CCPA/CPRA Compliance Assessment

Evaluate compliance with California Consumer Privacy Act and California Privacy Rights Act requirements for businesses handling California resident data

Industries: Biotech, Healthcare, Research, Cannabis | 18 minutes | 21 questions

1. Applicability & Scope

Does your business meet CCPA applicability thresholds?*

$25M+ annual gross revenue, OR buys, sells or shares the PI of 100k+ consumers/households per year, OR 50%+ of annual revenue from selling or sharing PI

💡 If no (and the business is not controlled by, or co-branded with, a business that meets them), CCPA may not apply to your business

Have you identified all categories of personal information you collect?*

CCPA defines 11 categories including identifiers, commercial info, biometric, geolocation

Do you collect sensitive personal information (SPI) as defined by CPRA?*

SSN, financial accounts, precise geolocation, health data, genetic data, biometric data

2. Consumer Rights

Do you provide mechanisms for consumers to submit verified requests?*

At least two designated methods, including a toll-free number (an email address suffices for a business that operates exclusively online and has a direct relationship with the consumer) and, if you maintain a website, a method on that website

Can you respond to consumer requests within 45 days (with one 45-day extension if needed)?*

Confirm receipt within 10 business days; 45 calendar days to provide the information or deny the request, extendable once by a further 45 days with notice to the consumer

Do you support the right to know what personal information is collected and how it is used?*

Right to access: categories and specific pieces of PI

Can consumers request deletion of their personal information?*

Right to delete with statutory exceptions (legal obligations, fraud prevention)

Do you support the right to correct inaccurate personal information?*

CPRA addition: right to correction of inaccurate PI

Do consumers have the right to opt-out of sale/sharing and limit use of sensitive PI?*

Prominent "Do Not Sell or Share My Personal Information" link required; a "Limit the Use of My Sensitive Personal Information" link is also required where SPI is used beyond the purposes the regulations permit

3. Privacy Notice Requirements

Do you provide a privacy policy accessible from your homepage?*

Must disclose categories collected, purposes, 3rd party sharing, retention

Does your privacy notice explain consumer rights under CCPA/CPRA?*

Right to know, delete, correct, opt-out, non-discrimination

Do you provide notice at collection of personal information?*

At or before collection: categories and purposes

Is your privacy policy updated at least annually?*

Effective date and description of material changes required

4. Sale & Sharing of Personal Information

Have you determined if your business "sells" or "shares" personal information?*

"Sale" is broad: any disclosure for monetary or other valuable consideration, not just cash. "Sharing" (added by CPRA) covers disclosure for cross-context behavioral advertising whether or not anything is paid

Do you honor opt-out requests for at least 12 months before re-soliciting?*

Cannot ask the consumer to authorize sale or sharing again for at least 12 months after the opt-out

Do you treat Global Privacy Control (GPC) signals as valid opt-out requests?*

CPRA and its regulations require honoring opt-out preference signals such as GPC (sent as the Sec-GPC: 1 request header and exposed in the browser as navigator.globalPrivacyControl) as a valid opt-out of sale/sharing, with no account or verification required; a signal that conflicts with a prior site-level opt-in is still processed as an opt-out
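The following is an added example, not part of the original assessment, showing the server-side half of honoring GPC: the Sec-GPC header is treated as an opt-out, the opt-out is persisted for a known consumer so later requests without the header stay opted out, a conflict with a stored opt-in is flagged rather than ignored, and third-party tags that would constitute a sale or share are suppressed. Node.js with no dependencies; the request objects, the in-memory `store`, the `consumerId` field and the tag names are constructed for the example. Only the header name and the value `1` come from the GPC specification.

```javascript
// Added example (not the assessment's own code): honoring Global Privacy Control
// server-side. Header name/value (Sec-GPC: 1) are from the GPC spec; request
// shape, consumerId, the Map-backed store and tag names are assumptions.

// The spec defines "1" as the only meaningful value; anything else is no signal.
// Header lookup is case-insensitive because proxies and frameworks differ.
function hasGpcSignal(headers) {
  for (const [name, value] of Object.entries(headers || {})) {
    if (name.toLowerCase() === 'sec-gpc') {
      return String(value).trim() === '1';
    }
  }
  return false;
}

// Stored record shape (assumed): { optedOut: boolean, source: 'consent' | 'link' | 'gpc' | null }
// 'consent' means the consumer previously opted back in on this site.
const DEFAULT_RECORD = { optedOut: false, source: null };

// Resolve the effective opt-out state for one request. A GPC signal always wins
// over a stored opt-in (the regulations treat the conflict as a valid opt-out);
// the conflict is recorded so the business can later offer the consumer the
// choice to consent again, rather than silently dropping the signal.
function resolveOptOut(request, store) {
  const stored = (request.consumerId && store.get(request.consumerId)) || DEFAULT_RECORD;
  if (!hasGpcSignal(request.headers)) {
    return stored; // no signal: whatever the consumer chose earlier still applies
  }
  const record = {
    optedOut: true,
    source: 'gpc',
    conflictWithOptIn: stored.source === 'consent' && stored.optedOut === false,
  };
  if (request.consumerId) {
    store.set(request.consumerId, record); // persist for future requests without the header
  }
  return record;
}

// Gate anything that would be a sale or share (here: third-party ad and
// analytics tags that receive PI) on the resolved state.
function thirdPartyTags(request, store) {
  const { optedOut } = resolveOptOut(request, store);
  return optedOut ? [] : ['ads-pixel.example', 'analytics-share.example'];
}

// Stand-alone demo with constructed requests.
const demoStore = new Map();
demoStore.set('c1', { optedOut: false, source: 'consent' });
const signalled = { consumerId: 'c1', headers: { 'Sec-GPC': '1', 'User-Agent': 'demo' } };
console.log(resolveOptOut(signalled, demoStore)); // optedOut: true, conflictWithOptIn: true
console.log(thirdPartyTags({ consumerId: 'c1', headers: {} }, demoStore)); // [] (opt-out persisted)
```

Pair this with a client-side check of `navigator.globalPrivacyControl` before loading tags, since a page can fire third-party requests before the server's decision reaches it; the server-side record is what you rely on for the 12-month re-solicitation clock and for consumer requests.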

5. Service Providers & Contractors

Do you have written contracts with service providers and contractors?*

Contract must prohibit retention, use, or disclosure for purposes other than providing services

Do contracts bind service providers and contractors to the CCPA restrictions, with contractor certification?*

CPRA requires contractor contracts to include a certification that the contractor understands and will comply with the restrictions; service provider contracts must carry the same retention, use and disclosure restrictions, and both must allow the business to take reasonable steps to verify compliance and to stop and remediate unauthorized use

6. Security & Risk Management

Do you implement reasonable security procedures to protect personal information?*

Required under CCPA; enhanced for sensitive PI under CPRA

Do you conduct regular security risk assessments?*

CPRA directs the California Privacy Protection Agency to require annual independent cybersecurity audits and regular risk assessments for businesses whose processing presents significant risk to consumers' privacy or security

Do you train employees on CCPA/CPRA requirements?*

Training for personnel handling consumer requests
