CCPA Compliance Checklist for Small Businesses and Startups
Does the CCPA Apply to Your Business?
The California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), applies to for-profit businesses that collect personal information from California residents and meet at least one of these criteria: annual gross revenue exceeding $25 million; buying, selling, or sharing the personal information of 100,000 or more California consumers, households, or devices per year; or deriving 50% or more of annual revenue from selling or sharing consumers' personal information.
If you do not meet any of these thresholds, the CCPA does not apply to you directly. However, many businesses voluntarily comply because they anticipate growth past the thresholds, because other states are adopting similar laws, or because customers increasingly expect transparency regardless of legal requirements.
Keep in mind that "personal information" under the CCPA is defined broadly. It includes names, addresses, email addresses, IP addresses, browsing history, purchase records, geolocation data, and even inferences drawn from this data to create consumer profiles. If you use Google Analytics on your website, you are likely collecting personal information from California consumers.
The CCPA Compliance Checklist
1. Map Your Data
Start by identifying all the personal information your business collects, uses, and shares. For each category, document what information is collected; the sources (directly from consumers, from third parties, or automatically through cookies and tracking); the business purpose for collection; whether it is sold or shared with third parties; and how long it is retained. This data map is the foundation for your privacy disclosures and for responding to consumer requests.
2. Update Your Privacy Policy
The CCPA requires specific disclosures in your privacy policy. Your CCPA-compliant privacy policy must list the categories of personal information collected in the past 12 months; the categories of sources from which information is collected; the business or commercial purpose for collection; the categories of third parties with whom information is shared; and, for each category of personal information sold or shared, the categories of third parties to whom it was sold or shared.
The CPRA added requirements to disclose retention periods for each category and to describe the right to correct inaccurate information. Your privacy policy must be updated at least once every 12 months.
3. Implement Consumer Rights
California consumers have several rights under the CCPA/CPRA:
- Right to Know: Consumers can request the specific pieces of personal information you have collected about them, as well as the categories, sources, purposes, and third-party sharing.
- Right to Delete: Consumers can request that you delete their personal information, with certain exceptions (completing transactions, security, legal compliance, certain internal uses).
- Right to Correct: Under the CPRA, consumers can request correction of inaccurate personal information.
- Right to Opt Out: Consumers can opt out of the sale or sharing of their personal information.
- Right to Limit Use of Sensitive Personal Information: Consumers can direct you to limit the use of sensitive categories like Social Security numbers, financial data, precise geolocation, and health information.
- Right to Non-Discrimination: You cannot charge different prices, provide different quality of service, or deny service to consumers who exercise their rights.
You must provide at least two methods for submitting requests (a toll-free number and a website address). You must verify the identity of the requester and respond within 45 days (extendable by another 45 days with notice).
4. Add the "Do Not Sell or Share" Link
If your business sells or shares personal information, you must provide a clear, conspicuous link on your homepage titled "Do Not Sell or Share My Personal Information." "Sharing" under the CPRA includes providing personal information to third parties for cross-context behavioral advertising, which covers most advertising cookies and tracking pixels. If you use Facebook Pixel, Google Ads remarketing, or similar tools, you are likely "sharing" personal information and need this link.
5. Handle Service Provider Agreements
When you share personal information with service providers (hosting companies, email platforms, analytics tools, payment processors), you need written agreements that restrict how they can use the data. These agreements must specify that the service provider only processes data according to your instructions, does not sell or share the data, implements appropriate security measures, notifies you of any data breaches, and cooperates with consumer rights requests.
6. Implement Data Security
While the CCPA does not prescribe specific security measures, it gives consumers a private right of action for data breaches resulting from a business's failure to implement "reasonable security procedures." California courts look to industry standards when evaluating what is "reasonable." At minimum, consider encryption of personal information, access controls, regular security assessments, employee training on data handling, and incident response procedures.
7. Train Your Team
All employees who handle consumer inquiries about privacy must be trained on CCPA requirements. This includes customer service staff, marketing teams that handle data, developers who build data collection features, and management responsible for compliance decisions.
Penalties for Non-Compliance
The California Privacy Protection Agency (CPPA) and the California Attorney General can impose fines of $2,500 per unintentional violation and $7,500 per intentional violation. "Per violation" can mean per affected consumer per instance, which adds up fast. For startups handling significant user data, non-compliance is a real financial risk.
Additionally, if a data breach occurs due to your failure to maintain reasonable security, affected consumers can sue for statutory damages between $100 and $750 per consumer per incident, or actual damages, whichever is greater. A breach affecting 100,000 consumers could result in damages between $10 million and $75 million.
CCPA vs. Other State Privacy Laws
California was first, but other states have followed. Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), and others have enacted similar privacy laws. While details differ, the core principles are converging: transparency about data practices, consumer rights over personal data, and accountability for data protection. If you comply with the CCPA, you are well-positioned to meet the requirements of most other state privacy laws.
This article is for informational purposes only and does not constitute legal advice.