expect.
- [CPRA vs CCPA | What Actually Changed in California Privacy](/artifacts/us/california-privacy-rights-act/ccpa-vs-cpra.md): A practical CPRA vs CCPA delta guide grounded in the current California statute, CPPA regulations, Proposition 24, and official agency guidance.
- [CPRA vs Colorado Privacy Act | State Privacy Comparison](/artifacts/us/california-privacy-rights-act/cpra-vs-colorado-privacy-act.md): Compare the California and Colorado models before reusing a state privacy template across both.
- [CPRA vs Virginia VCDPA | State Privacy Comparison](/artifacts/us/california-privacy-rights-act/cpra-vs-virginia-vcdpa.md): Compare California and Virginia privacy models before reusing contracts or request flows across both.


---

[Privacy Policy](https://www.sorena.io/privacy) | [Terms of Use](https://www.sorena.io/terms-of-use) | [DMCA](https://www.sorena.io/dmca) | [About Us](https://www.sorena.io/about-us)

(c) 2026 Sorena AB (559573-7338). All rights reserved.

Source: https://www.sorena.io/artifacts/us/california-privacy-rights-act/checklist