All 20 checks with why-it-matters prose, severity, and cross-references to related audits.
CCPA § 1798.100 and § 1798.110 grant California consumers the right to know exactly what personal information a business holds about them, where it came from, why it is processed, and who receives it. Without an accessible disclosure mechanism — a web form, email address, or toll-free number — you are in statutory violation the moment a California resident asks. The California Privacy Protection Agency (CPPA) can impose fines of up to $7,500 per intentional violation, and class-action exposure under § 1798.150 covers statutory damages of $100–$750 per consumer per incident. Beyond the monetary risk, the absence of a rights mechanism signals to regulators that the rest of your privacy program is equally unprepared.
Why this severity: Critical because absence of any disclosure mechanism is a statutory violation under CCPA § 1798.100 the moment a California consumer makes a request, with direct civil penalty exposure.
Check ID: ccpa-readiness.consumer-rights.right-to-know

CCPA § 1798.105 gives every California consumer — not just account holders — the right to have their personal information deleted. Deletion must be real: soft deletes that flip a `deleted_at` flag while leaving the record intact violate the statute. Worse, requiring an account to submit a deletion request is explicitly prohibited; that barrier alone is a CCPA violation independent of whether deletion actually works. Data retained past its legal basis is also a data-breach liability — hard-deleted records cannot be exfiltrated. Regulators treat deletion request failures as evidence of a systemic compliance gap, escalating enforcement from warnings to fines.
Why this severity: Critical because blocking or ignoring deletion requests is a direct CCPA § 1798.105 violation, and soft-delete implementations create ongoing data-breach exposure for data that should no longer exist.
Check ID: ccpa-readiness.consumer-rights.right-to-delete

CCPA § 1798.120 and § 1798.135 require businesses that sell or share personal information to provide a conspicuous opt-out mechanism. Under CPRA, "sharing" now includes disclosing identifiers to advertising platforms for cross-context behavioral advertising — which means Facebook Pixel, Google Ads remarketing, and TikTok Pixel qualify even when no money changes hands. A footer link that only describes the right without providing an actual opt-out button is non-compliant. An opt-out preference that resets on next visit is non-compliant. Both violations expose the business to the same enforcement actions as having no opt-out at all, and class-action plaintiffs specifically look for this pattern.
Why this severity: High because sharing PI with advertising platforms without an operative opt-out mechanism violates CCPA § 1798.120 and subjects the business to CPPA enforcement and consumer statutory damages.
Check ID: ccpa-readiness.consumer-rights.right-to-opt-out

CPRA (effective January 2023) added the right to correction alongside the original CCPA rights, codified at § 1798.106. A profile page where all fields are read-only — a common AI-built default — violates this right for authenticated users. For non-account-holders who have had their PI collected via a lead form or checkout, the violation is even starker: they have no path at all to correct inaccurate data. Inaccurate PI also degrades your own product — wrong email addresses bounce, wrong billing names cause payment disputes, and wrong phone numbers generate SMS failures. Correction serves both compliance and data quality.
Why this severity: Medium because the CPRA correction right (§ 1798.106) is a statutory requirement, but violations typically surface only when a consumer makes a specific correction request rather than triggering immediate enforcement.
Check ID: ccpa-readiness.consumer-rights.right-to-correct

CCPA § 1798.125 prohibits penalizing consumers for exercising their privacy rights — denying them features, charging higher prices, or degrading service quality because they opted out of data sharing. Feature flags keyed on a `ccpa_opt_out` field are the most common code-level violation: they were probably added to "personalize" something, but any degradation in service for opted-out users is discriminatory under the statute. Financial incentive programs — loyalty points or discounts in exchange for data — are permitted under § 1798.125(b) but require explicit disclosure of the data's estimated monetary value and a separate affirmative opt-in, which virtually no AI-built implementation includes.
Why this severity: Low because discrimination violations require proof of differential treatment tied to rights exercise, which demands a formal investigation — but code-level feature flags keyed on opt-out status are easily spotted and constitute a per-consumer violation.
Check ID: ccpa-readiness.consumer-rights.non-discrimination

CCPA § 1798.130(a)(5) requires the privacy policy to disclose, for the 12-month period before the policy's effective date, the specific CCPA-defined categories of PI collected (identifiers, internet activity, geolocation, commercial information, inferences, sensitive PI, and others enumerated in Civil Code § 1798.140), the business purpose for each, the categories of third parties who receive the PI, and which categories are sold or shared for cross-context behavioral advertising. A vague policy that says "we may share data with partners" satisfies none of these requirements. If your policy is stale — no update in 12 months — it is non-compliant regardless of content. Regulators read privacy policies before filing enforcement actions; a CCPA-deficient policy is often exhibit A.
Why this severity: Critical because a non-compliant or absent privacy policy violates CCPA § 1798.130(a)(5) on its face — it is the foundational document the law requires, and its absence or vagueness leaves every consumer request without a lawful basis for denial or fulfillment.
Check ID: ccpa-readiness.privacy-disclosures.privacy-policy-categories

CCPA § 1798.135(a)(1) mandates that businesses that sell or share PI place a "Do Not Sell or Share My Personal Information" link — the statute specifies this exact text — conspicuously in the website footer, accessible on every page. A link only on the marketing homepage that disappears once users enter the authenticated app is non-compliant. Missing the exact statutory text (using "Privacy Choices" alone, for example) is also non-compliant. The footer link is often the first thing a CPPA investigator checks; its absence is a clear-cut violation requiring no further investigation to establish.
Why this severity: High because the footer link is an explicit statutory requirement under CCPA § 1798.135(a)(1) — its absence is a standalone violation regardless of whether an opt-out mechanism exists elsewhere.
Check ID: ccpa-readiness.privacy-disclosures.do-not-sell-link

CCPA § 1798.100(b) requires notice at or before the point of collection — not buried in a privacy policy that users are expected to locate and read on their own. A signup form that collects email and name without any adjacent disclosure violates this requirement, even if a comprehensive privacy policy exists at `/privacy`. CPRA's addition of § 1798.121 extends this to sensitive PI: precise geolocation, financial account details, and health data each require a distinct notice at the collection point. Forms with no inline notice cannot satisfy this requirement retroactively by updating the privacy policy after the fact.
Why this severity: High because collection without notice at the collection point violates CCPA § 1798.100(b) on every form submission — each affected consumer potentially represents a separate violation.
Check ID: ccpa-readiness.privacy-disclosures.notice-at-collection

CCPA § 1798.125(b) permits financial incentive programs — discounts, loyalty points, free-tier upgrades in exchange for allowing data use — but imposes strict conditions: material terms disclosed before enrollment, a good-faith estimate of the monetary value of the consumer's data, explicit opt-in (not auto-enrollment), and the ability to withdraw at any time. A referral program that offers credits for sharing contact data with no policy disclosure, or a loyalty program that enrolls all registered users by default, violates all of these conditions simultaneously. The "value of personal information" disclosure is the most commonly missed requirement and the one regulators have specifically called out in guidance.
Why this severity: Medium because financial incentive violations require a specific program to exist, but when they do, both the missing disclosure and the opt-out default structure are concurrent statutory violations under § 1798.125(b).
Check ID: ccpa-readiness.privacy-disclosures.financial-incentive-disclosure

CPRA added § 1798.121 establishing a new category of sensitive personal information (SPI) — Social Security numbers, precise geolocation, financial account credentials, biometric identifiers, health data, racial and ethnic origin, and a few others defined in Civil Code § 1798.140(ae) — with heightened protections. Collecting SPI without a separate privacy policy disclosure is a violation. Using SPI for profiling or cross-context behavioral advertising without offering a "Limit the Use of My Sensitive Personal Information" mechanism is a separate violation. Precise geolocation (within 1,850 feet via `navigator.geolocation`) is the most common SPI collected by AI-built apps that don't realize it qualifies.
Why this severity: Low because SPI violations require both collection and either missing disclosure or impermissible use — the combination is detectable but depends on the application's specific data flows.
Check ID: ccpa-readiness.privacy-disclosures.sensitive-pi-notice

The California Attorney General's 2022 enforcement guidance confirmed that businesses must treat the Global Privacy Control (GPC) signal as a valid opt-out of sale and sharing under CCPA § 1798.120. GPC is a browser-level HTTP header (`Sec-GPC: 1`) and JavaScript property (`navigator.globalPrivacyControl`) sent automatically by Brave, Firefox with privacy settings, and the Privacy Badger extension. If your middleware doesn't read this header before any third-party pixels initialize, you are sharing PI with advertising platforms before the consumer's opt-out signal is honored — a per-page-load violation. Unlike a manual opt-out form, GPC arrives on every qualifying request without any user action on your site.
Why this severity: High because GPC is a legally mandated opt-out signal under CCPA § 1798.120 — failing to honor it has the same legal weight as ignoring a manually submitted opt-out form, and it affects all GPC-enabled browsers automatically.
Check ID: ccpa-readiness.opt-out.global-privacy-control

CCPA § 1798.120(c) and § 1798.135(b) require opt-out requests to be processed within 15 business days of receipt. For real-time client-side opt-outs — a cookie is set and pixels stop firing immediately — this deadline is automatically satisfied. The gap is backend-processing opt-outs: requests that require staff to remove the consumer from a CRM, advertising platform audience, or data broker list. Without a tracking system and documented SLA, there is no way to prove compliance, and regulators treat the absence of tracking as evidence of non-compliance. An opt-out form that routes to an unmonitored inbox with no SLA is a CCPA violation waiting for an enforcement trigger.
Why this severity: Medium because the 15-business-day processing requirement under CCPA § 1798.120(c) is specific and auditable — a manual fulfillment queue with no SLA tracking is a documented non-compliance gap.
Check ID: ccpa-readiness.opt-out.opt-out-processing-time

Recording an opt-out preference without actually stopping data sharing is a CCPA § 1798.120 violation more egregious than having no opt-out at all — it deceives the consumer into believing their request was honored. The most common pattern: the opt-out cookie is set correctly and suppresses one pixel (e.g., Facebook), while server-side Segment `track()` calls or a Google Analytics `identify()` call still fire unconditionally because they were wired into API route handlers that never check the opt-out flag. Each page load where a third-party sharing call fires for an opted-out consumer is a separate violation. This check requires tracing the enforcement gap, not just the preference storage.
Why this severity: Medium because the gap between stored opt-out preference and actual enforcement of that preference across all sharing touchpoints is a concrete CCPA § 1798.120 violation per sharing event, even when the opt-out UI exists.
Check ID: ccpa-readiness.opt-out.third-party-sharing-gated

CCPA § 1798.120(a) grants every consumer — not just authenticated users — the right to opt out of the sale or sharing of their personal information. § 1798.135(a)(2) explicitly prohibits businesses from requiring consumers to create an account or log in to exercise this right. An opt-out page that returns a 404, requires authentication, stores the preference in `sessionStorage` only, or resets on next visit fails on multiple statutory requirements simultaneously. These failures also cannot be fixed client-side at runtime — they require a working deployment, an accessible route, and persistent server-side storage as the fallback when cookies are cleared.
Why this severity: Low because functional failures of an existing opt-out mechanism are harder to detect than its total absence, but requiring authentication to opt out is an explicit statutory prohibition under CCPA § 1798.135(a)(2).
Check ID: ccpa-readiness.opt-out.opt-out-mechanism-functional

CPRA regulations (11 CCR § 7026) require businesses that honor opt-out preference signals to disclose which signals they recognize in their privacy policy. If your `middleware.ts` silently honors the GPC `Sec-GPC: 1` header but the privacy policy makes no mention of it, the disclosure requirement is violated even though the technical implementation is correct. California consumers have a right to know which browser-based signals they can use — they cannot benefit from GPC protection they don't know your site respects. This is a documentation gap, not a technical one, but it is independently enforceable.
Why this severity: Info because the violation is a disclosure omission in the privacy policy rather than a functional failure — consumers' opt-out preference may still be honored in code even when this check fails.
Check ID: ccpa-readiness.opt-out.universal-opt-out-documentation

CPRA amended CCPA to require, at § 1798.100(a)(3), that businesses disclose retention periods for each category of personal information — or the criteria used to determine them. A privacy policy that says "we retain your information for as long as necessary" satisfies neither the letter nor the spirit of this requirement. Beyond compliance, undisclosed retention creates a data-breach surface: data that should have been deleted years ago is still in the database when a breach occurs. Disclosed retention periods only close the compliance gap if automated enforcement — cron jobs, database lifecycle rules — actually delete or anonymize the data when periods expire. Policy and code must match.
Why this severity: Low because retention disclosure violations are unlikely to trigger priority enforcement on their own, but unmatched retention periods between policy and code are a data-minimization failure that amplifies breach impact.
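To show how the disclosed retention table and the job that enforces it can be kept in lockstep, here is an added TypeScript example (not code from the audit page). The category names, the day counts and the rule that expired commercial records are anonymized rather than deleted are constructed assumptions for illustration.

```typescript
// Added example, not code from the audit page: the retention table the privacy
// policy discloses drives the sweep that enforces it, and a drift check flags
// stored categories with no disclosed period. Category names and day counts
// are constructed for illustration.

type PiCategory = "identifiers" | "commercial" | "internet_activity" | "geolocation";

// Days per CCPA category, exactly as disclosed in the privacy policy (constructed).
const DISCLOSED_RETENTION_DAYS: Record<PiCategory, number> = {
  identifiers: 3 * 365,
  commercial: 7 * 365, // invoices: a separate legal duty keeps them, so they are anonymized, not deleted
  internet_activity: 90,
  geolocation: 30,
};

interface StoredRecord { id: string; category: PiCategory; collectedAt: string; anonymized?: boolean }
interface SweepAction { id: string; action: "keep" | "delete" | "anonymize" }

const MS_PER_DAY = 86_400_000;

// Decide, per record, what the scheduled job should do at `now`. Records at or
// under their disclosed period are kept; expired commercial records are
// anonymized once; every other expired record is hard-deleted.
function retentionSweep(records: StoredRecord[], now: Date,
                        policy: Record<PiCategory, number> = DISCLOSED_RETENTION_DAYS): SweepAction[] {
  return records.map((r): SweepAction => {
    const ageDays = (now.getTime() - Date.parse(r.collectedAt)) / MS_PER_DAY;
    if (ageDays <= policy[r.category]) return { id: r.id, action: "keep" };
    if (r.category === "commercial") return { id: r.id, action: r.anonymized ? "keep" : "anonymize" };
    return { id: r.id, action: "delete" };
  });
}

// Policy/code drift check: categories the schema stores that the disclosed
// policy gives no retention period for. Run it in CI next to the sweep.
function undisclosedCategories(storedCategories: string[], policy: Record<string, number>): string[] {
  return Array.from(new Set(storedCategories)).filter((c) => !(c in policy));
}
```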
Check ID: ccpa-readiness.data-handling.retention-limits

CCPA § 1798.100(d) and § 1798.140(ag) establish that disclosing PI to a "service provider" does not constitute a "sale" — but only when a written contract prohibits the service provider from using the PI for any purpose beyond performing the contracted service. Without that contract, your payment processor, email provider, and error tracker are legally "third parties" receiving PI for commercial purposes, which converts every API call into a data sale. Stripe, SendGrid, Resend, Sentry, and Vercel all offer Data Processing Addendums that satisfy this requirement — but you must accept them explicitly, not assume they apply by default.
Why this severity: Low because service provider contract failures recharacterize routine PI transfers as sales only when combined with other CCPA triggers, but they eliminate the service-provider safe harbor for all downstream PI flows.
Check ID: ccpa-readiness.data-handling.service-provider-contracts

CCPA § 1798.120(c) and (d) impose heightened protections for minors: consumers aged 13–15 must affirmatively opt in before their PI is sold or shared (reversing the adult default of opt-out); those under 13 require parental opt-in. An application with social features, gaming mechanics, or educational content that applies the adult opt-out default to all users — because it has no age gate — is violating these provisions for every minor user. Unlike adult violations where the consumer must take action to trigger an investigation, minor PI violations can be initiated by the California AG or CPPA without a consumer complaint.
Why this severity: Info because minor-consent violations require the application to actually have minor users and be selling/sharing their PI — but when both conditions are met, the violation carries elevated regulatory attention.
Check ID: ccpa-readiness.data-handling.minor-consent

CCPA § 1798.130(a)(6) requires that all individuals responsible for handling consumer privacy inquiries are informed of CCPA requirements and trained on how to direct consumers to exercise their rights. Without a designated privacy contact and a documented fulfillment process, consumer requests that arrive via the privacy form have no guaranteed path to a response — the 45-day statutory deadline starts running the moment a request is received, regardless of whether anyone is monitoring the inbox. In a two-person startup, "training" can be a one-page runbook; regulators accept that. What they do not accept is an unmonitored inbox or no documented process at all.
Why this severity: Info because the training requirement is process-focused and difficult to enforce without an investigation, but an unmonitored request inbox combined with a missed 45-day deadline is a clear CCPA § 1798.130 violation.
Check ID: ccpa-readiness.data-handling.employee-training

CCPA § 1798.100(b) and § 1798.110(c) require disclosures of PI categories, sources, purposes, and recipients — disclosures that are nearly impossible to make accurately without a data inventory. A privacy policy authored from memory invariably omits PI flows added in later sprints: a Stripe webhook that starts writing billing addresses to a CRM, a new analytics provider, a third-party enrichment API. The inventory is not itself a statutory requirement, but its absence makes every required disclosure unreliable. GDPR Art. 30 and ISO 27001:2022 A.5.9 treat the inventory as a foundational compliance artifact; CCPA regulators apply the same expectation during investigations.
Why this severity: Info because a missing data inventory does not independently constitute a CCPA violation, but it makes every CCPA disclosure requirement harder to fulfill accurately and is often the root cause of policy gaps.
Check ID: ccpa-readiness.data-handling.data-inventory

Run this audit in your AI coding tool (Claude Code, Cursor, Bolt, etc.) and submit results here for scoring and benchmarks.