CCPA Compliance Checklist for Small Business
The California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), is the most significant state privacy law in the United States. Many small business owners assume it does not apply to them because they are not a large corporation. That assumption is wrong more often than you would expect. If you collect personal information from California residents and meet any one of three revenue or data thresholds, you are subject to CCPA. This guide provides a practical 12-point compliance checklist designed specifically for small businesses, without the legal jargon that makes most compliance guides useless.
Does CCPA Apply to Your Business
CCPA applies to any for-profit entity that does business in California and meets any one of these three thresholds:
- Annual gross revenue exceeding $25 million in the preceding calendar year (the statutory figure; the CPPA adjusts it for inflation every other year, so check the agency's current adjusted figure rather than assuming $25 million still applies)
- Alone or in combination, annually buys, sells, or shares the personal information of 100,000 or more California consumers or households (raised from 50,000 under the original CCPA, which also counted devices)
- Derives 50% or more of annual revenue from selling or sharing consumers' personal information
The second threshold catches more small businesses than you might think, but read it carefully: it counts buying, selling, or sharing, not mere collection. First-party analytics that never leave your own systems do not count. Third-party advertising pixels and analytics tags that send visitor data to an ad platform for cross-context behavioral advertising are "sharing" under CPRA, so a website with 100,000 unique California visitors per year that runs such tags may well be sharing the personal information of 100,000 or more consumers. That is roughly 275 California visitors per day.
CCPA's definition of "personal information" is extremely broad. It includes IP addresses, browsing history, device identifiers, geolocation data, and inferences drawn from any of these. If you use Google Analytics, Facebook Pixel, or any advertising platform on your website, you are collecting personal information under CCPA.
What Counts as "Doing Business in California"
You do not need a physical presence in California. If you have a website accessible to California residents and you sell products or services to them, you are doing business in California. This includes e-commerce businesses located in other states that ship to California, SaaS companies with California customers, and service businesses that accept clients from California.
Key Consumer Rights Under CCPA
CCPA grants California consumers specific rights regarding their personal information. Your compliance program must enable the exercise of each right within mandated timeframes.
Right to Know
Consumers can request disclosure of the categories and specific pieces of personal information your business has collected about them, the sources of that information, the business purpose for collection, and the categories of third parties with whom you share it. You must respond within 45 calendar days.
Right to Delete
Consumers can request deletion of personal information you have collected from them. You must comply and direct your service providers to delete as well, with limited exceptions (completing transactions, security, legal obligations, internal analytics on expected use, free speech).
Right to Opt Out of Sale/Sharing
Consumers can opt out of the sale or sharing of their personal information. Under CPRA, "sharing" includes cross-context behavioral advertising. If you use third-party advertising cookies, you are "sharing" personal information and must provide an opt-out mechanism.
Right to Correct
Added by CPRA, consumers can request correction of inaccurate personal information. You must use commercially reasonable efforts to correct the information upon verified request.
Right to Limit Use of Sensitive Personal Information
Also added by CPRA, consumers can limit your use of sensitive personal information (SSN, financial account numbers, precise geolocation, race, health data, and others) to what is necessary for providing the service they requested.
Right to Non-Discrimination
You cannot discriminate against consumers who exercise their CCPA rights by denying services, charging different prices, or providing a different quality of service.
12-Point CCPA Compliance Checklist
Work through each of these items systematically. The first six are foundational — you cannot meaningfully comply without them. Items 7 through 12 address operational compliance and ongoing maintenance.
1. Determine Applicability
Before investing in compliance infrastructure, confirm whether CCPA applies to your business. Review your annual revenue, count California consumers whose data you process, and assess whether you sell or share personal information. Document your analysis even if you conclude CCPA does not currently apply — this demonstrates good faith if your business grows into applicability.
2. Conduct a Data Inventory
Map every category of personal information your business collects, where it is stored, how long it is retained, who has access, and which third parties receive it. This inventory is the foundation of every other compliance activity. Include data from:
- Your website (analytics, forms, cookies, pixels)
- Your CRM and customer database
- Email marketing platforms
- Payment processors
- Customer support systems
- HR systems (employee and job-applicant data has been fully covered since January 1, 2023, when the CPRA's temporary HR exemption expired)
- Any third-party SaaS tools that process customer data
3. Update Your Privacy Policy
CCPA requires specific disclosures in your privacy policy. It must include: categories of personal information collected in the past 12 months, the sources of that information, the business purposes for collection, categories of third parties with whom you share it, and a description of each consumer right. The policy must be updated at least annually. See detailed requirements in the Privacy Policy Requirements section below.
4. Implement "Do Not Sell or Share" Functionality
If you sell or share personal information (including through advertising cookies), add a "Do Not Sell or Share My Personal Information" link to your website. The CPPA regulations also permit a single "Your Privacy Choices" link, accompanied by the standard opt-out icon, that leads to both the opt-out and the limit-sensitive-data choices. The link must be conspicuous on your homepage. When a consumer exercises this right, you must cease selling or sharing their data as soon as feasible and no later than 15 business days, and notify the third parties who received the data in the preceding 90 days so they stop using it.
5. Set Up Consumer Request Intake
Provide at least two designated methods for consumers to submit requests. One of them must be a toll-free telephone number, unless you operate exclusively online and have a direct relationship with the consumer, in which case an email address alone satisfies the requirement; a web form on your site is the usual second method. The intake process must be able to route all five consumer rights (know, delete, correct, opt-out, limit sensitive data use), although opt-out and limit requests normally arrive through the website link or a browser signal rather than the form. Each request must be acknowledged within 10 business days and fulfilled within 45 calendar days.
6. Establish Identity Verification Procedures
Before fulfilling a "right to know," "right to delete," or "right to correct" request, you must verify the consumer's identity; opt-out and limit requests do not require verification. The verification level should be proportional to the sensitivity of the data and the risk of the request. For standard requests, match two data points the consumer provides against information you already have. For requests to disclose specific pieces of personal information, use three data points plus a signed declaration under penalty of perjury. Even on a fully verified request, never disclose the actual values of Social Security numbers, driver's license or other government ID numbers, financial account numbers, health insurance or medical IDs, passwords, security questions and answers, or biometric data; tell the consumer you hold that category instead.
7. Review Service Provider Contracts
Every third party that processes personal information on your behalf must have a CCPA-compliant contract. The contract must prohibit the service provider from selling or sharing the data, retaining it for any purpose other than performing the services specified, and combining it with data from other sources. Review all existing vendor contracts and add CCPA data processing addendums where missing.
8. Implement Data Retention Limits
CPRA requires businesses to disclose retention periods for each category of personal information and to not retain data longer than reasonably necessary for the disclosed purpose. Define retention periods for each data category in your inventory. Common standards:
- Customer transaction data: 7 years (aligns with tax and accounting requirements)
- Website analytics data: 26 months (Google Analytics default)
- Marketing contact data: Until opt-out, then delete within 30 days
- Customer support records: 3 years from last interaction
- Employee data: Duration of employment plus 4 years
9. Train Your Team
CCPA requires that all employees who handle consumer inquiries or have access to personal information receive training on CCPA requirements. Training should cover: how to recognize a consumer rights request (even informal ones like "delete my data" in a support email), how to route requests to the right person, response timeframes, and prohibited practices (discrimination, requiring unnecessary verification).
10. Conduct a Security Assessment
CCPA allows consumers to sue for statutory damages of $100 to $750 per consumer per incident if a data breach occurs as a result of the business's failure to implement reasonable security measures. The private right of action is narrower than the rest of the law: it covers only breaches of nonencrypted and nonredacted personal information as defined in Civil Code section 1798.81.5 (a name combined with a Social Security number, ID number, financial account number with its access code, medical or health insurance information, biometric data, or login credentials). Because the statute says "nonencrypted," encrypting that data at rest with keys the attacker did not also obtain keeps a breach outside statutory damages. This private right of action makes security the highest-risk area under CCPA. At minimum, implement:
- Encryption of personal information at rest and in transit
- Access controls limiting who can view personal information
- Multi-factor authentication for systems containing personal information
- Regular vulnerability scanning and patching
- Incident response plan tested at least annually
11. Set Up Cookie Consent Management
While CCPA does not require opt-in consent for cookies (unlike GDPR), you must give consumers a way to opt out of cookies and tags that "sell" or "share" personal information. A cookie banner is one common way to surface that choice, but the legally required mechanisms are the opt-out link and honoring the Global Privacy Control (GPC) browser signal, which browsers send as the HTTP request header Sec-GPC: 1 and expose to page scripts as navigator.globalPrivacyControl. A GPC signal must be treated as a valid opt-out request in its own right, without verification and without asking the consumer to confirm. The opt-out path may not require more steps than opting in.
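The following is an added example, not code from the original article or from SecureBin, showing how a site can honor the GPC signal alongside a stored opt-out preference. The cookie name ccpa_opt_out, the tag categories, the cookie values ('1' opted out, '0' explicitly consented), and the sample requests are all assumptions made for the example.

```javascript
// Added example (not from the original article): server-side handling of the
// Global Privacy Control opt-out signal plus a persisted "Do Not Sell or Share"
// preference. Assumed names: cookie `ccpa_opt_out` ('1' = opted out, '0' = the
// consumer explicitly consented), tag categories "essential", "advertising",
// "analytics". Runs offline under Node with constructed sample requests.

const GPC_HEADER = 'sec-gpc';          // request header defined by the GPC specification
const OPT_OUT_COOKIE = 'ccpa_opt_out'; // assumed cookie name for the persisted opt-out
const SHARING_TAGS = ['advertising', 'analytics']; // tags that share PI with third parties (assumption)

// Parse a raw Cookie header into a name -> value map.
function parseCookies(cookieHeader) {
  const out = {};
  for (const part of (cookieHeader || '').split(';')) {
    const idx = part.indexOf('=');
    if (idx < 0) continue;
    const name = part.slice(0, idx).trim();
    if (name) out[name] = decodeURIComponent(part.slice(idx + 1).trim());
  }
  return out;
}

// True when the browser sent "Sec-GPC: 1". Header names are case-insensitive;
// the spec defines only the value "1", so anything else is not a signal.
function gpcSignalled(headers) {
  for (const [name, value] of Object.entries(headers || {})) {
    if (name.toLowerCase() === GPC_HEADER) return String(value).trim() === '1';
  }
  return false;
}

// Decide for one request whether the visitor has opted out of sale/sharing,
// where that decision came from, whether it conflicts with an earlier explicit
// consent (so the business can notify the consumer), and what to persist.
function resolveOptOut(req) {
  const headers = (req && req.headers) || {};
  const stored = parseCookies(headers.cookie)[OPT_OUT_COOKIE]; // '1', '0' or undefined
  if (gpcSignalled(headers)) {
    // A GPC signal is a valid opt-out on its own: no verification, no banner click.
    // Persist it so the choice survives if the signal is later absent.
    return {
      optedOut: true,
      source: 'gpc',
      conflict: stored === '0',
      setCookie: stored === '1'
        ? null
        : `${OPT_OUT_COOKIE}=1; Path=/; Max-Age=31536000; SameSite=Lax; Secure`,
    };
  }
  const optedOut = stored === '1';
  return { optedOut, source: optedOut ? 'cookie' : 'none', conflict: false, setCookie: null };
}

// Tag categories that may be loaded for this visitor: essential tags always,
// sharing tags only when the visitor has not opted out.
function allowedTags(decision) {
  return decision.optedOut ? ['essential'] : ['essential', ...SHARING_TAGS];
}

// Body for /.well-known/gpc.json, the resource the GPC spec uses to announce
// that a site honors the signal. `lastUpdate` is an ISO-8601 date string.
function wellKnownGpc(lastUpdate) {
  return { gpc: true, lastUpdate };
}

// Same check from page scripts that load tags client-side. Takes a
// navigator-like object so it can run outside a browser.
function gpcSignalledInBrowser(nav) {
  return Boolean(nav && nav.globalPrivacyControl === true);
}

// Constructed sample requests (not real traffic).
const samples = {
  gpcOnly: { headers: { 'Sec-GPC': '1', cookie: '' } },
  cookieOnly: { headers: { cookie: 'session=abc; ccpa_opt_out=1' } },
  neither: { headers: { cookie: 'session=abc' } },
  gpcAndCookie: { headers: { 'sec-gpc': '1', cookie: 'ccpa_opt_out=1' } },
  gpcAfterConsent: { headers: { 'Sec-GPC': '1', cookie: 'ccpa_opt_out=0' } },
  bogusGpc: { headers: { 'Sec-GPC': '0' } },
};

for (const [name, req] of Object.entries(samples)) {
  const d = resolveOptOut(req);
  console.log(name, '->', d.source, d.conflict ? '(conflict)' : '', 'tags:', allowedTags(d).join(','));
}
```

The important behaviours are that the header alone flips the decision, that the server writes the preference down so it does not depend on the browser keeping the signal on, and that an earlier explicit opt-in does not override the signal; it is only flagged so the business can tell the consumer about the conflict. The tag-loading decision is made from the resolved preference, not from whether a banner was clicked.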
12. Document Everything
Maintain records of all consumer requests received, your response and timeline, the identity verification steps performed, and the outcome. CCPA requires you to maintain these records for at least 24 months. Also document your compliance program itself: your data inventory, privacy impact assessments, training records, vendor reviews, and policy update history. This documentation is your primary defense if the California Privacy Protection Agency (CPPA) investigates a complaint.
Data Mapping and Inventory
The data inventory is worth discussing in detail because it is the single most time-consuming compliance task and the one most businesses skip or do poorly. A compliant data inventory must answer these questions for each data category:
- What: What categories of personal information do you collect? (Names, emails, IP addresses, purchase history, device IDs, etc.)
- Why: What is the business purpose for collecting each category?
- Where: In which systems is this data stored? (Database, CRM, analytics platform, email system)
- Who: Which employees and third parties have access?
- How long: What is the retention period?
- To whom: Which third parties receive this data, and under what contractual terms?
Start with your customer-facing systems and work inward. Map your website forms first, then your CRM, then your marketing stack, then internal systems. Do not try to boil the ocean — get an 80% complete inventory first and refine it over time.
Privacy Policy Requirements
CCPA mandates specific disclosures that go beyond a typical generic privacy policy. Your policy must include:
- A list of the categories of personal information collected in the preceding 12 months
- For each category, the source and the business purpose for collection
- The categories of third parties with whom you share personal information
- Whether you sell or share personal information, and if so, which categories
- A description of each consumer right and how to exercise it
- Contact information for submitting requests (toll-free number and web-based method)
- The date the policy was last updated
- Retention periods for each category of personal information (added by CPRA)
The policy must be accessible via a clear "Privacy Policy" link on your homepage. It must be available in the languages you provide your services in. For a comprehensive example, see SecureBin's privacy policy. For guidance on overlapping requirements with European law, see our GDPR data sharing compliance guide.
Handling Consumer Data Requests
When a consumer submits a request, your response process should follow this workflow:
- Acknowledge the request within 10 business days, confirming receipt and explaining the verification process
- Verify identity using the appropriate level of verification based on the request type
- Locate the data across all systems identified in your data inventory
- Fulfill the request within 45 calendar days (you can extend by an additional 45 days if necessary, with notice to the consumer)
- Respond in writing with the results, using a format the consumer can easily understand
- Document the entire process, including the request, verification steps, actions taken, and response
For deletion requests, remember to notify your service providers and direct them to delete as well. For opt-out requests, implement the change within 15 business days and notify any third parties who received the data in the past 90 days.
CCPA Penalties and Enforcement
CCPA enforcement is handled by two entities: the California Attorney General (AG) and the California Privacy Protection Agency (CPPA), which became fully operational in 2024.
Administrative Fines
The CPPA can impose administrative fines of up to $2,500 per unintentional violation and $7,500 per intentional violation. These fines are assessed per violation, per consumer. A single data practice affecting 10,000 consumers could theoretically result in $25 million to $75 million in fines. In practice, the CPPA has focused enforcement on companies that demonstrate willful disregard for consumer rights rather than those making good-faith compliance efforts.
Private Right of Action
Consumers can sue directly for data breaches resulting from a business's failure to implement reasonable security measures. Statutory damages range from $100 to $750 per consumer per incident, or actual damages, whichever is greater. Class action lawsuits under this provision have resulted in multi-million-dollar settlements. This is why item 10 (security assessment) in the checklist is critical — it is your primary defense against the most financially devastating CCPA enforcement mechanism.
Recent Enforcement Actions
The CPPA has been increasingly active since 2024. Notable enforcement patterns include targeting companies that:
- Failed to honor opt-out requests or Global Privacy Control signals
- Made it unreasonably difficult for consumers to submit data requests
- Collected data from minors without appropriate consent
- Failed to provide adequate notice about data collection at the point of collection
- Did not maintain CCPA-compliant service provider contracts
Frequently Asked Questions
Does CCPA apply to small businesses?
CCPA applies to any for-profit business that does business in California and meets any one of three thresholds: $25 million+ in annual gross revenue, buying/selling/sharing personal information of 100,000+ California consumers, or deriving 50%+ of revenue from selling/sharing personal information. There is no exemption for small businesses based on employee count or business size. The 100,000-consumer threshold is the one that most commonly brings small businesses into scope, particularly if they operate a website with meaningful California traffic and use advertising or analytics cookies.
What is the fine for CCPA non-compliance?
Administrative fines are up to $2,500 per unintentional violation and $7,500 per intentional violation, assessed per consumer per incident. Additionally, consumers have a private right of action for data breaches, with statutory damages of $100 to $750 per consumer per incident. Because fines are calculated per consumer, a systematic violation affecting thousands of consumers can result in penalties in the millions. The California Privacy Protection Agency initially focused on education and warnings, but has shifted to active enforcement with increasing penalty amounts since 2025.
How is CCPA different from GDPR?
While both laws protect consumer privacy, they differ in several important ways. Consent model: GDPR requires a lawful basis, usually opt-in consent, before processing personal data; CCPA operates primarily on an opt-out model (you can collect data and consumers can opt out of its sale/sharing). Scope: GDPR applies to any organization processing EU residents' data regardless of size; CCPA has revenue and data volume thresholds. Definition of personal data: Both are broad, but CCPA explicitly includes household and device-level data. Right to delete: Both include this right, but CCPA has more explicit exceptions. Penalties: GDPR fines can reach 4% of global annual revenue; CCPA fines are calculated per violation. Private right of action: CCPA allows consumers to sue for breaches; GDPR does not have a direct equivalent (though data subjects can seek compensation). If your business serves both California and EU consumers, you will need to comply with both frameworks. GDPR's stricter consent requirements cover most of CCPA's opt-out model, but they do not replace the CCPA-specific mechanics: the "Do Not Sell or Share" link, honoring the Global Privacy Control signal, the right to limit use of sensitive personal information, and the CCPA-format privacy policy disclosures still have to be in place.
Related Articles
Continue reading: GDPR Data Sharing Compliance, SOC 2 Secret Management Requirements, Enterprise Password Sharing Solutions.
Usman has 10+ years of experience securing enterprise infrastructure, managing high-traffic servers, and building zero-knowledge security tools. Read more about the author.