The California Privacy Protection Agency (CPPA) has the authority to hold businesses accountable for data privacy gaps, and it’s using that authority. The CPPA has moved beyond advisory guidance and now actively conducts investigations, with the authority to issue administrative fines when violations are substantiated.
That means if your company collects personal information from California residents, you must be operationally ready when regulators come knocking, with documented processes, technical controls, and audit-ready systems that actually work.
This checklist gives IT directors, security leaders, legal teams, and operations managers a practical roadmap for CPRA compliance. We’ll walk through who must comply, what changed from CCPA, and how to build a compliance program that holds up under scrutiny.
Whether you operate in financial services, healthcare, law, or life sciences, you’ll get step-by-step guidance that moves beyond legal theory to address the real technical and operational work your team needs to complete.
What Is CPRA Compliance and Who Must Comply?
CPRA compliance means meeting California’s expanded data privacy requirements for how businesses collect, use, share, and protect personal information belonging to California residents. As of January 1, 2025, your business must comply if you meet one or more of these thresholds:
- Annual gross revenues exceeding $26.625 million
- Buy, sell, or share personal information of 100,000 or more California consumers or households annually
- Derive 50% or more of annual revenue from selling or sharing consumers’ personal information
CPRA covers both consumer and employee data. If your business collects information about California residents, including customers, job applicants, contractors, or employees, you likely need to comply with at least some CPRA requirements. Employee data is subject to certain exemptions, but businesses must still comply with many protections and disclosure requirements.
The CPPA enforces CPRA and has independent rulemaking authority. Unlike CCPA, which relied primarily on the California Attorney General, CPRA created a dedicated agency with resources and expertise focused solely on privacy enforcement. They mean business.
CPRA vs. CCPA: What Changed and Why It Matters
CPRA significantly expanded California’s privacy framework. That means if your organization built a CCPA program years ago and hasn’t revisited it, you’re likely non-compliant today. Here’s what’s changed:
New sensitive personal information category:
CPRA introduced a distinct category called sensitive personal information (SPI), granting consumers expanded rights to limit its use and disclosure. These rights require new disclosure language, request workflows, and system-level controls that did not exist under CCPA.
Data minimization and retention requirements:
Businesses must now limit collection to what’s “reasonably necessary and proportionate” to achieve disclosed purposes. You can’t collect data “just in case” or stockpile information without documented business justification. CPRA also requires that privacy notices disclose retention periods and the criteria used to determine them.
Expanded consumer rights:
CPRA added the right to correction, allowing consumers to request corrections to inaccurate personal information, and strengthened the right to limit the use and disclosure of SPI. These changes require businesses to support new request workflows, verification steps, and downstream data updates across systems.
Creation of the CPPA and stronger enforcement:
The California Privacy Protection Agency provides dedicated resources, expertise, and a focused enforcement approach to privacy violations. The agency can initiate investigations, conduct audits, issue fines, and pursue ongoing non-compliance more aggressively than was possible under the CCPA’s enforcement model.
Programs built solely around the CCPA miss critical technical controls, documentation requirements, and consumer rights that the CPRA now mandates. To stay compliant, you must update your organization’s policies, workflows, technical safeguards, and vendor agreements to reflect these expanded obligations.
CPRA Compliance Checklist (Step-by-Step Action Plan)
Building CPRA compliance requires coordinated effort across legal, IT, security, and operations teams. The following CPRA compliance checklist outlines implementation steps to help you move from assessment to operational compliance. Each step builds on previous work, so resist the temptation to skip ahead or implement steps out of order.
STEP 1: Confirm CPRA applicability and data scope
Owner: Legal/compliance
Start by validating whether your business meets CPRA thresholds; you need to know if you’re subject to the law before investing in compliance infrastructure. Beyond the threshold analysis, you must identify all data subjects with whom your business interacts and clearly articulate why you collect specific data types.
CPRA requires businesses to limit collection to what’s necessary for disclosed purposes, so documenting your business purposes now provides the foundation for data minimization and retention work later.
- Calculate annual gross revenues
- Estimate the number of CA consumers/households processed annually
- Determine the percentage of revenue from selling/sharing personal information
- Identify all data subjects (customers, visitors, employees, contractors)
- Confirm which subjects are CA residents
- Define and document business purposes for data collection
STEP 2: Map personal and sensitive data flows
Owner: IT/security
Inventory data across all systems, applications, endpoints, cloud services, and third-party vendors. Document what personal information you collect, where you store it, who can access it, how you use it, and where you share or disclose it. Pay special attention to identifying which data elements qualify as SPI under the CPRA.
This category includes government identifiers, financial information, precise geolocation, health data, biometric data, and information about race, religion, or sexual orientation.
- Inventory data across systems, applications, endpoints, vendors, and cloud services
- Document what personal information you collect
- Map where data is stored and who has access
- Identify how you use data and where you share it
- Flag which elements qualify as SPI
- Document sharing arrangements with third parties
- Identify over-collection, duplicates, and unnecessary access
Note: Data mapping often reveals compliance and security gaps, including unnecessary data collection, duplicate records, or overly broad access permissions. Address these issues as you discover them, as they represent compliance gaps and security vulnerabilities.
STEP 3: Apply data minimization and retention controls
Owner: IT/legal
CPRA requires businesses to collect only what’s “reasonably necessary and proportionate” to achieve disclosed purposes. Review your data inventory against documented business purposes and stop collecting personal information that does not serve a necessary, disclosed purpose.
You cannot collect data “just in case” or stockpile information without a documented business justification. Additionally, define retention periods for each category of personal information based on business necessity, legal requirements, and regulatory obligations.
- Review inventory against documented business purposes
- Eliminate the collection of unnecessary personal information
- Configure systems to collect only required data
- Define retention periods for each data category
- Document criteria for retention decisions
- Implement automated deletion workflows
- Create archival processes
- Schedule regular audits for expired data
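As an added example (not part of the original checklist), the following Python sketch shows how a documented retention schedule can drive the automated audit in the last three items: each category carries its period and the criterion behind it, expired records get the scheduled action, and records with no documented rule are flagged for review. The categories, periods and sample rows are constructed placeholders, not legal guidance.

```python
"""Retention-schedule audit for a personal-information inventory (Step 3).
Added example, not from the original checklist: categories, periods and sample
rows are constructed placeholders; real periods come from your documented criteria.
"""
from dataclasses import dataclass
from datetime import date, timedelta

@dataclass(frozen=True)
class RetentionRule:
    """One row of the documented retention schedule."""
    category: str
    retain_days: int   # how long the category may be kept after collection
    criterion: str     # documented justification, also disclosed in the privacy notice
    action: str        # "delete" or "archive" once the period expires

@dataclass(frozen=True)
class Record:
    record_id: str
    category: str
    collected_on: date

# Constructed schedule; the periods are illustrative, not legal guidance.
SCHEDULE = {r.category: r for r in (
    RetentionRule("marketing_contact", 365, "one year after last consented campaign", "delete"),
    RetentionRule("support_ticket", 730, "service history kept for two years of support", "delete"),
    RetentionRule("payroll", 7 * 365, "statutory record-keeping period", "archive"),
)}

def evaluate_retention(records, schedule, today):
    """Return one audit finding per record that is expired or has no documented rule.
    Each finding carries the criterion and required action (the evidence trail a
    regulator asks for). A category missing from the schedule is flagged for review:
    data with no documented purpose should not be held at all.
    """
    findings = []
    for rec in records:
        rule = schedule.get(rec.category)
        if rule is None:
            findings.append({"record_id": rec.record_id, "status": "undocumented_category",
                             "action": "review", "criterion": None})
            continue
        expires_on = rec.collected_on + timedelta(days=rule.retain_days)
        if today >= expires_on:
            findings.append({"record_id": rec.record_id, "status": "expired",
                             "action": rule.action, "criterion": rule.criterion,
                             "expired_on": expires_on.isoformat()})
    return findings

# Constructed sample inventory rows.
SAMPLE_RECORDS = [
    Record("c-1001", "marketing_contact", date(2023, 1, 15)),
    Record("c-1002", "marketing_contact", date(2024, 9, 1)),
    Record("t-2001", "support_ticket", date(2022, 6, 30)),
    Record("p-3001", "payroll", date(2019, 3, 1)),
    Record("x-9001", "analytics_export", date(2024, 1, 1)),   # no schedule entry
]

def run_sample(today_iso="2025-01-01"):
    """Run the scheduled audit over the sample rows as of the given date."""
    return evaluate_retention(SAMPLE_RECORDS, SCHEDULE, date.fromisoformat(today_iso))

if __name__ == "__main__":
    for finding in run_sample():
        print(finding)
```

Running the audit on a schedule and storing its findings gives you both the deletion trigger and the record that the retention criteria were actually applied.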
STEP 4: Update privacy notices and consumer disclosures
Owner: Legal/marketing
Update your privacy policy to reflect all CPRA requirements. Create specific disclosures for SPI. Consumers must receive notice at or before SPI collection, and you must provide clear mechanisms to limit the use and disclosure of SPI.
Pay attention to timing and placement. CPRA requires certain notices at or before collection, meaning consumers must receive information before you collect their data, rather than later in buried policies.
- Update privacy policy with all CPRA requirements
- Include categories of personal information collected
- List sources of information and business purposes
- Identify third parties who receive data
- Add retention periods or criteria
- Describe consumer rights
- Create SPI-specific disclosures
- Implement “Do Not Sell or Share” links on the homepage
- Add opt-out mechanisms that don’t require account creation
- Ensure notices appear at or before collection
STEP 5: Build and document consumer request workflows
Owner: Operations/legal
Create processes for receiving, verifying, and responding to consumer requests. Build separate handling procedures for different request types. Access, deletion, correction, and limitation each involve different technical steps and downstream impacts.
Document every request: when received, how you verified the consumer’s identity, what actions you took, when you responded, and whether you notified third parties. Track these notifications and maintain records of third-party compliance.
- Create an intake process for consumer requests
- Establish identity verification procedures
- Build separate workflows for access requests
- Build separate workflows for deletion requests
- Build separate workflows for correction requests
- Build separate workflows for limitation requests
- Define response timelines
- Assign clear ownership for request handling
- Create third-party notification procedures
- Implement a request tracking system
- Document every request detail
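As an added example (not part of the original checklist), this Python sketch models a request record holding every field the step says to document, gates any action on prior identity verification, and audits each request for timeliness and third-party notification. The 45-day response window is a configurable parameter assumed here, not a figure from this page; the three requests are constructed.

```python
"""Consumer-request log with workflow enforcement (Step 5).
Added example, not from the original checklist. The 45-day response window is a
configurable assumption, not a figure from the page; all requests are constructed.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional

NEEDS_THIRD_PARTY_NOTICE = {"deletion", "correction", "limitation"}  # push downstream

@dataclass
class ConsumerRequest:
    """One request record: every field the checklist says must be documented."""
    request_id: str
    request_type: str                            # access, deletion, correction, limitation
    received_on: date
    owner: str                                   # team accountable for handling
    verification_method: Optional[str] = None
    verified_on: Optional[date] = None
    actions: list = field(default_factory=list)  # what was done, where, when
    responded_on: Optional[date] = None
    third_parties_notified: list = field(default_factory=list)

    def verify(self, method, on):
        self.verification_method, self.verified_on = method, on

    def record_action(self, system, what, on):
        # Workflow gate: nothing is disclosed, deleted or changed before verification.
        if self.verified_on is None:
            raise RuntimeError("identity must be verified before acting on a request")
        self.actions.append({"system": system, "action": what, "on": on.isoformat()})

    def respond(self, on, notified=()):
        if not self.actions:
            raise RuntimeError("cannot respond before recording what was done")
        self.responded_on, self.third_parties_notified = on, list(notified)

def audit_request(req, today, response_window_days=45):
    """Findings for one request: timeliness against the documented window, and
    third-party notification where the request type requires it."""
    issues = []
    due = req.received_on + timedelta(days=response_window_days)
    if req.responded_on is None:
        if today > due:
            issues.append("overdue")
    elif req.responded_on > due:
        issues.append("late_response")
    if (req.request_type in NEEDS_THIRD_PARTY_NOTICE and req.responded_on
            and not req.third_parties_notified):
        issues.append("third_parties_not_notified")
    return issues

def sample_audit(today_iso="2025-03-01"):
    """Constructed log of three requests, audited as of the given date."""
    a = ConsumerRequest("REQ-1", "deletion", date(2025, 1, 6), "privacy-ops")
    a.verify("matched two account data points", date(2025, 1, 8))
    a.record_action("crm", "deleted profile", date(2025, 1, 10))
    a.respond(date(2025, 1, 14), notified=["email-vendor"])
    b = ConsumerRequest("REQ-2", "correction", date(2025, 1, 2), "privacy-ops")
    b.verify("signed declaration", date(2025, 1, 5))
    b.record_action("billing", "updated mailing address", date(2025, 2, 20))
    b.respond(date(2025, 2, 20))                        # late, and vendors not told
    c = ConsumerRequest("REQ-3", "access", date(2025, 1, 10), "privacy-ops")  # open
    return {r.request_id: audit_request(r, date.fromisoformat(today_iso)) for r in (a, b, c)}
```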
STEP 6: Review and update vendor contracts
Owner: Legal/procurement
CPRA imposes contract requirements when you share personal information with vendors. Contracts must restrict vendors from retaining, using, or disclosing personal information except as necessary to perform services. They must also prohibit combining data with information from other sources and require compliance with CPRA obligations.
Understand the distinction between contractors and service providers under CPRA. Service providers perform services on your behalf under contract, while contractors use personal information for their own business purposes.
- Review all vendor and service provider agreements
- Identify contracts lacking required CPRA clauses
- Prioritize vendors receiving SPI or high volumes of data
- Update contracts to restrict unauthorized use
- Add prohibitions on combining data from other sources
- Require vendor CPRA compliance
- Clarify contractor vs. service provider relationships
- Request evidence of vendor compliance programs
- Verify vendor security controls
- Document subprocessor management practices
Note: Don’t assume vendors are CPRA-compliant just because they claim to be. Request evidence of their compliance programs, security controls, and subprocessor management practices. Your compliance depends on their compliance.
STEP 7: Implement security safeguards and controls
Owner: IT/security
Implement administrative, technical, and physical safeguards to prevent unauthorized access, misuse, and disclosure of personal information. These controls are especially critical in scenarios involving credential compromise, insider misuse, or third-party access failures.
Ensure technical controls include encryption for data at rest and in transit. Implement identity and access management (IAM) controls to restrict access to and modification of personal information. Use data loss prevention (DLP) tools to prevent unauthorized exfiltration. Include threat and vulnerability management (TVM). Maintain logging and monitoring to detect suspicious activity.
Align your security program with established frameworks; they provide structured approaches to implementing and maturing security controls, and give you a defensible position if regulators question your security measures.
- Implement encryption for data at rest
- Implement encryption for data in transit
- Configure access controls for personal information
- Deploy IAM, DLP, and TVM tools
- Enable logging and monitoring for suspicious activity
- Align the security program with the NIST CSF or CIS Controls
- Automate encryption processes
- Automate access reviews
- Automate vulnerability scanning
- Document administrative, technical, and physical safeguards
STEP 8: Train employees and assign ownership
Owner: HR/all teams
Develop role-based training programs. General staff must understand what personal information is, why protecting it is important, and what to do if they receive a consumer request or notice a potential data incident. Assign clear ownership for CPRA compliance.
Designate who maintains the data inventory, processes consumer requests, monitors regulatory updates, and coordinates with vendors.
- Develop general staff awareness training
- Create detailed training for request handlers
- Cover what personal information is
- Explain why protection matters
- Train on verification procedures
- Train on response timelines
- Train on documentation requirements
- Assign an owner for data inventory maintenance
- Assign an owner for consumer request processing
- Assign an owner for regulatory monitoring
- Assign an owner for vendor coordination
STEP 9: Prepare for audits and regulatory scrutiny
Owner: Compliance/all teams
Conduct internal assessments regularly to identify gaps before regulators do. Review your data inventory, test consumer request workflows, verify vendor compliance, and audit security controls. Document findings and track remediation. Gather the documentation regulators typically require (e.g., privacy policies, training records) and organize it so you can quickly produce it during an investigation.
Consider third-party assessments for higher-risk areas such as security controls or vendor management. External validation provides additional assurance and can help identify blind spots that internal teams may miss.
- Conduct internal compliance assessments
- Review data inventory completeness
- Test consumer request workflows
- Verify vendor compliance
- Audit security controls
- Document all findings and remediation
- Organize privacy policies for quick access
- Organize data flow diagrams
- Organize vendor contracts
- Organize request logs
- Organize training records
- Organize security policies
- Consider third-party assessments for high-risk areas
Note: CCPA enforcement actions frequently cite inadequate consumer request processes, non-compliant opt-out mechanisms, and incomplete privacy policies. Ensure your request submission methods work properly, opt-out processes are clear and functional, and privacy policies include all required disclosures about consumer rights and data handling practices.
Maintaining CPRA Compliance Over Time
CPRA compliance isn’t a one-time project you check off and forget about. Regulations keep changing, business practices evolve, and new vendors enter your ecosystem.
Establish a governance model with regular review cycles. Quarterly reviews should assess new data-processing activities, vendor changes, consumer-request trends, and security incidents. During annual reviews, reevaluate your entire program against current regulatory guidance and enforcement priorities.
Additionally, monitor CPPA announcements, proposed regulations, and enforcement actions. The agency continues to issue guidance clarifying requirements and enforcement expectations. Staying current helps you proactively address issues rather than scrambling to react when problems arise.
Remember to update controls when data practices change. New products, services, marketing campaigns, or business partnerships often introduce new data collection or sharing. Evaluate these changes against CPRA requirements before implementation, not after you’ve already created non-compliance.
And finally, integrate CPRA into your broader cybersecurity compliance program. Don’t treat privacy as isolated from information security, vendor risk management, or other regulatory obligations. Shared documentation, unified controls, and coordinated governance create more efficient, effective programs.
CPRA Compliance Tools, Templates, and Operational Aids
The most successful compliance programs combine technology with documented processes, trained personnel, and executive commitment. Useful tools include:
- Consumer request management platforms that track requests, manage verification, enforce timelines, and generate documentation
- Data discovery and classification tools that automate inventory creation and identify sensitive information across environments
- Privacy management platforms that centralize policy management, consent tracking, and vendor assessments
- Security tools like DLP, encryption, and access management that enforce technical controls
When evaluating compliance technology, look for solutions that integrate with your existing systems, provide compliance and cybersecurity audit trails, support your specific data environment, and offer reasonable total cost of ownership. Avoid platforms that require extensive customization or create new data silos that complicate your infrastructure.
Managed IT consulting and managed cybersecurity services help organizations that lack internal resources or expertise to implement and maintain comprehensive compliance programs. Xantrion provides specialized cybersecurity and IT services tailored to CPRA and CCPA requirements, including security framework implementation and risk assessments.
For businesses in regulated industries such as finance, healthcare, law, and life sciences, working with compliance-focused service providers can help ensure your technical controls align with CPRA and industry-specific regulations.
Beware of “tool-only” compliance approaches. Software can’t define your business purposes, make retention decisions, train employees, or respond appropriately to complex consumer requests. Technology supports compliance, but it shouldn’t replace strategic thinking and operational execution.
Need help with CPRA compliance? Xantrion provides specialized cybersecurity and IT services to help businesses meet CPRA requirements. Contact our teams in San Francisco, San Jose, Los Angeles, Sacramento, or San Diego for more information.
CPRA Compliance Checklist Summary
It isn’t enough to have good privacy policies on paper; you must follow them and be able to prove you followed them. You have to implement controls, not just write policies about them. You must treat compliance as ongoing work, not a one-time project you complete and forget.
The businesses that successfully manage CPRA integrate privacy into operations, provide teams with the resources and authority they need, and continually improve their programs as regulations and business practices evolve.
Use this quick-reference CPRA compliance checklist to verify you’ve covered the essential compliance steps:
- Confirm CPRA applies to your business and define data scope
- Map personal and sensitive information across all systems and vendors
- Apply data minimization and document retention schedules
- Update privacy notices with required CPRA disclosures
- Build documented workflows for consumer requests (access, deletion, correction, limitation)
- Update vendor contracts with required CPRA clauses
- Implement security safeguards appropriate to data sensitivity
- Train employees and assign clear compliance ownership
- Prepare documentation and processes for audit readiness
- Establish ongoing governance and monitoring
Frequently Asked Questions About CPRA Compliance
What Are the Penalties for Non-Compliance With CPRA?
The CPPA can impose administrative fines up to $2,663 per violation or $7,988 per intentional violation. Consumers also have a private right of action for certain data breaches, with statutory damages ranging from $107 to $799 per consumer per incident. Beyond financial penalties, enforcement actions create reputational damage, customer loss, and increased regulatory scrutiny for future activities.
Does CPRA Apply to Employee Data?
Yes. The blanket employee exemption expired on January 1, 2023. Businesses must provide privacy notices, honor access and deletion requests, and enter into Data Processing Agreements with vendors that handle employee data.
Limited exceptions allow retaining data for legal compliance or legitimate business purposes. In practice, this means your organization should treat employee data with the same privacy controls and processes you use for customer data.
How Does CPRA Compare to GDPR?
Both laws establish privacy frameworks, but they differ in scope, requirements, and enforcement. GDPR applies to EU residents and requires a lawful basis before processing personal data. The CCPA applies to California residents and emphasizes transparency, consumer choice, and the right to opt out of the sale of personal data.
How Long Does CPRA Compliance Take?
The compliance timeline varies based on organization size, data complexity, existing controls, and resources. Small businesses with straightforward data practices may achieve basic compliance in three to six months.
Mid-sized organizations with multiple systems, vendors, and data types typically need six to 12 months. Large enterprises with complex data environments may require 12 to 18 months or longer for implementation.
But compliance never ends; it requires continuous monitoring, updates, and improvements as your business and regulations evolve. Budget for compliance as an operational expense, not a one-time capital investment.
Need help implementing CPRA compliance? Xantrion provides specialized cybersecurity and IT services designed to help businesses meet CPRA requirements through technical safeguard implementation and ongoing compliance support. We work with organizations across finance, healthcare, law, and life sciences to build audit-ready programs that protect data and meet California’s strict privacy obligations. Get in touch to discuss how we can help your organization navigate CPRA with confidence.
