The California Consumer Privacy Act (CCPA), as significantly expanded by the California Privacy Rights Act (CPRA) in 2023, remains the most consequential US privacy law for marketers working with consumer data. In 2026, enforcement has matured, penalties are real, and regulators are increasingly focused on the advertising and data ecosystem, not just first-party data practices.

This checklist is written for marketing practitioners, not lawyers. It covers the requirements that most directly affect how you collect, use, share, and retain consumer data in the context of advertising and identity-based marketing. Consult your legal counsel for advice specific to your situation.

Checklist Item 1: Opt-Out Rights and the "Do Not Sell or Share" Obligation

CCPA/CPRA gives California residents the right to opt out of the sale or sharing of their personal information. The "sharing" addition from CPRA is especially significant for marketers: it covers the disclosure of personal information for cross-context behavioral advertising purposes, even when no money changes hands. If you're passing customer data to a DSP, an ad network, or a data clean room for targeting purposes, that's likely "sharing" under the law.

Checklist:
☐ Your website has a clearly labeled "Do Not Sell or Share My Personal Information" link in the footer
☐ The opt-out mechanism actually works: requests are logged, propagated to downstream partners within 15 business days, and confirmed
☐ You have a process to re-evaluate opt-out status if a consumer re-engages or you acquire their data from a new source
☐ Opt-outs are honored for at least 12 months before you can ask the consumer to reconsider
☐ You accept opt-out requests via the Global Privacy Control (GPC) browser signal, which CPRA explicitly endorses
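To show how the mechanics behind this checklist fit together, here is an added Python example (not code from the original article or from any vendor it names): it recognizes the GPC signal by its `Sec-GPC: 1` request header, logs an opt-out with its timestamp, and computes the 15-business-day propagation deadline and the 12-month reconsideration date. The source labels, partner names, sample headers and the weekday-only business-day calendar are assumptions.

```python
from dataclasses import dataclass, field
from datetime import date, datetime, timedelta

SAMPLE_HEADERS = {"Sec-GPC": "1", "User-Agent": "ExampleBrowser/1.0"}  # constructed sample

def gpc_opt_out_signaled(headers: dict) -> bool:
    """GPC is the request header 'Sec-GPC: 1'; any other value is not an opt-out."""
    return headers.get("Sec-GPC", "").strip() == "1"

def add_business_days(start: date, days: int) -> date:
    """Advance weekdays only (Mon-Fri); public holidays are not modelled (assumption)."""
    current, remaining = start, days
    while remaining > 0:
        current += timedelta(days=1)
        if current.weekday() < 5:
            remaining -= 1
    return current

def one_year_later(d: date) -> date:
    try:
        return d.replace(year=d.year + 1)
    except ValueError:  # 29 Feb has no counterpart in the following year
        return d.replace(year=d.year + 1, day=28)

@dataclass
class OptOutRecord:
    consumer_id: str
    source: str                  # "gpc_signal" or "dns_link" (hypothetical labels)
    received_at: datetime
    propagation_deadline: date = field(init=False)  # 15 business days, per the checklist
    earliest_reask: date = field(init=False)        # honored for at least 12 months
    propagated_to: list = field(default_factory=list)

    def __post_init__(self) -> None:
        self.propagation_deadline = add_business_days(self.received_at.date(), 15)
        self.earliest_reask = one_year_later(self.received_at.date())

def record_opt_out(consumer_id: str, headers: dict, received_at: datetime, clicked_link: bool = False):
    """Log an opt-out from the footer link or from the GPC signal; None if neither."""
    if clicked_link:
        return OptOutRecord(consumer_id, "dns_link", received_at)
    if gpc_opt_out_signaled(headers):
        return OptOutRecord(consumer_id, "gpc_signal", received_at)
    return None

def overdue_partners(rec: OptOutRecord, partners: list, today: date) -> list:
    """Partners still lacking the suppression once the propagation deadline has passed."""
    if today <= rec.propagation_deadline:
        return []
    return [p for p in partners if p not in rec.propagated_to]
```

A `Sec-GPC: 0` header or a missing header creates no record, so only a genuine signal is treated as an opt-out.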

Checklist Item 2: Permitted Use and Purpose Limitation

CPRA introduced the concept of purpose limitation: you can only use personal information for the purposes disclosed at the time of collection. You cannot collect data for one stated purpose and then use it for a materially different one without re-disclosure and, in some cases, re-consent.

For marketers, this means your data use cases need to match your privacy notice. If you collected email addresses for order confirmation and are now using them for third-party data enrichment, that may not be covered by your original disclosure.

Checklist:
☐ Your privacy notice accurately describes all the ways you use consumer data, including enrichment, onboarding to ad platforms, and sharing with identity partners
☐ You have reviewed your data flows and confirmed that actual use matches disclosed purpose
☐ New data use cases go through a privacy review before launch, not after
☐ You have a clear policy on whether and how you use sensitive personal information (defined broadly under CPRA to include precise geolocation, race, religion, health data, and others), and consumers can limit that use separately

Checklist Item 3: Consent Management for Sensitive Data

CPRA created a new "sensitive personal information" category that requires either an opt-in consent or the ability for consumers to limit its use. Marketers who rely on behavioral data, health signals, or precise location for targeting need to audit whether any of their audience inputs touch these categories.

Checklist:
☐ You have mapped which data inputs to your marketing programs might qualify as sensitive personal information
☐ For any sensitive data used in advertising, you have either explicit consent or a "Limit the Use of My Sensitive Personal Information" mechanism in place
☐ Your consent management platform (CMP) is capturing and storing consent records with timestamps and version identifiers
☐ Consent records are linked to specific individuals in a way that can be queried during a consumer rights request
☐ Your identity and data partners, including any third-party enrichment or identity resolution vendors, have confirmed they do not process sensitive data on your behalf without appropriate legal basis

Checklist Item 4: Data Retention Policies

CPRA added an explicit data minimization and retention limitation requirement. You cannot keep personal information longer than is necessary for the disclosed purpose. This is operationally significant for marketing teams that accumulate large historical files of prospect and customer data.

Checklist:
☐ You have defined retention periods for each category of personal information you collect, by data source and use case
☐ Those retention periods are documented and accessible to your legal and compliance team
☐ You have automated or semi-automated processes to delete or deidentify records that have exceeded their retention period
☐ Your CRM, data warehouse, and any third-party data stores are included in retention governance, not just your primary marketing database
☐ You have a documented policy on how long you retain opt-out and consent records (which should be kept longer than the data they govern, to demonstrate compliance)
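An added Python sketch of a retention sweep (not the article's or BIGDBM's code) that evaluates records against per-category retention periods, flags categories with no defined period, and holds consent records past the data they govern, as the last item requires. The policy periods, category names, grace period and sample records are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Hypothetical policy: category -> (retention days, action on expiry). The periods are
# constructed for illustration; derive real ones from each disclosed purpose.
RETENTION_POLICY = {
    "prospect_email": (365, "delete"),
    "web_behavior": (400, "deidentify"),
    "customer_order": (7 * 365, "delete"),
}
CONSENT_GRACE_DAYS = 730  # hold consent/opt-out records this long past the governed data (assumption)

@dataclass
class Record:
    record_id: str
    category: str        # a RETENTION_POLICY key, or "consent_record"
    consumer_id: str
    created_on: date

# Constructed sample inventory, not real data.
SAMPLE_RECORDS = [
    Record("r1", "prospect_email", "c1", date(2024, 1, 10)),
    Record("r2", "web_behavior", "c1", date(2025, 6, 1)),
    Record("r3", "customer_order", "c2", date(2020, 5, 5)),
    Record("r4", "loyalty_score", "c2", date(2023, 1, 1)),   # no retention period defined
    Record("k1", "consent_record", "c1", date(2024, 1, 10)),
    Record("k2", "consent_record", "c3", date(2023, 1, 1)),
]

def sweep(records: list, today: date) -> dict:
    """Map record_id -> action due today. Consent records are held until every governed
    record of that consumer has expired plus CONSENT_GRACE_DAYS, so compliance can be shown."""
    actions, last_expiry = {}, {}
    for r in records:
        if r.category == "consent_record":
            continue
        if r.category not in RETENTION_POLICY:
            actions[r.record_id] = "review: no retention period defined"
            continue
        days, action = RETENTION_POLICY[r.category]
        expiry = r.created_on + timedelta(days=days)
        last_expiry[r.consumer_id] = max(last_expiry.get(r.consumer_id, expiry), expiry)
        if today >= expiry:
            actions[r.record_id] = action
    for r in records:
        if r.category == "consent_record":
            hold_until = last_expiry.get(r.consumer_id, r.created_on) + timedelta(days=CONSENT_GRACE_DAYS)
            if today >= hold_until:
                actions[r.record_id] = "delete"
    return actions
```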

Checklist Item 5: Audit Trails and Rights Request Fulfillment

California residents have the right to know what data you hold about them, request deletion, and request correction. Fulfilling these requests requires you to know where consumer data lives across all your systems, which is harder than it sounds when identity data is spread across a CRM, a CDP, an ad platform, an identity graph, and multiple email service providers.

Checklist:
☐ You have a documented process for receiving and logging consumer rights requests (access, deletion, correction, portability)
☐ You can fulfill a deletion request across all systems that hold the consumer's data, including third-party identity and activation partners, within 45 days
☐ You have a data inventory (or data map) that identifies every system, vendor, and process that touches personal information
☐ You conduct annual reviews of that inventory to catch new data flows introduced by product changes or new vendor relationships
☐ Your identity resolution partner propagates deletion requests downstream, so that opt-outs are not siloed in a single system

This last point is where working with a privacy-first identity partner makes a material operational difference. BIGDBM's Privacy-Compliant Data Operations product is built with rights fulfillment as a core function: opt-out suppression lists are maintained at the graph level and propagate to every downstream activation, so a single deletion request doesn't require manual coordination across a dozen vendor relationships.

The Bigger Picture: Privacy as Infrastructure, Not a Checklist

Running through this checklist once is valuable. But sustainable CCPA compliance requires treating privacy as infrastructure, something that's baked into your data stack from the start, not bolted on when an enforcement action appears in the news.

The most common failure mode we see is organizations that have excellent front-end consent flows but fragmented back-end data management. The opt-out link works, but the suppression list doesn't propagate to the DSP. The deletion request is logged, but no one knows which data warehouse tables to purge. The privacy notice is accurate for the main use case but doesn't reflect the enrichment workflow added eight months ago.

Fixing those gaps systematically, through clean data lineage, automated suppression propagation, and a rigorous vendor review process, is what separates organizations that can demonstrate compliance from those that merely claim it. In 2026, the California Privacy Protection Agency (CPPA) has made clear that it intends to investigate the full supply chain, not just the brand at the top of it. Your vendors' compliance is, in meaningful ways, your compliance too.