CPRA Readiness Checklist: What to Implement First

By CMTG | January 5, 2026 | 6 min read | Compliance

CPRA compliance isn't a policy—it's a process. Here's the exact order we recommend: inventory, DSAR workflow, vendor controls, retention, and evidence logging.

Do You Fall Under CPRA?

The California Privacy Rights Act (CPRA) applies to businesses that handle California residents’ personal information and meet certain thresholds. Before diving into compliance, run a quick scope test:

  • Annual gross revenue over $25 million
  • Buy, sell, or share personal information of 100,000+ consumers or households
  • Derive 50%+ of annual revenue from selling or sharing personal information

If you check any of these boxes—or you’re preparing for growth that will trigger them—you need a CPRA compliance plan.

Step 1: Build Your Data Inventory

The fastest win in CPRA compliance is building a single list of every system that stores personal data, along with the owner of each system. This becomes the foundation for everything else.

Your data inventory should answer:

  • What personal data do we collect? (names, emails, payment info, browsing behavior)
  • Where does it live? (CRM, website analytics, support tools, marketing platforms)
  • Who owns each system?
  • How long do we keep it?
  • Who has access?

“Start with your top 3 systems—CRM, website, and support tool. That covers 80% of consumer data for most businesses.”

Step 2: Establish Your DSAR Workflow

Data Subject Access Requests (DSARs) aren’t “if”—they’re “when.” California consumers have the right to request access to, deletion of, or correction of their personal data. You need a documented workflow before the first request arrives.

Your DSAR workflow must cover:

  • Intake: Web form and email channel for receiving requests
  • Verification: Steps to confirm the requester’s identity
  • Fulfillment: Standard response templates for access, delete, correct, and opt-out requests
  • Logging: Tracking request type, due date, systems touched, outcome, and evidence

CPRA gives you 45 days to respond (with one 45-day extension if needed). Without a workflow, you’ll scramble every time.

Step 3: Vendor Controls and Contracts

Vendor risk is where compliance plans often fall apart. Every third party that touches consumer data needs appropriate contractual controls.

For each vendor, document:

  • What data they access or process
  • Whether they’re a “service provider” or “contractor” under CPRA
  • Breach notification requirements
  • Subprocessor policies
  • Data retention and deletion commitments

Update contracts to include CPRA-required provisions. Prioritize vendors that handle sensitive personal information first.

Step 4: Retention and Deletion Policies

CPRA requires you to disclose how long you retain personal information—and actually honor those timeframes. This means:

  • Defining retention periods for each data category
  • Implementing automated deletion where possible
  • Documenting exceptions (legal holds, ongoing disputes)
  • Training staff on retention requirements

Step 5: Evidence and Audit Trail

Compliance without documentation isn’t compliance—it’s hope. Maintain evidence of:

  • DSAR request logs and response records
  • Data inventory updates
  • Vendor assessments and contract amendments
  • Employee training completion
  • Policy version history

Key Takeaways

  • Start with a data inventory—it’s the foundation of everything else
  • Build your DSAR workflow before requests arrive
  • Vendor contracts must include CPRA-required provisions
  • Define and enforce retention periods
  • Document everything for audit readiness

Conclusion

CPRA compliance is achievable when you tackle it in the right order. Start with your data inventory, establish DSAR workflows, lock down vendor controls, implement retention policies, and maintain your audit trail. Each step builds on the previous one.

About the Author

Cloud Magic Technology Group is a leading IT services provider in the San Francisco Bay Area, helping companies modernize their technology infrastructure.