CPRA Compliance Checklist: 7 Key Steps

Any business interested in serving the fifth largest economy in the world needs to become compliant with the California Privacy Rights Act (CPRA). But that’s easier said than done. 

The law has so many individual requirements that step one is pretty unclear—worse, many of these requirements can’t be effectively met until you’ve established a foundation for compliance first. 

One way to establish a foundation is to follow a CPRA compliance checklist. In this article, we will delve into the basics of CPRA, explore its key principles, and outline the essential steps to achieve compliance. 

What Is the California Privacy Rights Act (CPRA)? 

The California Privacy Rights Act (CPRA) gives California residents control and protection over their personal information by providing them with rights and assigning the businesses that process their data certain responsibilities. Its predecessor was the California Consumer Privacy Act, or CCPA—however, the CCPA had a few gaps that the CPRA plugged. 

The act grants consumers:  

• The right to know what personal information is being collected about them. 
• The right to request the deletion of their personal information. 
• The right to opt out of the sale of their personal information. 
• And more. 

Under the CPRA, businesses are required to provide clear and conspicuous notices to consumers about their data collection and sharing practices. They must also implement reasonable security measures to safeguard personal information and obtain explicit consent before collecting or selling sensitive information, such as financial or health data. 

Who Does the CPRA Apply To? 

The CPRA applies to any for-profit business that collects, shares, or sells the personal information of California residents—but only if that business meets certain thresholds first. It doesn't matter if the business is based in California or operates outside the state; as long as it meets the criteria, it must comply with the CPRA. 

Specifically, the CPRA applies to businesses that meet at least one of the following:  

• Have annual gross revenues of $25 million or more and do business in California. 
• Businesses that buy, receive, or sell the personal information of 50,000 or more California residents, households, or devices 
• Businesses that derive 50% or more of their annual revenue from selling California residents' personal information. 

The law applies to a wide range of businesses, including retailers, service providers, online platforms, and even companies that do not have a physical presence in California but conduct business within the state. It covers both online and offline activities, ensuring that all businesses that handle the personal information of California residents are held accountable. 

So, if you’re subject to the CPRA and are found to be noncompliant, what happens? 

Well, the state attorney general and the California Privacy Protection Agency have the right to levy fines against noncompliant businesses, including: 

• Up to $7,500 for each intentional violation. 
• Up to $2,500 for each unintentional violation.  

Each instance of improperly handled personal information counts as a violation, so these fines can quickly balloon to a serious level that has numbered in the millions of dollars in the past. 

CPRA Compliance Checklist 

Now that the key principles of CPRA are clear, let's move on to the steps you need to take to achieve compliance. 

1. Map Your Data 

Start by conducting a comprehensive data inventory and mapping exercise. This involves identifying all the personal information your business collects, where it is stored, how it is used, and who it is shared with. Personal information includes any information that identifies, relates to, describes, or is capable of being associated with a particular individual. 

During the audit, consider all possible sources of personal information, including customer databases, website analytics, and third-party vendors. It is important to document and categorize the types of personal information collected, such as names, email addresses, phone numbers, and financial data. 

Mapping your data flows will help you:  

• Understand the potential risks and the appropriate security measures that need to be implemented.  
• Be effective in implementing the necessary measures to protect personal information and comply with the CPRA. 
• Determine which vendors and partners receive personal information and, consequentially, which contracts need to include data processing addenda (more on that later). 
• Identify where you store sensitive personal information and where you need to apply stronger security. 
• Understand which flows are subject to opt-out requests. 
• Fulfill subject rights requests. 
• And more. 

Ultimately, mapping your data serves as the foundation for all your downstream compliance activities. 

2. Implement Proper Security Measures 

To comply with the CPRA, businesses must implement reasonable security measures to safeguard personal information. Specifically, Section 1798.100 of the law (“General Duties of Businesses that Collect Personal Information”) states that: 

A business that collects a consumer’s personal information shall implement reasonable security procedures and practices appropriate to the nature of the personal information to protect the personal information from unauthorized or illegal access, destruction, use, modification, or disclosure.

This doesn’t exactly give specific guidance about what “security procedures and practices” need to be implemented. That’s why it’s important to have a data security expert on your team who can implement security best practices, such as meeting SOC 2 standards. 

One clear requirement in the CPRA is the need to protect personal information at an “appropriate” level based on its nature—that means businesses need to apply a higher standard of security around the sensitive personal information they process. If you effectively mapped your data in step one, then you’ll know where to apply this higher standard. 

3. Develop a Privacy Policy 

A robust privacy policy is essential for CPRA compliance. The policy should clearly and accurately outline how your business collects, uses, and shares personal information as well as the rights of consumers under the CPRA. 

If you’ve just started working toward CPRA compliance, you may not have all of this information at hand yet. For instance, you may not have implemented a means of handling subject rights requests. The reality is that your privacy policy should be a living document; as your compliance operations change in your organization, it will need to change as well. As you further develop your privacy program, remember to update your policy correspondingly. A helpful perspective to adopt is that a compliance activity can’t be considered “done” unless you’ve assessed whether it must be reflected in your privacy policy. 

4. Handle Consumer and Employee Requests 

Under the CPRA, consumers have the right to:  

• Know about the personal information collected and used by a business. 
• Request the deletion of their data. 
• Correct inaccurate information. 
• Opt out from the sharing or sale of their personal information. 
• Request businesses to limit the use and disclosure of sensitive personal information. 
• Not have their personal information sold or shared if they haven’t first opted in if they are a child under the age of 16. 
• Not have their personal information sold or shared if their parent or guardian hasn’t first opted in if they are a child under the age of 13. 
• Avoid discrimination upon exercising the rights granted by the CPRA.  

Businesses need to make it easy for consumers to exercise these rights, such as through a DSAR form, toll-free phone number, and/or an email address. What’s more, requests need to be fulfilled within 45 days. Businesses can request an extension of up to 90 days, but they must prove that the request is of a particularly high volume or complexity first. 

When handling consumer requests, businesses should have a system in place to authenticate and verify the identity of the requester. This is crucial to prevent unauthorized access to personal information—especially if sensitive personal information is involved. 

It is also important to document and track all consumer requests and the actions taken to fulfill them. This can help demonstrate compliance in the event of an audit or regulatory inquiry. 

5. Negotiate Data Processing Addenda and Establish Default Contractual Language 

It’s fairly rare these days for a business to process personal information without sending some of it to another organization, whether that’s a partner, vendor, or another entity. To ensure these other organizations continue to give consumer data the protection it deserves, the CPRA requires businesses to add data processing addenda to their contracts with vendors. 

There are actually three entities under the CPRA we need to be aware of: 

• Service providers, or organizations that process personal information for you. 
• Contractors, or organizations that use personal information to provide a service for you.  
• Third parties, which are defined as any organization that isn’t a service provider or contractor. 

Only service providers and contractors need data processing addenda under the CPRA. The important thing to know is that the personal data you share with service providers and contractors who have these contractual provisions in place is exempt from consumer opt-out requests. The idea here is that service providers and contractors are likely providing critical business functions necessary to your operations, as opposed to, say, targeted advertising delivered by a third party. 

Essentially, the addendum ensures that your service provider or contractor can only use your consumers’ data for a specific purpose, must delete that data once that purpose has been met, must implement certain security measures, and so on. 

Unfortunately, there is no prescribed format for a data processing addendum, so you’ll need to work with legal counsel to determine what your preferred language should be. 

6. Implement and Operationalize Opt-out Mechanisms 

The CPRA requires you to provide consumers with two links: 

1. A “Do Not Sell or Share My Personal Information” link.

2. A “Limit the Use of My Sensitive Personal Information” link. 

These relate to the subject rights listed previously, so you may have handled this requirement already. If not, however, it is absolutely essential that you provide these links and operationalize them. The
"Do Not Sell or Share My Personal Information" link needs to trigger the cessation of any data transfers to third parties (not service providers or contractors, however). 

The “Limit the Use of My Sensitive Personal Information” link functions in a similar way but is stricter. Not only must you cease any transfers of sensitive personal information, but you may only use sensitive personal information if it's necessary for delivering your core product or service and a way that a consumer would reasonably expect. 

Lastly, the California Privacy Protection Agency has clarified that businesses must also accept universal opt-out signals, like the Global Privacy Control. These technologies propagate a visitor’s consent preferences in advance so that they don’t have to interact with a cookie banner or make an opt-out request to communicate their preferences. 

7. Review and Iterate 

It can be tempting to think of data privacy compliance as a one-and-done activity, but the reality is that compliance is an ongoing process. Your organization and the way your organization processes personal data will change over time. It’s essential that you:   

• Keep your data map updated.  
• Improve upon your data protection efforts to plug any gaps, keep up with evolving security practices, and adjust as your systems and processes change over time.  
• Maintain your privacy policies and notices so that they accurately reflect the reality of your organization’s data processing activities.  
• Iterate upon your DSAR workflow to reduce effort, risk, and cost.  
• Manage your contract portfolio to ensure data processing language remains up to date and new contracts successfully incorporate that language. 
• Maintain adequate staff and plan for associated costs.  

 Attending to all of these requirements at once can be exhausting, especially if you rely on manual, time-consuming processes to carry out your compliance activities. Businesses that rely on Osano for their data mapping, consent management, DSAR workflow, and other difficult but highly automatable compliance requirements regain much-needed time to maintain their CPRA compliance status.  

Schedule a demo to find out how Osano can support your compliance with the CPRA and beyond.