Controls & Evidence
CCPA / CPRA readiness evaluates your controls across multiple domains. For each domain, reviewers look for evidence that controls are designed properly and operating effectively. Below are the core control domains with minimum requirements and example evidence artifacts.
What reviewers look for: Reviewers don't just check that policies exist. They verify that controls are operating as described, that evidence is produced on schedule, and that gaps are tracked and remediated. The evidence examples below show what "operating effectiveness" looks like in practice.
Comprehensive mapping of personal information categories, sources, purposes of collection, and downstream sharing with third parties.
Requirements
- Maintain a personal information category inventory aligned with Cal. Civ. Code §1798.140(v)
- Create and update data flow diagrams showing PI collection, use, storage, and disclosure
- Document the business or commercial purpose for each category of PI collected (§1798.100(a))
- Record all third-party sharing and service provider disclosures by PI category
Evidence Examples
| Artifact | Owner | Frequency |
| PI category inventory spreadsheet with source, purpose, and retention columns | Privacy lead | Quarterly |
| Data flow diagram covering all consumer-facing applications | Engineering lead | Annually and on system change |
| Third-party data sharing register with contractual basis | Legal | Quarterly |
| Purpose-of-use documentation linked to each PI category | Privacy lead | Annually |
At-or-before-collection notice and a comprehensive privacy policy meeting all statutory disclosure requirements.
Requirements
- Provide notice at or before the point of collection identifying PI categories and purposes (§1798.100(b))
- Publish a privacy policy containing all 12 required disclosures under §1798.130(a)(5)
- Include a conspicuous 'Do Not Sell or Share My Personal Information' link on the homepage
- Update the privacy policy at least annually and upon material practice changes
Evidence Examples
| Artifact | Owner | Frequency |
| Privacy policy with tracked revision history and legal sign-off | Legal | Annually |
| At-collection notice screenshots or HTML snapshots for each intake channel | Marketing or Product | Quarterly |
| Homepage screenshot showing 'Do Not Sell or Share' link placement | Engineering lead | Quarterly |
| Privacy policy change log with effective dates | Legal | Event-driven |
Verified consumer request intake, processing, and fulfillment for access (right to know) and deletion rights within statutory timelines.
Requirements
- Respond to verified consumer requests within 45 calendar days, with one 45-day extension if reasonably necessary (§1798.145(g))
- Implement identity verification procedures proportional to the sensitivity of the PI requested (§1798.185(a)(7))
- Apply two-step confirmation for deletion requests to prevent accidental data loss
- Provide a 12-month lookback of PI collected, disclosed, and sold when responding to right-to-know requests (§1798.130(a)(2))
Evidence Examples
| Artifact | Owner | Frequency |
| Consumer request intake log with receipt dates, verification status, and response dates | Privacy lead | Monthly |
| Identity verification procedure documentation with threshold criteria | Legal | Annually |
| Sample right-to-know response package showing 12-month lookback | Privacy lead | On request |
| Deletion confirmation records with two-step verification evidence | Engineering lead | On request |
Mechanisms for consumers to opt out of the sale and sharing of personal information, including recognition of opt-out preference signals.
Requirements
- Provide a clear and conspicuous 'Do Not Sell or Share My Personal Information' link (§1798.135(a))
- Recognize and honor Global Privacy Control (GPC) and other opt-out preference signals (§1798.135(e))
- Process opt-out requests without requiring account creation or unnecessary verification
- Maintain opt-out status for at least 12 months before requesting re-authorization (§1798.135(c))
Evidence Examples
| Artifact | Owner | Frequency |
| GPC signal detection and processing logs showing honored requests | Engineering lead | Monthly |
| Opt-out mechanism testing results across browsers and devices | QA or Engineering | Quarterly |
| Consent management platform configuration showing opt-out defaults | Marketing or Privacy lead | Quarterly |
Collect and retain only the personal information reasonably necessary and proportionate to the disclosed purpose.
Requirements
- Limit PI collection to what is reasonably necessary and proportionate to the disclosed purpose (§1798.100(c))
- Establish and enforce retention schedules for each PI category
- Implement documented disposal procedures for PI that has exceeded its retention period
- Conduct proportionality reviews when introducing new PI collection or expanding existing uses
Evidence Examples
| Artifact | Owner | Frequency |
| Retention schedule matrix mapping PI categories to retention periods and legal bases | Privacy lead | Annually |
| Data disposal execution log with dates, categories purged, and systems affected | Engineering lead | Quarterly |
| Proportionality review for new PI collection or purpose expansion | Privacy lead | Event-driven |
Additional protections for sensitive PI categories including SSN, financial accounts, biometrics, precise geolocation, and other enumerated data types.
Requirements
- Implement the consumer's right to limit use and disclosure of sensitive personal information (§1798.121)
- Provide separate notice identifying SPI categories collected and purposes of use
- Restrict SPI use to purposes reasonably necessary for the service or transaction requested
- Offer a clear 'Limit the Use of My Sensitive Personal Information' link (§1798.135(a))
Evidence Examples
| Artifact | Owner | Frequency |
| SPI inventory identifying all sensitive categories collected and their storage locations | Privacy lead | Quarterly |
| Homepage and intake-point screenshots showing 'Limit Use of SPI' link | Engineering lead | Quarterly |
| SPI access control matrix with role restrictions and encryption status | IT or Security lead | Annually |
| SPI limitation request log with processing dates and downstream propagation | Privacy lead | Monthly |
Contractual restrictions ensuring service providers, contractors, and third parties process personal information only as permitted under CCPA/CPRA.
Requirements
- Execute written contracts with service providers restricting PI use to the specified business purpose (§1798.140(ag))
- Conduct due diligence on service providers' privacy and security practices before engagement
- Include subcontractor flow-down provisions requiring equivalent PI protections
- Contractually require service providers to notify the business of any inability to meet CCPA/CPRA obligations
Evidence Examples
| Artifact | Owner | Frequency |
| Vendor register with contract status, PI categories shared, and last review date | Legal | Quarterly |
| Service provider agreement template with CCPA/CPRA-required clauses | Legal | Annually |
| Vendor due diligence questionnaire responses and risk assessments | Privacy lead or Procurement | At onboarding and annually |
| Subcontractor flow-down clause audit results | Legal | Annually |
Reasonable security procedures and practices to protect personal information from unauthorized access, destruction, use, modification, or disclosure.
Requirements
- Implement reasonable security procedures and practices appropriate to the nature of the PI (§1798.100(e))
- Maintain breach notification procedures compliant with Cal. Civ. Code §1798.82
- Apply encryption to PI categories covered under the breach notification statute
- Conduct periodic risk assessments addressing threats to PI confidentiality, integrity, and availability
Evidence Examples
| Artifact | Owner | Frequency |
| Annual risk assessment report covering PI systems and threat landscape | Security lead | Annually |
| Encryption-at-rest and in-transit configuration evidence for PI data stores | Engineering lead | Quarterly |
| Breach response plan with tabletop exercise results | Security lead | Annually |
| Vulnerability scan and penetration test reports for PI-processing systems | Security lead | Quarterly |
Additional consent and protection requirements for the personal information of consumers under 16 years of age.
Requirements
- Obtain affirmative opt-in consent before selling or sharing PI of consumers aged 13–15 (§1798.120(c))
- Obtain verifiable parental consent before selling or sharing PI of consumers under 13 (§1798.120(c))
- Implement age verification mechanisms where minors are likely users
- Wait at least 12 months before requesting opt-in again after a minor declines (§1798.135(c))
Evidence Examples
| Artifact | Owner | Frequency |
| Age gate implementation evidence with technical documentation | Engineering lead | Annually |
| Minor opt-in consent records with timestamps and verification method | Privacy lead | On request |
| Parental consent workflow documentation and sample consent artifacts | Legal | Annually |
CPRA extension of consumer privacy rights to employee, job applicant, and business-to-business personal information.
Requirements
- Provide workforce PI notice to employees, applicants, and independent contractors at or before collection
- Honor employee rights to know, delete, correct, and opt out for their PI
- Establish HR data retention schedules aligned with employment law and CPRA requirements
- Extend service provider and vendor agreement requirements to HR technology vendors
Evidence Examples
| Artifact | Owner | Frequency |
| Employee privacy notice distributed at hire and updated annually | HR | Annually |
| HR data retention schedule with legal-hold exceptions documented | HR and Legal | Annually |
| Employee PI request log with response timelines | HR | Quarterly |
| HR vendor register with CCPA/CPRA contract clause verification | HR and Legal | Annually |
Evidence Naming Conventions
Organized, traceable evidence is critical for a smooth review. Adopting a consistent convention makes evidence retrieval faster and reduces friction.
Recommended format:
ControlID_System_ArtifactType_YYYY-MM-DD_Period_Owner_v# Key principles for evidence management:
- Centralized repository with access control and version history
- Consistent naming across all control domains and artifact types
- Defined cadence for each evidence type: event-driven, monthly, quarterly, or annual
- Immutable exports where possible to demonstrate evidence integrity
AI and data companies: Standard controls are the baseline. See the AI-specific advisory modules for additional controls addressing data governance, prompt logging, RAG security, and model vendor risk.