Compliance Checklist

CCPA Compliance Checklist for Small Businesses: 17 Steps to Get Compliant in 2026

📅 April 20, 2026 ✎️ Precept Research ⏳ 12 min read

The California Consumer Privacy Act is the most-enforced state privacy law in the US — and the most searched. This guide answers the first question every small business needs to ask (do I even need to comply?) and then walks you through every concrete step if the answer is yes. No legal jargon. No vague guidance. Seventeen specific, actionable items your team can actually execute.

🔍 Not sure if your site is CCPA compliant? Precept scans your website against CCPA, CPRA, and 20+ other state privacy laws in 60 seconds.

Scan my site free →
$7,500: maximum fine per intentional CCPA violation
$1.35M: Tractor Supply CCPA/CPRA settlement (2024)
45: days to respond to consumer rights requests
72hrs: data breach notification window (under CPRA)

Part 1: Do You Actually Need to Comply with CCPA?

CCPA applies to for-profit businesses that collect personal information from California residents and meet at least one of the following three thresholds:

Threshold         | Criteria                                                                                                    | Applies to You?
Annual Revenue    | Gross annual revenues exceeding $25 million                                                                 | Check your revenue
Consumer Volume   | Buys, receives, sells, or shares the personal information of 100,000 or more consumers or households annually | Check your analytics
Revenue from Data | Derives 50% or more of annual revenues from selling or sharing consumers' personal information               | Check your revenue mix

If your business does not meet any of these thresholds, CCPA technically does not apply — but read on before you close this tab. First: the 100,000-consumer threshold is lower than most small businesses realize. If your website serves any California residents (and nearly any consumer-facing business does), you can hit 100,000 consumer records within a year or two simply through standard analytics tracking, email lists, and purchase history. Second: even if you're exempt today, building privacy-compliant practices now costs far less than retrofitting a non-compliant system later.

Note on CPRA: The California Privacy Rights Act (effective January 1, 2023) enhanced CCPA with new rights (correction, sensitive data limits), stricter rules, and created the California Privacy Protection Agency (CPPA). Throughout this guide, "CCPA" refers to the current law including all CPRA amendments.

Exemptions that may apply to small businesses

Even if you technically meet a threshold, certain exemptions may reduce your compliance burden:

Part 2: The CCPA Compliance Checklist — 17 Actionable Steps

If you meet the threshold, here is every concrete action you need to take. This checklist maps directly to the CCPA/CPRA statutory requirements and the documented violation patterns in California AG enforcement actions.

📄 1. Privacy Policy Requirements
  • Publish a CCPA-compliant privacy policy
    Must be available at a conspicuous link (e.g., "Privacy Policy") from every page. Not login-gated. Not buried in a footer dropdown.
  • Disclose all categories of personal information collected
    CCPA requires you to list categories using its defined taxonomy: identifiers, commercial information, internet activity, geolocation, biometric data, inferences, sensitive personal information, etc.
  • Disclose the business purpose for collecting each category
    For each data category, state why you collect it. "To improve services" is not sufficient — be specific about the operational purpose.
  • Disclose all third parties that receive personal data
    Every ad platform, analytics tool, CRM, and data processor that receives personal information must be disclosed by category (you don't have to name each vendor individually, but categories must be specific).
  • List all consumer rights and how to exercise them
    Access, deletion, correction, portability, opt-out of sale/sharing, opt-out of sensitive data use, and non-discrimination — all must be described with the method for submitting requests (email, web form, toll-free number).
  • Include data retention schedules by category
    CPRA requires you to disclose how long each category of personal information will be retained. This is a new requirement many privacy policies still miss.
🚫 2. Opt-Out of Sale / Do Not Sell
  • Add a "Do Not Sell or Share My Personal Information" link
    This link must appear in your homepage footer and privacy policy. It cannot be hidden, require login, or be presented in a confusing way. Sephora's 2022 enforcement action — the first CCPA case ever — started here.
  • Honor Global Privacy Control (GPC) browser signals
    California and several other states legally require you to treat a GPC browser signal as a valid opt-out request. This requires a technical implementation: your site must detect the GPC header and stop data sharing for that user. CPPA has issued enforcement guidance making this non-negotiable.
  • Ensure opt-out flows require no more than two steps
    Honda paid $632,000 in 2024 specifically for making privacy opt-out flows "unnecessarily difficult." The AG called these "dark patterns." Maximum two steps, no excessive identity verification.
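The GPC detection step above is the one checklist item that is purely a developer task, so here is an added example of what it looks like in code. This is not code from the article or from Precept. What is factual: the Global Privacy Control specification sends the signal as the HTTP request header `Sec-GPC: 1` (checked server-side) and exposes it to page scripts as `navigator.globalPrivacyControl === true` (checked client-side). Everything else (the tag inventory, the `ccpa_opt_out` cookie name, the sample requests) is constructed for illustration.

```javascript
// Added example (not from the article): honoring the Global Privacy Control (GPC) opt-out.
// The signal arrives two ways, per the GPC specification:
//   - HTTP request header   "Sec-GPC: 1"                          (server-side check)
//   - browser property      navigator.globalPrivacyControl === true (client-side check)
// Tag list, cookie name and sample requests below are constructed for illustration.

const GPC_HEADER = "sec-gpc";

// HTTP header names are case-insensitive, so normalize before lookup
// (Node's http module already lower-cases them; other frameworks may not).
function normalizeHeaders(headers) {
  const out = {};
  for (const [name, value] of Object.entries(headers || {})) {
    out[name.toLowerCase()] = String(value).trim();
  }
  return out;
}

// Server-side check. The specification defines the signal as the exact value "1";
// any other value ("0", "true", empty) is not an opt-out and must not be treated as one.
function hasGpcHeader(headers) {
  return normalizeHeaders(headers)[GPC_HEADER] === "1";
}

// Client-side check for code running in the page (e.g. a tag loader).
// `nav` is passed in instead of using the global so it can be tested outside a browser.
function hasGpcProperty(nav) {
  return Boolean(nav && nav.globalPrivacyControl === true);
}

// Decide whether cross-context sharing (ad pixels, data brokers) is allowed for this visitor.
// A GPC signal is an opt-out in its own right and is honored even if the visitor never clicked
// the "Do Not Sell or Share" link; a previously stored explicit opt-out is honored as well.
function sharingDecision({ headers = {}, nav = null, storedOptOut = false }) {
  if (hasGpcHeader(headers) || hasGpcProperty(nav)) {
    return { shareAllowed: false, reason: "gpc-signal" };
  }
  if (storedOptOut) {
    return { shareAllowed: false, reason: "stored-opt-out" };
  }
  return { shareAllowed: true, reason: "no-opt-out" };
}

// Constructed tag inventory. `sharesData` marks tags that send personal information to a
// third party for cross-context behavioral advertising (a "sale or share" under CCPA).
const TAGS = [
  { id: "first-party-analytics", sharesData: false },
  { id: "ad-platform-pixel-a", sharesData: true },
  { id: "ad-platform-pixel-b", sharesData: true },
];

// Return only the tags that may be loaded for this visitor: sharing tags are dropped
// when the visitor has opted out, tags that do not share data always load.
function tagsToLoad(decision, tags = TAGS) {
  return tags.filter((t) => !t.sharesData || decision.shareAllowed);
}

// Persist an opt-out so later page views honor it even if the signal is absent.
// Constructed cookie name; one-year lifetime, first-party only, HTTPS only.
function optOutCookie(decision) {
  if (decision.shareAllowed) return null;
  return "ccpa_opt_out=1; Max-Age=31536000; Path=/; Secure; SameSite=Lax";
}

// Constructed sample requests
const SAMPLE_OPTED_OUT = { headers: { "Sec-GPC": "1", "User-Agent": "ExampleBrowser/1.0" } };
const SAMPLE_NO_SIGNAL = { headers: { "User-Agent": "ExampleBrowser/1.0" } };
const SAMPLE_MALFORMED = { headers: { "Sec-GPC": "true" } };

function demo() {
  for (const req of [SAMPLE_OPTED_OUT, SAMPLE_NO_SIGNAL, SAMPLE_MALFORMED]) {
    const d = sharingDecision(req);
    console.log(d.reason, "->", tagsToLoad(d).map((t) => t.id).join(", "));
  }
}
demo();
```

Run the decision before any advertising tag is injected (server-side where the HTML is rendered, and again in the client tag loader, since a page cached without the header may still be served to a GPC user), and keep a record of each decision: the 45-day DSAR process and any regulator inquiry will ask how opt-outs were honored.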
👥 3. Consumer Rights Implementation
  • Build or deploy a Data Subject Access Request (DSAR) form
    Consumers must be able to request access to, deletion of, correction of, or a copy of their personal data. A web form and a toll-free phone number are required if you collect data online. Email alone is not sufficient.
  • Establish a 45-day DSAR response process
    CCPA requires a response within 45 calendar days. You can extend by another 45 days with notice if needed. Track requests, assign ownership, and document your responses — regulators will ask for this in an investigation.
  • Implement identity verification that is proportional
    You must verify requestors are who they claim to be — but verification cannot be so burdensome that it effectively denies the right. No government ID required for standard requests. Two-factor confirmation via email or account credentials is the benchmark.
  • Extend rights to authorized agents
    Consumers can designate an authorized agent to submit requests on their behalf. You must honor these requests with appropriate verification of the agent relationship.
📊 4. Data Inventory and Mapping
  • Build a complete data inventory across all systems
    Document every system that stores or processes personal information: CRM, email platform, analytics, support tickets, payment processors, databases, file storage. You cannot write an accurate privacy policy or fulfill deletion requests without knowing where your data lives.
  • Map data flows to identify all selling and sharing
    Any personal information passed to a third party for cross-context behavioral advertising — including via standard ad pixels like Meta Pixel and Google Ads tags — is legally a "sale or share" under CCPA even if no money changes hands. DoorDash and GoodRx were fined for exactly this. Map every pixel on every page.
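"Map every pixel on every page" starts with knowing which third-party hosts each page actually loads, and then comparing that list against the vendors your privacy policy discloses. The following is an added example of that first pass; it is not code from the article and not the Precept scanner. The sample HTML, the site host `shop.example` and the disclosed-vendor list are constructed with reserved example domains, and the script makes no network requests.

```javascript
// Added example (not from the article, not the Precept scanner): inventory the third-party
// hosts a page loads and report the ones missing from the privacy policy's vendor list.
// All HTML, host names and vendor lists here are constructed sample data; nothing is fetched.
//
// Caveat: a regular expression over src/href attributes is an inventory aid, not a complete
// audit. Tags injected at runtime by a tag manager or by other scripts never appear in the
// static HTML, so a rendered-page crawl is still needed for completeness.

const RESOURCE_ATTR = /<(?:script|img|iframe|link)\b[^>]*?\s(?:src|href)\s*=\s*["']([^"']+)["']/gi;

// Pull every src/href value out of script, img, iframe and link tags.
function extractResourceUrls(html) {
  return Array.from(html.matchAll(RESOURCE_ATTR), (m) => m[1]);
}

// True when `host` is the site itself or one of its subdomains.
function isFirstParty(host, siteHost) {
  return host === siteHost || host.endsWith("." + siteHost);
}

// Count requests per third-party host. Relative and protocol-relative URLs are resolved
// against the site origin so they are classified as first-party correctly.
function thirdPartyHosts(html, siteHost) {
  const counts = new Map();
  for (const raw of extractResourceUrls(html)) {
    let url;
    try {
      url = new URL(raw, `https://${siteHost}/`);
    } catch {
      continue; // unparseable value, skip it
    }
    if (url.protocol !== "https:" && url.protocol !== "http:") continue; // data:, javascript:
    if (isFirstParty(url.hostname, siteHost)) continue;
    counts.set(url.hostname, (counts.get(url.hostname) || 0) + 1);
  }
  return Array.from(counts, ([host, count]) => ({ host, count }))
    .sort((a, b) => a.host.localeCompare(b.host));
}

// Compare observed hosts with those the privacy policy already discloses and return the
// undisclosed ones: each is a disclosure gap to resolve (disclose it, or remove the tag).
function undisclosedHosts(observed, disclosedHosts) {
  const disclosed = new Set(disclosedHosts.map((h) => h.toLowerCase()));
  return observed.filter((o) => !disclosed.has(o.host.toLowerCase())).map((o) => o.host);
}

// Constructed sample page for a hypothetical site at shop.example
const SAMPLE_HTML = `
<html><head>
<link rel="stylesheet" href="/static/site.css">
<script src="/static/app.js"></script>
<script async src="https://tags.adnetwork.example/pixel.js"></script>
<script src="//cdn.analytics.example/collect.js"></script>
</head><body>
<img src="https://static.shop.example/logo.png" alt="logo">
<img src="https://tags.adnetwork.example/tr?ev=PageView" height="1" width="1" alt="">
<iframe src="https://maps.mapvendor.example/embed"></iframe>
<a href="mailto:privacy@shop.example">Privacy</a>
</body></html>`;

// Constructed vendor hosts as disclosed in the (hypothetical) privacy policy
const DISCLOSED_VENDOR_HOSTS = ["cdn.analytics.example", "maps.mapvendor.example"];

function report(html = SAMPLE_HTML, siteHost = "shop.example", disclosed = DISCLOSED_VENDOR_HOSTS) {
  const observed = thirdPartyHosts(html, siteHost);
  return { observed, gaps: undisclosedHosts(observed, disclosed) };
}

console.log(JSON.stringify(report(), null, 2));
```

On the sample page the ad-network host shows up twice (a script and a 1x1 tracking image) and is absent from the disclosed list, which is exactly the gap the Sephora and Tractor Supply cases turned on. Run the same check per page, not once per site: a pixel added only to a checkout or prescription-lookup page is still a sale or share.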
📋 5. Service Provider and Vendor Agreements
  • Execute CCPA-compliant contracts with all service providers
    Any vendor that processes personal information on your behalf must have a written contract that restricts how they can use the data, prohibits them from selling it, and requires them to delete data upon your request. Standard vendor agreements typically do not include these terms — check and update them.
  • Require deletion propagation in vendor contracts
    When a consumer submits a deletion request, you must delete their data — and your vendor contracts must require your service providers to delete it too. This is a frequently overlooked gap.
🛠️ 6. Technical and Operational Controls
  • Implement reasonable security measures for personal data
    CCPA/CPRA requires "reasonable security procedures and practices" for personal information. Minimum standard includes encryption at rest and in transit, access controls, and documented security practices. A data breach can trigger both CPPA investigation and private class action suits ($100–$750 per consumer).
  • Establish a data breach notification procedure
    California law (and CPRA) requires notification to affected consumers without unreasonable delay when unencrypted personal information is breached. Internal escalation procedures, draft notification templates, and regulator notification processes should be documented before you need them.
  • Train employees who handle personal data
    All staff with access to consumer data must understand CCPA rights, how to route consumer requests, and what not to do (e.g., never share personal data with a third party without checking your data sharing agreements). Training records should be maintained for audit purposes.
  • Conduct a Data Protection Assessment for high-risk processing
    CPRA requires privacy risk assessments for processing activities that present significant risk to consumers — specifically targeted advertising, sale of personal data, profiling, and processing sensitive personal information. Document the assessment, the risks identified, and the safeguards applied.

See exactly which checklist items you're failing. Precept automatically detects missing opt-out links, GPC non-compliance, tracker disclosure gaps, and more — in 60 seconds.

Check my site now →

Part 3: Common CCPA Compliance Mistakes (With Real Enforcement Consequences)

The following mistakes aren't theoretical. Each maps to an actual California enforcement action. If any of these describe your current setup, you have the same kind of violation that has already resulted in a documented fine.

⚠️ Sephora — $1.2M Settlement (2022)
California AG • First CCPA enforcement action ever
Mistake: Sephora was sharing customer data with advertising networks through standard ad pixels — a practice they did not disclose as a "sale" in their privacy policy and for which they provided no opt-out mechanism. The AG determined that passing data to advertising platforms for cross-context behavioral advertising is legally a "sale" even when no money is exchanged.
Lesson: If Meta Pixel, Google Ads, or any advertising tag is on your site, you are almost certainly "selling" personal data under CCPA. Disclose it and provide opt-out. Non-disclosure is the violation, not the tracking itself.
⚠️ DoorDash — $375,000 Settlement (2024)
California AG • CCPA • Marketing cooperative data sharing
Mistake: DoorDash participated in a marketing cooperative — essentially a data-sharing arrangement where customer information is pooled with other businesses for mutual advertising purposes. This was not adequately disclosed in their privacy policy as a sale or sharing of personal data, and there was no opt-out mechanism specific to this cooperative sharing.
Lesson: Any arrangement where customer data is used by or shared with parties outside your direct service relationship — co-marketing, affiliate programs, data cooperatives — must be disclosed and offer an opt-out path.
⚠️ Honda — $632,000 Settlement (2024)
California AG • CCPA/CPRA • Dark patterns in opt-out flow
Mistake: Honda made its privacy rights request process unnecessarily difficult. The AG found "dark patterns" in the opt-out flow — confusing UI, excessive steps, disproportionate identity verification requirements — that effectively prevented consumers from exercising their rights even when they tried to. The violation wasn't that Honda lacked an opt-out mechanism; it was that the mechanism was designed to fail.
Lesson: Having an opt-out form is not enough. Test it. Submit a real request. If it takes more than two steps or asks for your driver's license, you have a problem.
⚠️ Tractor Supply — $1.35M Settlement (2024)
California AG • CCPA/CPRA • Missing opt-out mechanism
Mistake: Tractor Supply was selling personal data — specifically consumer purchase and behavioral data — to third parties without the required disclosures in their privacy policy and without a visible "Do Not Sell or Share" link. The AG's office identified the violation by reviewing the company's public-facing website. No subpoena required.
Lesson: California AG enforcement frequently starts with a surface-level website review. If the "Do Not Sell" link isn't in your footer today, you are already discoverable. Add it now.
⚠️ GoodRx — $100M+ Settlement (2023)
FTC + California AG • Health data shared with advertisers without consent
Mistake: GoodRx collected health-related data from its platform (prescription information, health conditions) and shared it with Facebook, Google, and Criteo for advertising purposes without user consent. The company's privacy policy did not disclose this. Health data received by advertising platforms via standard tracking pixels is still health data — and its disclosure to ad platforms is among the most aggressively enforced violations.
Lesson: If you run any health-adjacent service and use standard advertising pixels, audit what data those pixels are receiving on each page. Prescription lookup pages, symptom checkers, and appointment booking flows have cost companies hundreds of millions.

Part 4: How Long Does CCPA Compliance Take?

The honest answer depends heavily on your starting point and technical infrastructure. Here is a realistic timeline for a small to mid-size business building CCPA compliance from scratch:

Week 1–2: Scoping and data inventory
Determine if CCPA applies. Run a technical scan of your website to identify all third-party trackers, pixels, and scripts (Precept can do this in 60 seconds for the surface-layer audit). Audit internal systems for where personal data is stored: CRM, database, email platform, support tickets, analytics.

Week 3–4: Privacy policy and notices
Draft or update your privacy policy to include all CCPA-required disclosures. This typically requires legal review — template policies from the internet are frequently non-compliant. Add the "Do Not Sell or Share" footer link. Update your website's cookie consent mechanism if you have one.

Week 5–6: Consumer rights infrastructure
Build or deploy a DSAR intake form. Set up a response workflow: who receives requests, who has access to pull data, who approves deletions. Document the process. Test it end-to-end with a real request before launch.

Week 7–8: Vendor contracts and technical controls
Review and update service provider agreements with CCPA-compliant terms. Implement GPC browser signal detection (a developer task, typically 2–4 hours). Set up a basic breach response plan and notification template.

Month 3+: Ongoing maintenance
CCPA compliance is not a one-time project. New vendors get added. New data categories get collected. The CPPA issues new guidance. Build a quarterly review process: re-scan your website, audit new vendor relationships, update the privacy policy, test the DSAR flow. Document everything — documentation is your defense if you receive a regulatory inquiry.

Realistic total: For a lean small business with a single website, basic compliance is achievable in 6–8 weeks with focused effort and some legal help on the privacy policy. The ongoing maintenance burden is roughly 4–8 hours per quarter once the foundation is in place.

Sensitive Personal Information: The CPRA Enhancement You Can't Miss

The 2023 CPRA amendments added a new category — Sensitive Personal Information (SPI) — that carries stricter rules than standard personal information. If you collect any of the following, you have additional compliance obligations:

For SPI, consumers have the right to limit use and disclosure — meaning you can only use it for the specific purposes they consented to or that are necessary for the service. You must disclose that you collect SPI, provide a separate "Limit the Use of My Sensitive Personal Information" link (separate from the Do Not Sell link), and honor requests to limit processing within 15 business days.

How Precept Accelerates Your CCPA Compliance Audit

The fastest way to identify CCPA gaps is a technical scan of your public-facing website. Most of the violations in the enforcement cases above — missing opt-out links, undisclosed third-party trackers, dark patterns in consent flows, GPC non-compliance — are detectable automatically from the outside. That's how California's AG found them. You can find them first.

Precept scans your website against CCPA, CPRA, and all 20 active US state privacy laws simultaneously. In under 60 seconds, you'll see:

Find your CCPA compliance gaps in 60 seconds

Precept runs the same surface-layer audit California's AG uses to identify violations — before they do. Free, no account required, instant report with fix recommendations.

Scan my site now — it's free →