How to Comply with the CCPA: an 8-Step Guide for 2026

A practitioner's step-by-step CCPA compliance procedure for website owners: applicability, policies, opt-out, requests, vendor contracts, and the 2026 rules.


by Riad Us Salehin • 5 July 2026


To comply with the CCPA, confirm the law applies to your business. Then post a compliant privacy policy and notice at collection. Add a "Do Not Sell or Share" opt-out and honor opt-out signals. Build a process to fulfill consumer requests within 45 days, put vendor contracts in place, and secure the data you hold.

Treat it as an ordered project, not a legal maze. The eight steps below take you from applicability to a website that is genuinely defensible, including the 2026 rules most guides skip.

How Do You Comply with the CCPA? (Quick Answer)

Complying with the CCPA means completing eight sequential actions, from confirming applicability through securing your data and keeping the system current. Most enterprise guides start with a compliance officer. A website owner starts with a simpler question: does this even apply to me.

The eight steps, in the order you actually do them:

  1. Map the personal information your website collects
  2. Publish a compliant privacy policy and notice at collection
  3. Add the "Do Not Sell or Share" opt-out and honor opt-out signals
  4. Build a process to handle consumer rights requests
  5. Put service-provider and vendor contracts in place
  6. Apply reasonable security and a breach response plan
  7. Check whether the new 2026 rules apply to you
  8. Keep your compliance current

Confirm the law applies to you before step 1. That check sits in "What You Need Before You Start," below. It changes how much of the rest of this guide you need.

What You Need Before You Start

The prerequisite most people skip is a written, honest inventory of every place your site sends personal data, not just cookies. Analytics pixels, ad tags, chat widgets, and form processors all count. That inventory decides whether you sell or share data under the law's broad definition.

Gather these before you start.

  • Roles: the site owner or a developer implements the technical pieces (banner, opt-out link, script blocking). A business processing sensitive data at volume should add legal counsel for the 2026 risk-assessment and audit obligations in Step 7.
  • Time: a small business with existing analytics and ad tags can complete the core website steps in a few focused days. That covers the privacy policy, notice, and opt-out. Full program maturity, including a working request process and vendor contracts, more commonly takes several weeks.
  • Cost: estimates vary widely by business size. Reported ranges run from roughly $5,000 to $75,000 for smaller businesses, and $100,000 or more for large enterprises running full audits. Treat any specific figure as a planning anchor, not a quote.
  • Inputs: a list of every tool, tag, and vendor connected to your site. Include Google Analytics, ad pixels, embeds, form processors, and live chat. Note where your California visitors reach you from.
  • Tools: a consent management platform to handle the banner and opt-out mechanic, and a privacy-policy generator to produce the required disclosures. If you run on Shopify, making a Shopify store compliant walks through the platform-specific setup. On WordPress, the WordPress compliance walkthrough covers the plugin-level steps.

Does the CCPA Apply to You? (The Thresholds)

You must comply with the CCPA if you are a for-profit business doing business in California and you meet any one of three thresholds. There is no combined test. Hitting a single threshold is enough.

  • Revenue: gross annual revenue of $26,625,000 or more, effective January 1, 2025, adjusted from the original $25 million figure.
  • Data volume: you annually buy, sell, or share the personal information of 100,000 or more California residents or households.
  • Revenue from data: you derive 50% or more of your annual revenue from selling or sharing California residents' personal information.

The revenue and volume thresholds catch most people off guard. Selling and sharing data are defined far more broadly than a literal cash transaction. Uploading a customer list to Facebook for ad targeting counts as sharing. Sending visitor data to Google Analytics for cross-context behavioral advertising counts too.

One small-business operator on a discussion thread described the definition bluntly.

The CCPA's definition of sale is far more broad than what you would conventionally consider a sale.

A business that has never sold a customer record can still meet the 100,000-household threshold. Analytics and ad-pixel traffic alone can get there.

If none of the three thresholds apply to your business today, the rest of this guide is optional. Revisit the check whenever your traffic, revenue, or ad-tech stack grows. For the full obligation-by-obligation reference, see the full CCPA compliance requirements. If you are new to the law itself, start with what the CCPA is.

Step 1: Map the Personal Information Your Website Collects

Start by listing every source on your site that collects or transmits personal information. You cannot disclose, secure, or let people opt out of what you have not found. A data inventory is the foundation every later step depends on.

Walk through these sources systematically:

  1. Forms: contact forms, newsletter signups, account registration, checkout fields.
  2. Analytics: Google Analytics, heatmap tools, session-replay scripts.
  3. Advertising tags: Meta Pixel, Google Ads conversion tracking, TikTok Pixel, retargeting scripts.
  4. Embeds and widgets: live chat, review widgets, video embeds, social share buttons.
  5. Back-office systems: your CRM, email platform, and customer support tool, even though these sit outside the website layer.

For each source, note what personal information it collects and which third party receives it. A user in a discussion thread about affiliate and content sites described the sale and share test as broader than expected.

Uploading targeting lists (name, email, phone) to FB in order to run advertising could be considered a sale.

That single practice, common on small marketing sites, can trigger CCPA obligations without any traditional data-sale relationship.

Your website is one slice of a bigger data map. Back-office systems, vendor contracts, and internal data retention sit outside a cookie banner's reach. They need their own inventory pass.

💡 Using a scanning tool? Automatic cookie scanning discovers the cookies, trackers, scripts, and iframes running on your site. That covers the website layer of this inventory. It will not map your CRM, email list, or back-office systems.

Done: you have a written list of every website-level source that collects or transmits personal information, and what each one shares.

Step 2: Publish a Compliant Privacy Policy and Notice at Collection

Two separate deliverables satisfy this step. One is a privacy policy that discloses your data practices. The other is a notice at collection, shown at or before the moment you collect data. Skipping either leaves a real compliance gap, even if the other is done well.

Your privacy policy must disclose, at minimum:

  • The categories of personal information you collect, sell, or share.
  • The business or commercial purposes for collecting each category.
  • The third parties you share data with.
  • Consumers' CCPA rights and how to exercise them.

The notice at collection is narrower and more immediate. It informs visitors what data you are collecting and why, delivered at or before the point of collection. On a website, that is typically the cookie consent banner shown on first visit, paired with a link to the full privacy policy.

A user answering a question about CCPA basics in a marketing forum put the starting point simply.

First step is to make sure their website has the proper privacy policy language.

Even a business that never sells data still needs both documents published and current. The disclosure and rights obligations apply regardless of whether a sale occurs. One practitioner described this exact gap.

Even if the data is never sold, data retention policies and transparencies need to be established and clearly labeled.

Consently's Privacy Policy generator produces the CCPA-required policy through a guided workflow, with rich-text editing, direct website embedding, and 10-plus language output. The Cookie Policy generator covers the separate cookie disclosure. The consent banner delivers the notice at collection with a link back to the full policy. Consently's CCPA compliance solution packages the banner and both generators for the website side of this step.

Done: your privacy policy names your data categories, purposes, and third parties. Your notice at collection displays before or at the point of collection. Both are live on the site.

Step 3: Add the "Do Not Sell or Share" Opt-Out (and Honor Opt-Out Signals)

If you sell or share personal information, this step carries two distinct legal obligations, not one. Treating them as the same thing is the single most common implementation gap. The first is a visible link. The second is honoring a signal the visitor's browser sends automatically.

Obligation one: the link. Place a clear and conspicuous "Do Not Sell or Share My Personal Information" link in your site's footer or header. The accepted alternate label "Your Privacy Choices" also satisfies this. Clicking it must actually stop the sale or sharing. The ad and analytics tags that fire for that visitor must stop firing, not just display a confirmation message.

A user account in a technology-discussion thread described testing this exact failure mode. They clicked a "Do Not Sell" button, then checked the network traffic. Dozens of tracking cookies kept firing behind it regardless.

Obligation two: honoring the signal. Separately from the link, California law requires you to honor opt-out preference signals. The most common is Global Privacy Control, sent automatically by a visitor's browser or browser extension. The California Privacy Protection Agency states the requirement directly:

Businesses must honor opt-out preference signals (OOPS) that meet certain requirements, such as the Global Privacy Control, as a valid request to opt-out of sale/sharing.

A banner or link alone is not GPC honoring. Your site's backend must detect the incoming signal and suppress the relevant tags automatically, with no click required from the visitor.

ObligationWhat it requiresWho acts
"Do Not Sell or Share" linkVisible link that stops tags from firing on clickThe visitor clicks; your site must respond
GPC / OOPS honoringDetect the browser-sent signal and suppress tags automaticallyNo visitor action; the business's system must listen and respond

For minors under 16, the law adds one more requirement. Explicit opt-in consent is needed before you can sell or share their personal information at all, not a simple opt-out.

Consently's US/CCPA opt-out banner template, Do-Not-Sell/opt-out control, and automatic geotargeting deliver the consumer-facing link. They can block non-essential tags for California visitors on opt-out. Consently does not detect or automatically honor GPC or other opt-out preference signals. Honoring GPC is a separate obligation your business must satisfy through other means. No cookie banner tool, Consently included, makes a site CCPA compliant on its own.

To place the banner and link itself, how to add a cookie banner to your site covers the concrete setup. For the consumer-facing side of the opt-out mechanism, see the "Do Not Sell or Share" opt-out explained from the visitor's perspective. For the signal side specifically, see opt-out preference signals like GPC.

Done: your "Do Not Sell or Share" link is live, and clicking it demonstrably stops the relevant tags from firing. You also have a separate, working mechanism for detecting and honoring GPC signals.

Step 4: Build a Process to Handle Consumer Rights Requests

Consumers can exercise six rights under the CCPA: know, delete, correct, opt-out, limit the use of sensitive personal information, and non-discrimination. You need a working intake and fulfillment process, not just a policy that mentions these rights.

The mechanics:

  1. Offer at least two request methods. Most covered businesses provide a toll-free phone number plus a web form or email address.
  2. Verify the requester's identity before fulfilling a know, delete, or correct request, to prevent one consumer's data from reaching someone else.
  3. Acknowledge receipt within 10 business days, then substantively respond within 45 calendar days.
  4. Extend once if genuinely needed: one additional 45-day extension is available, 90 days total, provided you notify the consumer within the original window.
  5. Keep records of every request and your response, generally for at least 24 months.

The 45-day clock, plus the less-publicized 10-business-day acknowledgment, is the deadline most small teams miss. Many teams plan only for the final response date and skip the interim confirmation.

Consently's consent logs with export give you the opt-out record and audit trail: evidence that you honored a visitor's opt-out choice. Consently does not run a full access, correction, or deletion request portal. Pair it with your own intake process, a form plus a documented internal workflow, for the broader set of rights requests.

For the rights themselves in more depth, see a data subject access request and the full set of consumer privacy rights you must honor.

Done: you have at least two working intake channels and a documented identity-verification step. You track the 45-day response clock and keep a 24-month record of requests and responses.

Step 5: Put Service-Provider and Vendor Contracts in Place

Identify every vendor you send personal data to, then sign a CCPA-compliant contract restricting each one to the specific business purpose you specify. This single contract term keeps a routine data transfer to a vendor from legally counting as a sale.

Cover your full vendor list:

  • Analytics platforms (Google Analytics and similar).
  • Advertising and marketing platforms.
  • Email service providers.
  • Hosting and infrastructure providers.
  • Fulfillment and shipping partners.

California's regulations spell out the required contract terms. The agreement must limit the vendor to your named business purpose. It must prohibit the vendor from selling, sharing, retaining, using, or disclosing the data for any other purpose. It must require the vendor to assist with consumer requests, grant you audit rights, and bind any subcontractors to the same terms.

A user in a webdev discussion thread confirmed the practical version of this rule.

The CCPA requires the written contract to state that the service provider will not retain, use, or disclose the personal information for any other purpose.

Another practitioner described the operational habit worth adopting.

Review all contracts with service providers (Google, ShipStation, etc.) to include a DPA during the annual renewal.

Treat that review as a recurring task, not a one-time fix.

Done: every vendor that receives personal data from your site has a signed contract limiting use to your specified business purpose. You review that list annually.

Step 6: Apply Reasonable Security and a Breach Response Plan

Apply security measures proportionate to the personal information you hold: encryption, access controls, and regular testing. Have a breach detection and response plan ready before you need it. This step carries outsized legal risk relative to its size.

The reason security gets its own step, separate from general compliance, is the CCPA's private right of action. Consumers can sue directly over a data breach involving unencrypted or unredacted personal information, if that breach resulted from your failure to maintain reasonable security. Statutory damages run from $100 to $750 per consumer per incident. A single breach affecting a few thousand records at the $750 ceiling scales to a seven-figure exposure before any other penalty applies.

Baseline security measures worth prioritizing:

  • Encrypt personal information at rest and in transit.
  • Restrict access to personal information on a need-to-know basis.
  • Test your defenses regularly, not just at setup.
  • Redact or truncate sensitive fields, such as Social Security numbers and financial account numbers, wherever full values are not operationally required.

Most CCPA enforcement actions and civil penalties trace back to gaps at this step. Either a breach itself or an inadequate response causes the exposure. A breach also triggers separate breach notification duties beyond the CCPA's own private right of action.

Done: sensitive personal information is encrypted, and access is restricted and logged. You have a written breach response plan naming who does what in the first 72 hours after detection.

Step 7: Check Whether the New 2026 Rules Apply to You (ADMT, Risk Assessments, Audits)

The California Privacy Protection Agency's regulations on automated decision-making technology, risk assessments, and cybersecurity audits became effective January 1, 2026. Specific compliance deadlines phase in through 2027 and 2028. Most small brochure or e-commerce sites fall outside this scope, but the test is worth running once.

You are more likely to be in scope if your business:

  • Uses ADMT, algorithmic or AI-based tools, to make significant decisions about consumers, such as employment, lending, or housing.
  • Processes a high volume of consumer data or handles sensitive personal information at scale.
  • Trains automated decision-making models on consumer data for these significant-decision use cases.

If you meet the trigger, two new obligations follow: risk assessments and cybersecurity audits. A risk assessment is required for data processing that presents significant risk, including ADMT used for significant decisions. Initial assessments for processing that began before January 1, 2026, must be completed, with attestations due to the CPPA by April 1, 2028.

A cybersecurity audit is required in one of two cases. Your business processes the sensitive personal information of 50,000 or more consumers. Or it generates $25 million or more in revenue while processing personal information of 250,000 or more consumers. Audit certifications are due on a schedule tiered by revenue: 2028 for the largest businesses, through 2030 for smaller ones.

A typical small business running a website with a contact form and standard analytics is very unlikely to fall inside this scope in 2026. That holds as long as you use no ADMT and no high-volume sensitive-data processing. Revisit the test annually as your data volume and any AI-driven features grow.

Done: you have determined whether ADMT, risk-assessment, or cybersecurity-audit obligations apply to your business. If they do, you have logged the relevant deadline on your compliance calendar.

Step 8: Keep Your Compliance Current

CCPA compliance is not a one-time project. Treat the seven steps above as a system you maintain on a schedule, not a checklist you close out once.

The maintenance cadence:

  • Re-scan your site regularly. New tools, embeds, and ad tags add new cookies and trackers continuously. A stale scan understates your real data footprint.
  • Refresh your privacy policy at least annually, and immediately whenever your data practices change.
  • Re-test your opt-out mechanism. Confirm the "Do Not Sell or Share" control and GPC honoring still stop the relevant tags. A tool update or a new tag can silently break this.
  • Watch new and updated state laws. The CCPA is California's law, but other US states now mirror its core structure. A multistate site needs to track each one.

💡 Using Consently? Weekly scheduled cookie re-scans keep your website inventory and banner current automatically as you add new tools and tags. For the cookie-specific side of ongoing maintenance, the cookie-law compliance guide covers the parent workflow this guide's website steps sit inside.

Done: you have a recurring calendar entry for re-scanning, an annual policy-review date, and a periodic test of your opt-out mechanism.

Common CCPA Compliance Mistakes to Avoid

The most damaging mistake is assuming the CCPA does not apply because you do not sell data. The law's definition of sale and sharing is broad enough that ordinary analytics and advertising tags routinely qualify, regardless of whether cash changes hands.

  • Assuming "we don't sell data" means the CCPA doesn't apply. Uploading customer lists to Facebook for ad targeting counts as sharing. So does running standard analytics that supports cross-context behavioral advertising. Confirm your actual data flows against the broad legal definition before ruling yourself out.
  • Using outdated thresholds. Older guides and forum posts cite a $25 million revenue figure or a 50,000-resident threshold. The current figures are $26,625,000 in revenue, effective January 1, 2025, and 100,000 California residents or households.
  • An opt-out link that doesn't actually stop the tags. A visible link can show a confirmation message while the underlying scripts keep firing. That is not compliance. It is a liability with a friendly face. Test the actual network requests after clicking opt-out.
  • Forgetting to honor GPC and other opt-out signals. A banner and a footer link are not enough on their own. California requires businesses to treat a browser-sent Global Privacy Control signal as a valid opt-out request. It must be detected and honored automatically.
  • No service-provider contracts, or treating compliance as one-and-done. Skipping the vendor-contract terms erodes compliance quietly. So does setting up your banner once and never testing it again.

How Consently Helps You Cover the Website Side of CCPA Compliance

Consently covers the website and consumer-facing layer of CCPA compliance across four of the eight steps above. It leaves the internal, legal, and vendor-side work to you. It handles the banner, the opt-out control, the required policies, and the audit trail. It does not make legal determinations or handle every step end to end.

Specifically, Consently provides:

  • The US/CCPA opt-out banner template, the Do-Not-Sell/opt-out control, and automatic geotargeting for Step 3's consumer-facing opt-out.
  • The Privacy Policy and Cookie Policy generators for Step 2's required disclosures.
  • Automatic cookie scanning and weekly scheduled re-scans for Steps 1 and 8's data inventory and ongoing maintenance.
  • Consent logs with export as the opt-out audit trail supporting Step 4.

What it does not cover: vendor contracts in Step 5 and your internal security program in Step 6. It also skips the full access-correct-delete request portal in Step 4. The same goes for automatic GPC signal detection in Step 3 and the 2026 ADMT and audit program in Step 7. Consently's tools are compliance assistance, not legal advice. No software product alone makes a website CCPA compliant.

FAQs

How do I comply with the CCPA?

Confirm the law applies to your business under the three thresholds. Then publish a compliant privacy policy and notice at collection. Add a "Do Not Sell or Share" opt-out that honors GPC signals. Build a 45-day request process, sign vendor contracts, and apply reasonable security. Treat it as an eight-step ordered project, not a single task.

Do I have to comply with the CCPA if I don't sell data?

Yes, if you meet any one of the three applicability thresholds. The CCPA's definition of sale and sharing is broad enough to include routine analytics and advertising tags. Even a business that never sells data in the conventional sense still owes the privacy policy, notice, and consumer-rights obligations once a threshold applies.

How long does CCPA compliance take?

A small business with existing analytics and ad tags can typically stand up the core website pieces within a few focused days. That covers the privacy policy, notice at collection, and opt-out link. Building a fully mature program, including a working request process and signed vendor contracts, more commonly takes several weeks.

How much does CCPA compliance cost?

Estimates vary widely by business size. Reported ranges run from roughly $5,000 to $75,000 for smaller businesses, and $100,000 or more for large enterprises running full data audits and request programs. Treat any specific figure as a planning anchor, not a fixed quote for your situation.

Do I need a "Do Not Sell or Share My Personal Information" link?

Yes, if your business sells or shares personal information under the CCPA's broad definition. The link must appear clearly in your site's footer or header. The accepted alternate label "Your Privacy Choices" satisfies the same requirement. Clicking the link must actually stop the relevant tags from firing.

Does the CCPA require me to honor Global Privacy Control (GPC)?

Yes. California requires businesses that sell or share personal information to honor opt-out preference signals, including Global Privacy Control, as a valid opt-out request. This is separate from the "Do Not Sell or Share" link. Your systems must detect the browser-sent signal automatically and suppress the relevant tags without any click.

How long do I have to respond to a CCPA request?

You must acknowledge receipt within 10 business days and substantively respond within 45 calendar days. One additional 45-day extension is available if needed, for 90 days total, provided you notify the consumer of the delay within the original window.

Does the CCPA apply to businesses outside California?

Yes, if you meet one of the three applicability thresholds and handle the personal information of California residents. Your business's physical location does not matter. A growing list of other US state privacy laws impose similar obligations, so a multistate business increasingly needs a broader compliance view.

What happens if I don't comply with the CCPA?

The California Privacy Protection Agency and the Attorney General can bring enforcement actions. Civil penalties run up to $2,663 per unintentional violation and up to $7,988 per intentional violation, figures adjusted for inflation effective January 1, 2025. Separately, a data breach involving unencrypted personal information can trigger a private right of action. Statutory damages run $100 to $750 per consumer per incident. See CCPA fines and penalties for the full enforcement picture. If you also serve visitors in the EU, see how the CCPA compares to the GDPR.

You have the full map now: eight steps, the website layer, and the internal and vendor work only you can do. Consently sets up the website pieces in one place. The banner, opt-out control, and required policies get done before you turn to the parts it does not touch. It is compliance assistance, not legal advice. Start a free 14-day trial with Consently to build the website side of this guide, no credit card required.

AUTHOR

Riad Us Salehin is the content lead at Dorik. He is a passionate content creator who lets the work speak for itself. Focused on taking brands and causes to the next level.

Read More

Subscribe to Consently
Newsletter

Subscribe to our newsletter to stay updated with latest articles from our blog.

Built with ❤️ by the team @ Dorik.com 

GET IN TOUCH

Any questions? Feel free to chat with us or reach out to us at

For any queries:
support@consently.net

Follow us:


©2026 Dorik, Inc. All rights reserved.