These jurisdiction checklists are practical scoping aids for privacy, DPO, DSAR, transfer, incident, and vendor governance decisions. Confirm obligations against your facts before relying on any checklist as advice.

California

California Consumer Privacy Act (CCPA) Compliance Checklist

Key Provisions & Questions

1798.100 - General Duties of Businesses

Does your business inform consumers about data collection at or before the point of collection?

Must include: categories of personal information collected, purposes, whether data is sold or shared, and retention period or criteria.

If acting as a third party controller, how do you provide required information to consumers?

Must provide your own notice at collection or have a valid contract confirming the first party does.

Is your data collection reasonably necessary and proportionate to disclosed purposes?

Limit collection and use to what's necessary, proportionate, and consistent with disclosed purposes.

Do you have written agreements with third parties, service providers, or contractors?

Must have binding written contracts with clear CCPA terms, including purpose limits, confidentiality, and no further use clauses.

Do you implement reasonable security procedures to protect personal information?

Document and regularly review security protocols to ensure they stay effective and up to date.

1798.105 - Right to Delete

Do you disclose the consumer's right to request deletion?

Disclose the right to deletion in your privacy policy and at collection, along with instructions for submitting a request.

Upon receiving a deletion request, do you delete from your records and notify service providers and third parties?

Must delete the data, instruct service providers and contractors to delete, and notify third parties unless there's a valid exception.

Do service providers cooperate with deletion requests?

Ensure contracts require cooperation, deletion on request, and onward notification to their own service providers or third parties.

Do you maintain confidential records of deletion requests?

Keep confidential records of deletion requests to comply with legal obligations and prevent re-collection or re-sale.

Are deletion request exceptions applied appropriately?

Only apply exceptions where strictly justified under CCPA. Denials must be narrowly tailored and well-documented.

1798.106 - Right to Correct

Do you disclose the consumer's right to request correction?

Clearly disclose the right to request correction in your privacy notice and provide instructions for submitting requests.

Do you use commercially reasonable efforts to correct inaccurate data?

While verification is allowed, you must make commercially reasonable efforts to evaluate and correct inaccurate data when appropriate.

1798.110 - Right to Know/Access

What information do you disclose upon a verifiable request?

Provide both the categories and specific pieces of personal information collected, used, or shared, as required by the CCPA.

Does your privacy policy include California-specific rights?

Update your privacy policy to include categories of personal info collected, sources, purposes, sharing/sale details, rights, and how to exercise them.

1798.115 - Right to Know What is Sold/Shared

How do you respond to requests about data sales or disclosures?

Provide a meaningful response that includes the categories of personal info sold, shared, or disclosed, and the third parties involved.

What do you publicly disclose about data sale/sharing practices?

Update your privacy policy to clearly state whether personal info is sold or shared, and include categories of data and third parties involved.

1798.120 - Right to Opt Out

How do you provide the right to opt out of sale or sharing?

Ensure the mechanism is functional, user-friendly, and properly documents consumer choices.

What are the rules for consumers under 16 years of age?

Use an opt-in model for under-16 users and verify parental consent when required. Keep records of consent and use age-screening mechanisms.

1798.121 - Right to Limit Sensitive Information

How do you provide the right to limit use of sensitive personal information?

Provide a "Limit the Use of My Sensitive Personal Information" link and honor requests to limit use to what's necessary for core services.

How do you ensure service providers comply with limitations?

Maintain written agreements with proper CCPA clauses and conduct periodic vendor assessments for adherence.

1798.125 - Right of No Retaliation

How do you ensure non-discrimination for exercising CCPA rights?

Review policies—denying goods/services or charging different prices for exercising rights may be discriminatory unless tied to a value-based incentive program.

What are the rules for offering financial incentives?

Disclose the material terms of the incentive, including how the value is calculated, and ensure participation is voluntary and opt-in.

1798.130 - Notice, Disclosure, Correction, and Deletion Requirements

What methods are available for consumers to submit requests?

Ensure all methods are functional, verifiable, and consistently maintained for timely responses.

What is your timeline for responding to requests?

Respond to requests within 45 days, with one 45-day extension if reasonably necessary and communicated to the consumer.

How do you authenticate consumer requests?

Use balanced, proportional verification that protects against fraud but keeps access simple. Don't require account creation unless an account already exists.

How often do you update your privacy policy?

Review and update at least once every 12 months. Ensure it includes all required disclosures: rights, collection practices, sale/sharing, sensitive info use, and contact methods.

Are employees trained on CCPA requirements?

Keep training records, provide role-specific guidance, and update materials when laws or internal practices change.

How is verification data handled?

Use verification data only for request verification. Do not retain, use, or disclose it for any unrelated purpose.

1798.135 - Methods of Limiting Sale, Sharing, and Use

Do you provide required opt-out links or utilize opt-out preference signals?

Add "Do Not Sell or Share My Personal Information" and "Limit the Use of My Sensitive Personal Information" links clearly on your homepage, or implement a recognized opt-out preference signal (e.g., GPC).

Is your opt-out mechanism consumer-friendly?

Honor signals immediately without impacting user experience. Avoid any penalties, dark patterns, or degraded service tied to opt-out.

What information is in your privacy policy regarding opt-out rights?

Disclose the right to opt out of sale/sharing, the right to limit sensitive info use, and provide links or instructions in the privacy policy.

How long do you wait before requesting consent again?

Must wait at least 12 months before requesting consent again from consumers who opted out or limited use, or from minors who declined to opt in.

How is opt-out request data used?

Use opt-out data only to process and honor the request. Do not repurpose for marketing, profiling, or analytics.

Do you accept requests from authorized agents?

Update your process to accept requests from authorized agents, with reasonable verification of both the agent's authority and the consumer's identity.

How do you ensure third parties comply with opt-out requests?

Require contractual obligations to honor opt-outs and implement a process to verify compliance, especially for third parties.

Compliance Recommendations

General Duties (1798.100)

  • Update your notice to include all required elements—categories, purposes, sale/sharing status, and retention periods or criteria
  • Maintain version control and review quarterly to ensure accuracy
  • Limit collection and use to what's necessary, proportionate, and consistent with disclosed purposes
  • Ensure binding written contracts with clear CCPA terms for all third parties, service providers, and contractors
  • Document and regularly review security protocols

Right to Delete (1798.105)

  • Disclose deletion rights in privacy policy and at collection with clear request instructions
  • Delete data, instruct service providers/contractors to delete, and notify third parties unless valid exception applies
  • Maintain deletion response logs and audit vendor compliance periodically
  • Keep confidential records of deletion requests for compliance, audit, or suppression purposes
  • Apply exceptions only where strictly justified; maintain internal guidelines and log all denials with reasons

Right to Correct (1798.106)

  • Clearly disclose correction rights in privacy notice with submission instructions
  • Make commercially reasonable efforts to evaluate and correct inaccurate data when appropriate
  • Maintain documented process for handling corrections and keep logs of updates

Right to Know/Access (1798.110)

  • Provide both categories and specific pieces of personal information upon verification
  • Ensure disclosure process is secure, complete, and timely
  • Update privacy policy with all California-specific requirements and review at least every 12 months

Right to Know Sales/Sharing (1798.115)

  • Provide meaningful responses including categories of data and recipients for all requests
  • Keep verifiable process for timely responses and document all consumer requests and responses
  • Ensure privacy policy clearly states sale/sharing practices with categories and third parties

Right to Opt Out (1798.120)

  • Provide functional, user-friendly opt-out mechanism that properly documents consumer choices
  • Use opt-in model for under-16 users with age-screening and parental consent verification
  • Keep records of consent and ensure compliance with both CCPA and COPPA

Right to Limit Sensitive Info (1798.121)

  • Provide clear "Limit the Use of My Sensitive Personal Information" link and honor requests
  • Ensure limitation mechanisms are easy to access and reflected in internal data handling policies
  • Maintain written agreements with proper CCPA clauses and conduct periodic vendor assessments

Right of No Retaliation (1798.125)

  • Ensure non-discrimination language is reflected in privacy policy and employee training
  • For incentive programs: disclose material terms, explain value calculation, ensure voluntary opt-in participation
  • Maintain documentation of consent, ensure easy withdrawal, and review programs for fairness

Notice and Disclosure Requirements (1798.130)

  • Provide multiple functional request methods clearly on your website with verifiable processes
  • Respond within 45 days (one 45-day extension allowed if communicated); keep internal logs and workflow tracking
  • Use balanced verification that protects against fraud but keeps access simple; don't require account creation
  • Update privacy policy at least annually with all required disclosures and maintain version history
  • Keep training records, provide role-specific guidance, and update materials when laws change
  • Use verification data only for verification; minimize retention and ensure access controls

Methods of Limiting (1798.135)

  • Add required links prominently on homepage or implement recognized opt-out preference signal (e.g., GPC)
  • Regularly test link functionality and signal recognition; avoid degraded experiences or coercive practices
  • Review privacy policy content regularly and confirm links work properly across platforms
  • Wait at least 12 months before re-prompting; document consent status and apply cooldown logic
  • Store opt-out data separately with strict access controls; use only for compliance
  • Accept authorized agent requests with reasonable verification; keep documentation of authorization
  • Require contractual obligations for third parties to honor opt-outs; maintain audit logs and remediation procedures
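As an added example (not code from the checklist or from Data>Nuance), the Python below shows how the 1798.135 items in the questions and recommendations above fit together in one opt-out flow: detect the Global Privacy Control request header (`Sec-GPC: 1`), honor it immediately, keep the choice in a store separate from marketing data, and enforce the 12-month wait before re-prompting. The `Sec-GPC` header is the one defined by the GPC specification; the class and function names, the storage layout, and the reading that a repeated signal restarts the 12-month clock are assumptions of this example.

```python
# Added example (not the checklist author's code): opt-out signal handling that
# follows the 1798.135 items above. Names and the "a repeated signal restarts
# the 12-month clock" reading are assumptions of this example.
from datetime import datetime, timedelta, timezone
from typing import Dict, Mapping

REPROMPT_COOLDOWN = timedelta(days=365)  # wait at least 12 months before asking again

def gpc_signal_present(headers: Mapping[str, str]) -> bool:
    """True when the request carries the Global Privacy Control header ``Sec-GPC: 1``.
    Header names match case-insensitively; any value other than "1" is no signal."""
    return any(n.lower() == "sec-gpc" and v.strip() == "1" for n, v in headers.items())

class OptOutRegistry:
    """Opt-out choices kept apart from marketing/profiling data; holds only what is
    needed to honor the request: consumer id and the time of the latest opt-out."""

    def __init__(self) -> None:
        self._opted_out_at: Dict[str, datetime] = {}

    def record_opt_out(self, consumer_id: str, now: datetime) -> None:
        # Honored immediately; a repeated signal is treated as a fresh opt-out.
        self._opted_out_at[consumer_id] = now

    def may_sell_or_share(self, consumer_id: str) -> bool:
        return consumer_id not in self._opted_out_at

    def may_reprompt(self, consumer_id: str, now: datetime) -> bool:
        """True only if the consumer never opted out or the 12-month cooldown has run."""
        when = self._opted_out_at.get(consumer_id)
        return when is None or now - when >= REPROMPT_COOLDOWN

def handle_request(reg: OptOutRegistry, consumer_id: str,
                   headers: Mapping[str, str], now: datetime) -> bool:
    """Apply any GPC signal on this request; return whether sale/sharing is still allowed."""
    if gpc_signal_present(headers):
        reg.record_opt_out(consumer_id, now)
    return reg.may_sell_or_share(consumer_id)

def demo() -> tuple:
    """Constructed scenario: a consumer sends GPC once, then returns without it."""
    t0 = datetime(2024, 1, 15, tzinfo=timezone.utc)
    reg = OptOutRegistry()
    before = handle_request(reg, "c1", {"Accept": "text/html"}, t0)  # True: no signal yet
    after = handle_request(reg, "c1", {"Sec-GPC": "1"}, t0)          # False: honored at once
    later = handle_request(reg, "c1", {}, t0 + timedelta(days=30))   # False: choice persists
    too_soon = reg.may_reprompt("c1", t0 + timedelta(days=364))      # False
    allowed = reg.may_reprompt("c1", t0 + REPROMPT_COOLDOWN)         # True
    return before, after, later, too_soon, allowed
```

The opt-out state stores nothing beyond the consumer id and timestamp, which is what the "use opt-out data only for compliance" item asks for; a verification step for link-based or agent-submitted requests would sit in front of `record_opt_out`.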

Need Help with CCPA Compliance?

Our expert team can provide tailored compliance solutions for your organization's specific needs under the California Consumer Privacy Act.

Checklist to implementation

Need a fact-specific view?

Data>Nuance can turn this checklist into a scoped action plan for your product, vendor stack, cross-border transfers, DSAR workflow, breach readiness, or DPO operating model.