Scan your website for CCPA and CPRA compliance issues. Verify your Do Not Sell link, data categories disclosure, consumer rights portal, and more. Essential for businesses with California customers.
CCPA/CPRA compliance extends well beyond your website. These organizational steps are critical to reducing regulatory risk and building consumer trust.
CCPA § 1798.100 requires disclosure of all categories of personal information collected in the preceding 12 months. A comprehensive data inventory maps every data element — where it's collected, stored, shared, and deleted. Without it, you cannot accurately respond to consumer requests or disclose data practices.
Under CPRA, businesses must ensure that service providers and contractors comply with data handling requirements. Conduct regular vendor assessments covering data access, security controls, sub-processor relationships, and contractual obligations. A single non-compliant vendor can expose your entire data supply chain.
With the expiration of CPRA's B2B and employee exemptions on January 1, 2023, personal information collected from employees, contractors, and business contacts is now fully covered. This means HR systems, payroll providers, and recruitment platforms all need CCPA-compliant notices and data handling processes.
While not explicitly mandated by CCPA, Privacy Impact Assessments are best practice and increasingly expected by the California Privacy Protection Agency (CPPA). PIAs evaluate new products, features, or processing activities for privacy risks before launch, helping prevent violations before they occur.
California's data breach notification law (Civil Code § 1798.82) requires prompt notification to affected residents. A documented incident response plan with clear roles, forensic investigation procedures, notification templates, and regulatory communication protocols is essential to minimize liability and reputational damage.
CCPA requires that privacy policies be updated at least once every 12 months to reflect current data practices. Establish a formal annual review process that covers new data collection practices, vendor changes, regulatory updates, and consumer request metrics.
The California Consumer Privacy Act (CCPA) is a landmark state privacy law that took effect on January 1, 2020, giving California residents unprecedented control over their personal information. The California Privacy Rights Act (CPRA), effective January 1, 2023, significantly expanded CCPA — adding new rights, stricter requirements, and creating the California Privacy Protection Agency (CPPA) as a dedicated enforcement body.
CCPA/CPRA applies to for-profit businesses that collect California consumers' personal information and meet certain revenue or data volume thresholds. Penalties can reach $7,500 per intentional violation. With over 39 million residents and the world's 5th-largest economy, California's privacy laws effectively set the standard for US data protection.
CCPA applies to for-profit businesses that collect California consumers' personal information AND meet at least one of the following: have annual gross revenues over $25 million; buy, sell, or share the personal information of 100,000+ consumers; or derive 50%+ of annual revenues from selling personal information.
Under CCPA/CPRA, you must provide a clear 'Do Not Sell or Share My Personal Information' link on your homepage. This allows California consumers to opt out of the sale or sharing of their personal information.
Intentional violations: up to $7,500 per violation. Unintentional violations: up to $2,500 per violation. The California Attorney General can bring enforcement actions. Additionally, CPRA created the California Privacy Protection Agency (CPPA).
Under CPRA (effective Jan 1, 2023), the B2B and employee exemptions expired. CCPA/CPRA now applies to personal information collected from employees, contractors, and business contacts.
CPRA introduced several major changes: a new right to correct inaccurate personal information, a right to limit use of sensitive personal information, expanded opt-out rights covering cross-context behavioral advertising, mandatory data minimization requirements, and the creation of the CPPA as a new enforcement agency. B2B and employee data exemptions also expired.
While CCPA doesn't explicitly mandate a data inventory, it's practically impossible to comply without one. You need to know what personal information you collect, from whom, for what purposes, and with whom it's shared — all required disclosures under CCPA § 1798.100 and § 1798.110. A data inventory is the foundation of every compliant privacy program.