CCPA Audit Checklist in 2026: What to Test Before Regulators Do
A real ccpa audit checklist is no longer just a privacy-policy review. In 2026, California enforcement is making teams prove that notices match tag behavior, opt-out choices work across devices, and data collection stays inside the lines.
That shift is easy to see in the state’s recent actions. The California Privacy Protection Agency says the CCPA regulations now in force took effect on January 1, 2026, and the Attorney General keeps pressing on broken opt-out flows and over-collection. If you need the scope question first, our guides to CCPA who does it apply to, California web privacy law, and California privacy law delete data cover the foundation.

The short version of a ccpa audit checklist
Start by testing seven things:
- whether the business is actually in scope;
- whether notices and the privacy policy say what the site really does;
- whether opt-out requests and Global Privacy Control change downstream behavior;
- whether request workflows meet the CCPA’s timing and recordkeeping demands;
- whether the interface uses balanced choices instead of dark patterns;
- whether collection, use, and retention are limited to what is reasonably necessary; and
- whether vendors, service providers, and any data broker activity are documented well enough to defend.
If you only do one pass this quarter, make it operational. A polished banner with weak routing behind it is exactly the kind of gap regulators have been targeting.
CCPA audit checklist: 7 tests worth running now
1) Confirm scope before you test controls
The CCPA applies to for-profit businesses that do business in California and meet at least one threshold. The current revenue threshold is $26.625 million, effective January 1, 2025. The law also reaches businesses that buy, sell, or share the personal information of 100,000 or more California residents or households, or get 50% or more of annual revenue from selling or sharing personal information.
This sounds basic, but it sets the rest of the audit. If the business is in scope, your audit should name the covered entity, the digital properties it controls, the request channels it offers, and the internal owner for each control.
2) Compare notices against what the site and app actually do
Your notice at collection and privacy policy should not read like old inventory. California requires businesses to explain categories of personal information, purposes, rights, and how consumers can exercise those rights. The privacy policy also needs to be updated at least once every 12 months.
I would test this the blunt way: open the site with developer tools, list the trackers, SDKs, and form fields, then compare that list to the disclosures. If the page shares identifiers with ad tech, but the policy still talks in vague generalities, the audit should mark that as a fix, not a drafting note.
3) Test opt-out flows and GPC all the way through
This is where a lot of audits fall apart. The Attorney General’s office says covered businesses must honor Global Privacy Control as a valid request to opt out of sale or sharing. Recent enforcement also shows that the request has to travel across the consumer relationship, not die on the device where it started.
When Attorney General Rob Bonta announced California’s February 11, 2026 Disney settlement, he put it plainly: “Consumers shouldn’t have to go to infinity and beyond to assert their privacy rights.”
For a practical California privacy audit, that means testing more than the link text. You need to verify that:
- the “Do Not Sell or Share My Personal Information” path is easy to find;
- GPC changes tag firing or downstream sharing where it should;
- account-linked users do not have to repeat the same opt-out device by device; and
- suppression persists in the systems that matter.
4) Audit request intake, deadlines, and evidence
The CPPA FAQ says businesses must confirm delete, correct, and know requests within 10 business days and respond within 45 calendar days, with one extra 45-day extension when allowed and disclosed.
That part of the audit should look at routing, not policy prose. Can the team see when a request arrived, who owns it, whether identity verification was required, what systems were searched, and when the response went out? If not, the risk is operational, not theoretical.
5) Look for dark patterns, not just missing links
The CPPA’s dark-patterns advisory is one of the clearest audit documents California has published. Michael Macko, the agency’s Deputy Director of Enforcement, said: “Dark patterns aren’t about intent, they’re about effect.”
That is a useful test standard. If “Accept All” is bright and immediate while opt-out takes three extra clicks, your interface may still fail even if every required word is technically present. A good audit should review button symmetry, wording clarity, and whether the privacy path asks consumers to do extra work for no good reason.

6) Check data minimization and retention against real use
This is the part many teams still treat as abstract. They should not. In May 2026, California announced a $12.75 million General Motors settlement and described it as the largest CCPA penalty in California history to date, as well as the first data minimization case. Attorney General Rob Bonta’s summary was sharper: companies “can’t just hold on to data and use it later for another purpose.”
Your audit should ask simple questions. Why is each category collected? Who uses it? How long is it kept? Is that retention period documented? Can the business defend why location, behavioral, or sensitive data is necessary for the stated purpose?
7) Review vendors, contracts, and any data broker exposure
A California privacy audit is not complete if it stops at the website layer. Review service providers, contractors, ad tech, and enrichment partners. Confirm that contracts match the role each vendor plays, that sharing paths are documented, and that request handling instructions are clear.
If the company qualifies as a data broker, the audit should also include registry obligations and the state’s newer delete workflow. California says consumers can sign up for DROP now, and starting August 1, 2026, data brokers must start deleting data based on those requests.
What a passing CCPA audit looks like
A strong California privacy audit ends with evidence, not comfort. You want screenshots of notices, logs showing GPC handling, request tickets with timestamps, current policy dates, vendor inventories, and a short gap list with owners and deadlines.
That is the standard California is pushing toward: fewer decorative controls, more proof that the control changed behavior. If your current audit still lives in a spreadsheet with no tag tests and no request evidence, start there.
Sources
- California Privacy Protection Agency FAQ
- California Privacy Protection Agency CCPA monetary thresholds page
- California Privacy Protection Agency laws and regulations page
- California Privacy Protection Agency dark patterns enforcement advisory
- California Attorney General Global Privacy Control guidance
- California Attorney General Disney settlement announcement
- California Attorney General General Motors settlement announcement
- California Privacy Protection Agency data brokers page