
California Privacy Rights Act (CPRA) Compliance Checklist

The CPRA (California Privacy Rights Act) takes effect on January 1, 2023, enhancing the existing privacy rights that California residents have under the CCPA (California Consumer Privacy Act), and giving consumers protection over how their personal information is used.

The CPRA applies to legal entities that do business in California and collect Californian consumers’ personal information (irrespective of where those entities are based), and that fulfill certain criteria. It gives rights to consumers, who now have a say in how their data is used and with which third parties it can be shared.

Learn more about the CPRA’s requirements and how they could affect your organization

Free PDF: CPRA Compliance Checklist

To help organizations comply with the CPRA, we’ve created this simple compliance checklist to help you determine whether the CPRA applies to your organization and, if it does, provide an overview of what you need to do to comply with the law. Download your free copy of the CPRA compliance checklist today.


Before you get started: does the CPRA apply to your business?

The CPRA applies to any for-profit organization that does business in California and collects or determines the purposes and means of processing consumers’ personal information. In addition, it only applies to businesses that:

  • Have an annual gross revenue in excess of $25 million;
  • Annually buy, sell or share the personal information of 100,000 or more consumers or households; or
  • Derive 50% or more of their annual revenue from selling or sharing consumers’ personal information.

It is important to be aware that the CPRA applies not only to your organization but also to the organizations you do business with, and it places requirements on those relationships that you should familiarize yourself with.

Step 1: Obtain board-level support and establish accountability

Complying with the CPRA – and maintaining compliance – requires top-level support. It is essential that your organization’s board, executive directors, or senior management understand the law and its implications so that your compliance project receives the resources it needs in order to achieve long-term results.

What you should do:

  • Advise the board about privacy risks and the benefits of CPRA compliance. Download our free CPRA guide for further support.
  • Obtain management support for your CPRA compliance efforts. This will require securing the necessary resources and budget for your CPRA project.
  • Assign accountability (key roles and responsibilities) for CPRA compliance.

Further information:

The California Consumer Privacy Act (CCPA): An implementation guide

This book is the ideal resource for organizations that want to understand privacy regulations in California and how to comply with them. It provides the reader with a comprehensive understanding of the CPRA and explains how businesses can implement strategies to comply. The guide covers the territorial and material jurisdiction of the CPRA, key definitions, roles, rights of the consumer, obligations of the business, security requirements, penalties, breach notifications, related laws, and future developments. It also includes the full text of the Act.


Step 2: Identify your CPRA compliance gaps by conducting a detailed gap analysis

A CPRA gap analysis will help you understand how your current practices meet the CPRA's requirements, as well as where they fall short. You can then prioritize the areas that must be addressed to comply with the law. Your gap analysis should cover governance, risk management, CPRA project management, information security responsibility, roles and responsibilities, scope of compliance, process analysis, the PIMS (personal information management system), the ISMS (information security management system), and the rights of consumers.

What you should do:

  • Review the CPRA to understand its requirements.
  • Audit your privacy and security programs against the CPRA's requirements.
  • Determine which compliance gaps require remediation.

Further information:

California Privacy Rights Act (CPRA) Gap Analysis

This service assesses your organization’s current level of compliance with the CPRA and helps identify and prioritize the key work areas that your organization must address to be compliant.


Step 3: Create a personal information inventory and map data flows

The CPRA grants California consumers the right to know what personal information is being collected, processed, and sold, as well as the source of that information. Identifying data collection points and documenting these in data maps enables timely, complete, and compliant responses to data access requests.

There are 11 categories of consumer information, ranging from name, address, and email address, to biometric information, geolocation data, audio-visual information, and employment information, to inferences that can be drawn from any information to create a profile about a consumer that reflects their preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes. There is also an additional category of “sensitive personal information,” which can include a consumer's precise geolocation, racial or ethnic origin, religious or philosophical beliefs, the contents of mail, email and text messages, genetic data, and health data.

Data maps can facilitate more robust and accurate privacy notices, resulting in a higher degree of compliance. This is because they can reveal downstream processing activities that may not be obvious to data collectors, but of which data subjects must be informed at the time of collection.

What you should do:

  • Assess the categories of personal information your organization holds, where the personal information comes from, and the business or commercial purpose for processing it.
  • Document how personal information flows to, through, and from your organization.

Further support:

Data Flow Mapping Tool

The Data Flow Mapping Tool simplifies the process of creating data flow maps, giving you a thorough understanding of what personal data your organization processes and why, where it is held, and how it is transferred. The tool is a Cloud-based application, licensed for up to five users and accessible via any compatible browser.


Step 4: Develop operational policies, procedures, and processes

Once you have identified your compliance gaps and mapped your personal data flows, you should bring the way you process personal information in line with the CPRA’s requirements. This will include reviewing your existing policies, procedures, and contracts, and implementing new ones as necessary. You will also need to update your website to ensure the appropriate messages are visible to consumers.

What you should do:

  • Implement a process to delete consumer data to comply with the CPRA’s right to be forgotten.
  • Ensure your personal information protection policies and privacy notices are in line with the CPRA. Provide required CPRA notices including opt-out and opt-in rights.
  • If you sell or share personal information, ensure your website contains a “Do Not Sell or Share My Personal Information” option that allows consumers to opt out of the sale or sharing of their personal information.
  • Ensure your privacy policy includes a link to the “Do Not Sell My Personal Information” page.
  • Provide a link titled "Limit the Use of My Sensitive Personal Information" which enables a consumer to limit the use or disclosure of their sensitive personal information to only those uses that are authorized.
  • Review employee, customer, and supplier contracts, and update them if necessary to cover personal information processing.
  • Plan how to recognize, verify, and respond to verifiable consumer requests to access or delete personal information. Ensure that you are in a position to respond to data subject access requests by consumers (free of charge) within 45 days, by phone or electronically. You will also need to provide consumer data upon request in a “readily useable format.” This process should be documented, and should include a toll-free number and website address.

Further support:

GDPR Toolkit

The EU’s GDPR (General Data Protection Regulation) and the CPRA share many requirements, and many processes designed for GDPR compliance are applicable to the CPRA. Our GDPR Toolkit contains more than 80 document templates – including policies, procedures, and checklists – designed to aid GDPR compliance, which you can adapt to streamline your CPRA compliance program.


Step 5: Implement processes and technical measures to secure personal information

Implementing appropriate measures to secure the personal information your organization processes is paramount to your compliance.

What you should do:

  • Have an information security policy in place.
  • Implement basic technical controls, such as those specified by established cybersecurity frameworks like the NIST CSF (Cybersecurity Framework), the 20 CIS Controls™, or the information security standard ISO/IEC 27001:2013.
  • Use encryption and/or deidentification where appropriate.
  • Create and maintain a robust incident response plan, and ensure policies and procedures are in place to detect, report, and investigate breaches of personal information.

Further information:

ISO 27001 implementation

Implementing an ISMS in accordance with global best practice as outlined by ISO 27001 and its control framework ISO 27002 can provide significant benefits in protecting your data and minimizing your risk of a data breach. We offer a wide range of solutions to help you, including free guides and books, training courses, documentation templates, software, and consultancy.


Step 6: Ensure employees are trained and competent

You need to ensure that your employees who are responsible for handling consumer inquiries regarding their privacy rights are informed of the CPRA requirements and know how to maintain good data hygiene.

What you should do:

  • Ensure internal communications with stakeholders and staff are effective.
  • Train your employees to understand the importance of personal information protection, basic CPRA principles, and the procedures you have implemented to ensure compliance.

How we can help:

California Consumer Privacy Act Foundation Training Course

Delivered by an experienced privacy consultant, this one-day, online training course will give you a clear understanding of the main elements of the CPRA. It is suitable for anyone involved in information management, data protection compliance, or data privacy compliance, or as part of implementation programs for organizations located or doing business in the state of California. Participants who pass the included exam are awarded the California Consumer Privacy Act Foundation (CPRA F) qualification by IBITGQ.


Step 7: Monitor and audit compliance

Complying with the CPRA is an ongoing process, not a one-off project. Periodic internal audits will ensure your activities remain up to date and that you will not fall out of compliance. An audit should review relevant policies to ensure that they are current, compliant, and accessible.

What you should do:

  • Schedule regular audits of personal information processing activities and security controls.
  • Keep records of personal information processing up to date.

Further support:

Compliance with the CPRA can be complex and unfamiliar to many organizations. Relying on the audit experience of trained privacy and cybersecurity professionals can minimize your organization’s risk of non-compliance and ensure that you are ready to respond to consumer requests promptly and in accordance with the law.

Contact us now to find out how we can help you improve your CPRA compliance.
