Free Download · CCPA / CPRA + 18 state privacy laws
The complete CCPA / CPRA + state privacy compliance checklist
California's CCPA + CPRA, plus the 18 other US state privacy laws now in force, in one downloadable checklist. The §1798.130 45-day DSAR clock, the §1798.140(ag) service-provider cascade, the universal Global Privacy Control opt-out signal, and the state-by-state rights matrix. Privacy-counsel reviewed. Free PDF, no credit card.
Used by privacy counsel and DSAR ops leads across e-commerce, ad-tech, SaaS, financial services, and healthcare organizations operating across California, Virginia, Colorado, Connecticut, Texas, and the other 14 state privacy regimes now in force.
What's inside
30 checklist items, grouped the way the regulators look at them
California-specific consumer rights first, then the multi-state overlap matrix, then the workflow-level controls (DSAR intake, service-provider cascade, GPC handling) every state law layers on top. Each row maps to the section of statute that governs it.
California-specific · CCPA + CPRA
The 6 consumer rights, the verifiable request workflow, the §1798.140(ag) service-provider terms, the CPRA-added rights, employee + B2B inclusions, and CPPA enforcement.
- §1798.100 · Right to know
  categories + specific pieces of PI collected, sources, business purposes, third parties; 12-month lookback minimum
- §1798.105 · Right to delete
  consumer deletion request + propagation to every service provider and contractor (the cascade)
- §1798.106 · Right to correct (CPRA)
  added by CPRA; correct inaccurate PI within 45 days; document the review workflow
- §1798.120 · Right to opt-out of sale + sharing
  'sale' = monetary OR other valuable consideration; 'sharing' = cross-context behavioral advertising
- §1798.121 · Right to limit use of sensitive PI
  SSN and other government IDs, account credentials, precise geolocation, racial or ethnic origin, religious beliefs, biometrics, health data, contents of mail/email/text, among others
- §1798.125 · Non-discrimination
  no denial of goods/services or different prices for exercising privacy rights
- §1798.130 · Verifiable consumer request workflow (45 days)
  acknowledgement within 10 business days, 45-day substantive response, one 45-day extension with notice to the consumer
- §1798.130(a)(5) · Privacy notice content
  12 specific sections in the privacy policy, accessible at point of collection
- §1798.140(ag) · Service-provider contracts (6 mandatory terms)
  prohibit sale/sharing; restrict retention, use and disclosure to the specified business purposes; no use outside the direct business relationship; no combining with PI from other sources; comply with the CCPA and provide the same level of protection; allow the business to monitor compliance
- CPRA · employee + B2B · Employee + B2B data inclusions (in force Jan 1 2023)
  former carve-out expired; employee, applicant, contractor, and B2B contact PI is in scope
- Cal. CPPA · CPPA enforcement authority
  California Privacy Protection Agency, primary enforcer; AG retains concurrent authority
- §1798.125(b) · Financial-incentive disclosures
  loyalty programs offering different prices/services require a Notice of Financial Incentive
18 other state privacy laws · overlap matrix
Virginia, Colorado, Connecticut, Utah, Iowa, Indiana, Tennessee, Texas, Florida, Montana, Oregon, Delaware, New Jersey, Minnesota, Maryland, Rhode Island, New Hampshire, Nebraska: where they converge with CCPA and where they diverge.
- VCDPA · Virginia (in force Jan 2023)
  5 rights + sensitive-data opt-in + DPIA requirement; 30-day cure period applies
- CPA · CTDPA · UCPA · Colorado, Connecticut, Utah
  5 rights; universal opt-out mechanism (Colorado, and Connecticut from 2025); profiling opt-out + sensitive-data opt-in in CO and CT; Utah is notice + opt-out for sensitive data and has no profiling opt-out
- TDPSA · Texas (in force July 2024)
  5 rights, no revenue threshold; applies to any business processing TX consumer PI
- FDBR · Florida (in force July 2024)
  narrow applicability: $1B revenue + specific business activities; sensitive-data opt-in
- OCPA · MTCDPA · ICDPA · TIPA · Oregon, Montana, Iowa, Tennessee
  rights-based regimes effective 2024-2025; CCPA-style opt-out
- DPDPA · NJ-DPA · MCDPA · MODPA · Delaware, New Jersey, Minnesota, Maryland
  effective 2025; data-minimization standard rising in MD; profiling opt-out
- RI · NH · NE · IN · Rhode Island, New Hampshire, Nebraska, Indiana
  rolling 2025-2026 effective dates; converging on the 5-rights template
- Sensitive data · Sensitive data opt-in (15 states)
  most non-CA states require opt-in for sensitive data; CCPA only requires limit-of-use
Subject Rights workflow
The end-to-end DSAR pipeline that has to run inside the 45-day window. Authentication, identification, fulfillment, and the audit log.
- Step 1 · Intake + acknowledgement
  two designated request channels at minimum (toll-free number + online form); acknowledgement within 10 business days; intake routing
- Step 2 · Identity verification (tiered)
  match the consumer to the records held; the standard scales with the sensitivity of the data requested and the harm of releasing it to the wrong person
- Step 3 · Data discovery + fulfillment (inside the 45 days)
  auto-discovery across CRM, support, billing, marketing, product analytics; redaction of third-party PI before release
- Step 4 · Deletion confirmation
  confirm deletion in your own systems + cascade to every service provider and downstream processor, with each confirmation captured
- Step 5 · Denial reasons + audit log
  documented reason for any denial; full audit trail producible for the CPPA on demand
Service-provider cascade
§1798.140(ag) + §1798.105(c). The contract terms, the deletion fan-out, and the audit rights you need to prove the cascade ran end-to-end.
- §1798.140(ag) · Contract clauses (6 terms)
  prohibit sale/sharing; restrict retention, use and disclosure to the specified business purposes; no use outside the direct business relationship; no combining with PI from other sources; comply with the CCPA and provide the same level of protection; allow the business to monitor compliance
- §1798.105(c) · Downstream processor obligations
  a deletion request must propagate through every service provider, contractor, and sub-processor, with each confirmation captured
- §1798.140(ag)(5) · Audit + monitoring rights
  right to take reasonable steps to ensure service-provider compliance (manual reviews, automated scans, assessments or audits); the provider must notify you when it engages a sub-processor and bind it by written contract to the same restrictions; maintain a sub-processor list per provider
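The five-step workflow above and the deletion fan-out it has to drive are easier to reason about as a small state machine. The following is an added example, not code from the checklist or from any vendor: it opens a DSAR on receipt, computes the acknowledgement and response deadlines, allows exactly one 45-day extension and only while the original clock is still running, and refuses to mark the request complete until every named service provider has confirmed deletion. Dates are treated as UTC calendar days, public holidays are not modelled in the business-day count, and the record, event and provider names are this example's own assumptions.

```javascript
// Added example, not part of the checklist: a minimal DSAR record that
// enforces the §1798.130 clock (acknowledge within 10 business days, respond
// within 45 calendar days, one 45-day extension noticed before the original
// deadline) and tracks the §1798.105(c) deletion fan-out so a request only
// counts as complete when every service provider has confirmed. Assumptions:
// dates are UTC day-granular, public holidays are ignored for the
// business-day count, and the record/event shapes are this example's own.
const DAY_MS = 24 * 60 * 60 * 1000;

function addDays(date, n) {
  return new Date(date.getTime() + n * DAY_MS);
}

// Add n Monday-to-Friday business days (holidays not modelled).
function addBusinessDays(date, n) {
  let d = new Date(date.getTime());
  let remaining = n;
  while (remaining > 0) {
    d = addDays(d, 1);
    const dow = d.getUTCDay(); // 0 = Sunday, 6 = Saturday
    if (dow !== 0 && dow !== 6) remaining -= 1;
  }
  return d;
}

function isoDay(date) {
  return date.toISOString().slice(0, 10);
}

// Open a request on receipt (Day 0). `providers` is the list of service
// providers/contractors that hold this consumer's PI and must confirm deletion.
function openRequest({ id, type, receivedAt, providers }) {
  const received = new Date(receivedAt);
  return {
    id,
    type, // "know" | "delete" | "correct" | ...
    receivedAt: received,
    ackDue: addBusinessDays(received, 10),
    responseDue: addDays(received, 45),
    extended: false,
    cascade: Object.fromEntries(providers.map((p) => [p, null])), // provider -> confirmedAt
    log: [{ at: received, event: "received" }],
  };
}

// Apply the single permitted 45-day extension. The extension notice must
// reach the consumer inside the original 45-day window.
function extend(req, noticeSentAt) {
  const at = new Date(noticeSentAt);
  if (req.extended) throw new Error(`${req.id}: only one 45-day extension is permitted`);
  if (at > req.responseDue) throw new Error(`${req.id}: extension notice sent after the deadline`);
  req.extended = true;
  req.responseDue = addDays(req.responseDue, 45);
  req.log.push({ at, event: "extended" });
  return req;
}

// Record a provider's deletion confirmation; unknown providers are rejected
// so a typo cannot silently satisfy the cascade.
function recordProviderConfirmation(req, provider, confirmedAt) {
  if (!(provider in req.cascade)) throw new Error(`${req.id}: unknown provider ${provider}`);
  const at = new Date(confirmedAt);
  req.cascade[provider] = at;
  req.log.push({ at, event: "provider_confirmed", provider });
  return req;
}

// Snapshot for the queue dashboard: what is still outstanding and whether
// the request has breached its clock.
function status(req, now) {
  const at = new Date(now);
  const pendingProviders = Object.entries(req.cascade)
    .filter(([, confirmedAt]) => confirmedAt === null)
    .map(([provider]) => provider);
  return {
    pendingProviders,
    complete: pendingProviders.length === 0,
    overdue: pendingProviders.length > 0 && at > req.responseDue,
    daysRemaining: Math.ceil((req.responseDue.getTime() - at.getTime()) / DAY_MS),
  };
}
```

The `log` array is the audit trail Step 5 asks for: every state change carries its own timestamp, so a regulator can see when the request arrived, when (and whether) it was extended, and when each provider confirmed. A request received on Monday 2025-03-03 gets an acknowledgement deadline of 2025-03-17 and a response deadline of 2025-04-17; a valid extension moves the latter to 2025-06-01.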
Universal Opt-Out signal · GPC
Global Privacy Control browser signal handling, mandatory in California, recognized in Colorado and Connecticut, and converging across the rest.
- CCPA Regs §7025 · GPC honored as a valid opt-out
  the browser-level GPC signal (the Sec-GPC: 1 request header) must be treated as a valid §1798.120 opt-out for that browser or device, and for the consumer where known; frequency, scope, and authentication rules apply
- Multi-state · Universal opt-out across CO + CT + others
  Colorado's Universal Opt-Out Mechanism (UOOM) effective July 2024; Connecticut recognizes GPC; the rest converging
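What honoring the signal looks like on the server side, as an added example rather than code from the checklist or any vendor: the request is checked for the one valid header value the GPC specification defines (`Sec-GPC: 1`), the opt-out is persisted for the browser, it is extended to a logged-in consumer's account where one is known, and an audit record is emitted so the decision can be shown later. The cookie name, the `account` object shape and the audit-record shape are this example's own assumptions; the browser-side mirror of the header, `navigator.globalPrivacyControl`, is not needed here because the server sees the header directly.

```javascript
// Added example, not part of the checklist or any vendor's code: treat the
// Global Privacy Control signal as a CCPA §1798.120 opt-out of sale/sharing,
// persist it for the browser, extend it to a known account, and emit an
// audit record. The cookie name, the account shape and the audit-record
// shape are this example's own assumptions.
const OPT_OUT_COOKIE = "privacy_optout"; // hypothetical cookie name

function lowercaseKeys(obj) {
  const out = {};
  for (const [k, v] of Object.entries(obj || {})) out[k.toLowerCase()] = v;
  return out;
}

// Parse a Cookie request header into a plain object; malformed pairs are
// skipped rather than thrown on, since the client controls this header.
function parseCookies(cookieHeader) {
  const out = {};
  if (typeof cookieHeader !== "string") return out;
  for (const part of cookieHeader.split(";")) {
    const idx = part.indexOf("=");
    if (idx < 0) continue;
    const name = part.slice(0, idx).trim();
    if (!name) continue;
    try {
      out[name] = decodeURIComponent(part.slice(idx + 1).trim());
    } catch (_) {
      // undecodable value: ignore it
    }
  }
  return out;
}

// The GPC spec defines exactly one valid request-header value: "Sec-GPC: 1".
// "0", "true", "yes" or an absent header are NOT an opt-out signal.
function hasGpcSignal(headers) {
  const raw = lowercaseKeys(headers)["sec-gpc"];
  return typeof raw === "string" && raw.trim() === "1";
}

// Decide whether the request carries an opt-out of sale/sharing and from
// which source. `account` is null for anonymous visitors, or
// { id, optedOut } for an authenticated consumer. `now` is injectable so
// the audit timestamp is deterministic in tests.
function evaluateOptOut(req, account = null, now = new Date()) {
  const headers = lowercaseKeys(req.headers);
  const cookies = parseCookies(headers["cookie"]);
  const decision = {
    optOut: false,
    source: "none",            // "gpc" | "cookie" | "account" | "none"
    scope: ["sale", "share"],  // §1798.120 covers both sale and sharing
    applyToAccount: false,     // true when a known consumer's profile must be updated too
    setCookie: null,           // Set-Cookie header value to send back, if any
    audit: null,
  };

  if (hasGpcSignal(headers)) {
    decision.optOut = true;
    decision.source = "gpc";
    // Persist on this browser so responses served without the header
    // (cached pages, CDN paths) still honour the opt-out.
    decision.setCookie = `${OPT_OUT_COOKIE}=1; Path=/; Max-Age=31536000; SameSite=Lax; Secure`;
    // CCPA regs §7025(c): a signal from a browser the business can associate
    // with a known consumer applies to that consumer, not just the device.
    decision.applyToAccount = account !== null && account.optedOut !== true;
  } else if (cookies[OPT_OUT_COOKIE] === "1") {
    decision.optOut = true;
    decision.source = "cookie";
  } else if (account !== null && account.optedOut === true) {
    decision.optOut = true;
    decision.source = "account";
  }

  if (decision.optOut) {
    // Minimal audit trail: when and why the opt-out was recorded, without
    // retaining the full request.
    decision.audit = {
      at: now.toISOString(),
      source: decision.source,
      secGpc: headers["sec-gpc"] === undefined ? null : String(headers["sec-gpc"]),
      accountId: account ? account.id : null,
    };
  }
  return decision;
}

// Ad tags and data-sharing pipelines should gate on this decision rather
// than re-reading headers themselves, so there is one place to audit.
function maySellOrShare(decision) {
  return !decision.optOut;
}
```

The strict value check matters: treating any non-empty `Sec-GPC` value as a signal would let a proxy or a misconfigured extension send `Sec-GPC: 0` and still register an opt-out the consumer never made, which then has to be unwound. Persisting the choice in a first-party cookie covers the edge case the regulations care about, a later page load from the same browser where the header is missing, and the `applyToAccount` flag is what turns a device-level signal into an account-level record once the visitor logs in.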
Why this checklist
The privacy regulator landscape changed faster than your DPA template
CCPA has been in force since January 2020. The CPRA amendments, adding the right to correct, the sensitive PI category, and the opt-out preference signal mandate, became operative in January 2023, and the California Privacy Protection Agency began enforcing in July 2023. The CPPA is the new enforcer, and it is more active than the AG ever was on privacy; the 8,265+ consumer complaints filed in 2024–2025 feed its enforcement pipeline. The AG has not stepped back either: DoorDash, Healthline, and Sephora all settled AG CCPA actions, and the Sephora matter turned in part on failing to honor Global Privacy Control opt-out signals.
Outside California, 18 other states now have comprehensive privacy laws: Virginia, Colorado, Connecticut, Utah, Iowa, Indiana, Tennessee, Texas, Florida, Montana, Oregon, Delaware, New Jersey, Minnesota, Maryland, Rhode Island, New Hampshire, and Nebraska. The rights overlap (know, delete, correct, opt-out, portability) but the divergences matter: sensitive-data opt-in vs limit-of-use, DPIA vs risk assessment, cure period vs no cure, revenue threshold vs activity threshold. That 'rights checkerboard' is what makes a single privacy program hard to scale.
On top of the rights matrix sits the Universal Opt-Out signal: the Global Privacy Control signal, sent as the Sec-GPC: 1 request header and exposed in the browser as navigator.globalPrivacyControl, must be honored as a valid opt-out under California regulations §7025 and Colorado's UOOM. Every state law also touches the sensitive PI category (15 of the 19 require opt-in, CCPA requires limit-of-use), and every law has a data-minimization standard that is tightening (Maryland's MODPA explicitly limits collection to what is reasonably necessary, not what is permissible). The checklist captures all three layers in one document.
Who it's for
Built for the three roles that own multi-state privacy compliance
Chief Privacy Officer / Privacy Counsel
Owns the privacy program across CCPA, the 18 state laws, GDPR/UK GDPR, and sectoral overlays.
Single document that captures the rights matrix, the workflow controls, and the contract terms: the artefact you'd hand to outside counsel for a 30-minute readiness review.
Director · Privacy Engineering
Owns the data-mapping, RoPA, deletion automation, and GPC handling across product + martech.
The cascade + GPC sections give the engineering team the spec: what signals to honor, what records to enumerate, and how to prove the deletion propagated to every sub-processor.
DSAR / Subject-Rights Operations Lead
Owns the queue. Day 0 receipt to Day 45 delivery. Every right, every state, every audit log.
5-step subject-rights workflow + multi-state overlap matrix lets you score each incoming request against the right state law: California, Virginia, and Colorado all run a 45-day clock with one 45-day extension, but the cure periods and sensitive-data rules differ, and the playbook keeps them in one place.
Common questions, answered up front
CCPA vs CPRA, the 18-state overlap, GPC universal opt-out, the service-provider cascade, and sensitive PI categories.
Related pages
Other privacy + cross-framework resources
Past the checklist stage?
Manage CCPA + GDPR + 18 state laws on one platform?
RiskWatch maps each consumer right to its counterpart under California's CCPA/CPRA, the 18 other state privacy laws, GDPR + UK GDPR, LGPD, PIPEDA, and the Australian Privacy Act. The DSAR queue runs the 45-day clock end-to-end. The service-provider register tracks the 6 §1798.140(ag) contract terms per vendor. GPC handling is built in. One platform; most multi-jurisdiction privacy programs reduce duplicated work by 60–70%.
Or call US: +1 941-500-4525