CPRA Compliance Resource

The Complete CPRA Requirements Checklist: 47 Controls Your Organization Needs in Place

Updated 2026-05-18
Key Takeaways: Priverion is a Swiss-hosted GRC platform that helps multi-entity organizations manage all 47 CPRA compliance controls — from ROPA and DPIA to vendor risk and DSR handling — in one place.

Most organizations think they are CPRA-compliant. Our checklist reveals the requirements that get missed, especially for multi-entity businesses managing privacy across subsidiaries and jurisdictions.

$2,663

per unintentional violation (2025 CPI-adjusted)

Source: CPPA, Dec 2024

$7,988

per intentional violation or violations involving minors

Source: CPPA CPI adjustment, effective Jan 1, 2025

$1.35M

largest CPPA fine to date (Tractor Supply, Sep 2025)

Source: CPPA enforcement decision, Sep 2025

Hundreds

of active CPPA investigations currently in progress

Source: CPPA Board meeting, Sep 2025

Trusted by 50+ privacy teams across 14 countries
Healthcare
Aviation
Energy
Legal
Technology
Zurzach logo
AXA logo
Open Medical logo
Glencore logo
Pilatus logo
Liferay logo
CareerFairy logo
Voicepoint logo
Kellerhals Carrard logo
Aclaris logo
Avantec logo
Diakonie Bethanien logo
Why This Matters Now

Why a CPRA Requirements Checklist Matters More Than You Think

The CPRA didn't just tweak the CCPA. It redefined California privacy enforcement, and organizations that assumed their old compliance posture carried over are now exposed.

Enforcement Is Proactive Now

The CPPA Is No Longer Waiting for Complaints

The California Privacy Protection Agency has shifted from reactive complaint handling to proactive audits and joint enforcement sweeps. In September 2025, California, Colorado, and Connecticut launched a joint investigation targeting businesses failing to honor Global Privacy Control signals.

The CPPA reported hundreds of active investigations at its September 2025 board meeting, many targeting businesses that don't yet know they're under scrutiny. New regulations covering cybersecurity audits, risk assessments, and automated decision-making took effect January 1, 2026.

$1.35M

Largest CPPA fine to date, against Tractor Supply Company (September 2025)

The Penalty Math

Per-Violation Fines Compound Fast

As of 2025, the CPPA adjusted civil penalties to $2,663 per unintentional violation and $7,988 per intentional violation or violation involving minors. These amounts are calculated per consumer, per incident, which means a single systematic gap across your California consumer base can escalate into seven or eight figures of theoretical exposure.

The CPRA also eliminated the mandatory 30-day cure period that previously existed under the CCPA. Whether a business gets time to fix a violation is now entirely at the enforcer's discretion.

$7,988

Maximum per intentional violation (CPI-adjusted as of January 2025, per CPPA announcement)

Multi-Entity Complexity

Subsidiaries Multiply Your Risk Surface

If your organization operates across subsidiaries, business units, or jurisdictions, each entity may have its own data processing activities, vendor relationships, and consumer touchpoints. The CCPA's definition of a business also reaches entities that control or are controlled by a covered business and share common branding with it, as well as qualifying joint ventures and partnerships, so a parent-level checklist applied once is not sufficient.

Enforcement is also coordinated across states. Multi-state joint investigations mean companies operating in multiple states can no longer assume enforcement stays siloed within individual jurisdictions. Each entity needs independent verification of compliance.

3 states

California, Colorado, and Connecticut launched joint enforcement sweeps in September 2025

Privacy teams are stretched thin. Most organizations don't have dedicated CPRA specialists. The DPO or privacy lead is juggling GDPR, a growing patchwork of US state laws, and sector-specific regulations all at once.

That's exactly why we built this checklist: to give privacy teams a single, structured document that maps every CPRA requirement to a concrete action.

Proven Customer Results

The numbers behind group-wide privacy compliance done right

200+

Hours saved on ISO 27001 preparation

Medtec used Priverion to cut through the documentation and evidence-gathering burden that typically takes organizations 6 to 12 months to complete manually.

Medtec, ISO 27001 preparation

60%

Reduction in compliance admin time

An aircraft manufacturer eliminated manual ROPA updates across multiple subsidiaries in its first 6 months, while enterprise privacy platforms like OneTrust can cost up to six figures annually for mid-market deployments.

Aircraft manufacturer, first 6 months with Priverion

100%

ROPA recertification rate, fully automated

AXA achieved complete automated recertification across all processing activities, replacing the manual spreadsheet workflows that GDPR Article 30 demands be accurate and current at all times.

AXA, automated ROPA recertification

Comparison

Why mid-market teams are switching from OneTrust

OneTrust is a powerful enterprise platform. But for mid-market organizations managing privacy across multiple entities, it often means paying for complexity you never use. Here is how Priverion compares where it matters most.

Priverion

Swiss data sovereignty, guaranteed

Swiss-built and Swiss-hosted. All data processing stays within Swiss infrastructure, protected from extraterritorial access laws like the US CLOUD Act and FISA Section 702. In a post-Schrems II world, this is not a marketing checkbox.

Operational in weeks, not months

Priverion is purpose-built for multi-entity privacy management. No weeks of workflow configuration, no dedicated implementation team required. An aircraft manufacturer was fully operational and saw a 60% reduction in compliance admin time within six months.

Aircraft manufacturer, first 6 months

Predictable, transparent pricing

Pricing based on number of companies and organizational size. No per-user fees, no per-module expansion traps. You know what you will pay this year and next year.

All-in-one for privacy programs

ROPA management, DPIA/TIA automation, vendor risk assessments, incident management, DSR handling, cross-entity data mapping, and board-ready dashboards. One platform, one price. No module upsells.

AI-assisted, human-controlled

AI helps draft DPIAs and score risks, but every output is reviewed before becoming a compliance record. No customer data is used for model training. AI assists, humans decide.

Typical enterprise platform

US-headquartered, US-jurisdictioned

Even when data is stored in EU data centers, US-headquartered providers remain subject to the CLOUD Act. As the general manager of Microsoft France testified before the French Senate in 2025, US providers cannot guarantee EU citizen data is safe from access by US authorities.

Source: French Senate testimony, 2025

Complex setup, steep learning curve

Reviewers consistently note weeks of configuration time and significant training requirements. One mid-market user on G2 reported the interface "can feel cluttered" and noted "the high price and the steep learning curve" as drawbacks. Implementation services can add $10,000 to $50,000 in first-year costs alone.

G2 and Capterra user reviews, 2025; Enzuzo pricing analysis, March 2026

Opaque, modular pricing that escalates

No public pricing. Each module billed on its own metric. Mid-market organizations (1,000 to 5,000 employees) can expect $40,000 to $120,000 per year, with pricing that "can balloon once you add the modules you actually need." OneTrust does not publish list prices; buyers should request a multi-year quote covering all modules and seats up front.

Vendr pricing data, February 2026; Enzuzo, March 2026

Feature overload across 5+ product lines

Enterprise platforms offer ESG, ethics hotlines, cookie consent, and 200+ integrations. If you need all of that, they are the right choice. But most mid-market privacy teams end up paying for capabilities they never touch.

AI capabilities with less transparency

Large platform vendors offer AI features, but it is often unclear where data is processed, whether it is used for training, and how much human oversight remains in the loop. For compliance records, that opacity creates risk.

The enforcement context: why this choice matters now

GDPR enforcement is accelerating. The stakes for getting multi-entity compliance wrong have never been higher, and EU member states are actively pushing for greater data sovereignty through the Berlin Declaration on European Digital Sovereignty signed in November 2025.

€7.1B

Cumulative GDPR fines since May 2018

DLA Piper GDPR Survey, January 2026

443/day

Breach notifications to EU authorities (22% YoY increase)

DLA Piper GDPR Survey, January 2026

97%

Of Europe's cloud infrastructure runs on non-European providers

TechClass, January 2026

We are honest about what we do not cover: ESG, ethics hotlines, and cookie consent are outside our scope. Our strength is group-wide privacy program management for organizations with multiple entities and jurisdictions.

If that is the problem you are solving, let's talk.

Book a 30-min walkthrough
Free Download

CPRA Requirements Checklist: 2026 Compliance in One Document

New CPPA regulations took effect January 1, 2026, introducing mandatory risk assessments, cybersecurity audit timelines, and ADMT obligations. This checklist covers what your compliance team needs to verify right now.

Inside the checklist, you will find:

  • Complete applicability criteria: revenue thresholds, consumer volume, and sensitive data processing triggers that determine whether CPRA applies to your organization
  • Data mapping, DSAR workflow, and vendor contract requirements, including the 5-day service provider notification clause and updated SPI limitation mechanisms
  • Phased cybersecurity audit deadlines by revenue tier (April 2028 for businesses over $100M, through April 2030 for smaller organizations) and risk assessment submission timelines
  • Penalty reference guide with current fine amounts (up to $7,988 per intentional violation) so you can communicate risk to leadership in financial terms

The CPPA finalized these regulations in September 2025 and has reported hundreds of active investigations, including the record $1.35 million settlement with Tractor Supply Company. Enforcement is not hypothetical.

Sources: CPPA enforcement records (September 2025), CPPA finalized regulations (January 2026).

Get the Checklist

Covers all 2026 CPRA obligations in a single, actionable PDF.

Free PDF. No demo required. We'll send it to your inbox.

Why this matters now

The CPRA removed the mandatory 30-day cure period. Whether a business gets a chance to remediate before fines are assessed is now at the enforcer's discretion, so there is no guaranteed warning before penalties begin. Organizations managing California consumer data across multiple entities need documented compliance, not a plan to start later.

FAQ

Frequently Asked Questions About CPRA Compliance

What is the difference between the CCPA and the CPRA?

The CPRA (California Privacy Rights Act) significantly amended and expanded the CCPA. Key changes include the creation of the California Privacy Protection Agency (CPPA) as a dedicated enforcement body, new categories of sensitive personal information with specific consumer rights, mandatory risk assessments for high-risk processing, rights to correct and limit use of sensitive data, and the elimination of the 30-day cure period for violations. The CPRA took effect on January 1, 2023, and applies to data collected on or after January 1, 2022.

Who does the CPRA apply to?

The CPRA applies to for-profit businesses that collect California consumers' personal information and meet at least one of three thresholds: annual gross revenue over $25 million in the preceding calendar year, buying, selling, or sharing the personal information of 100,000 or more consumers or households annually, or deriving 50% or more of annual revenue from selling or sharing personal information. Importantly, the CPRA also reaches entities that control or are controlled by a covered business and share common branding with it, including subsidiaries and qualifying joint ventures, which is why multi-entity organizations face particularly complex compliance requirements.

What are the penalties for CPRA non-compliance?

As of January 2025 (CPI-adjusted), penalties are $2,663 per unintentional violation and $7,988 per intentional violation or violations involving minors. These are calculated per consumer, per incident, with no total cap. The largest CPPA fine to date was $1.35 million against Tractor Supply Company in September 2025. The CPRA also preserves the private right of action for data breaches resulting from failure to implement reasonable security measures, where consumers can recover between $100 and $750 per consumer per incident, or actual damages, whichever is greater.

What new CPRA regulations took effect in 2026?

Regulations finalized by the CPPA in September 2025 took effect January 1, 2026. These cover three major areas: mandatory cybersecurity audits (phased by revenue tier, with businesses over $100M in revenue required to complete their first audit by April 2028, and smaller organizations by April 2030), risk assessments for processing activities that present significant risk to consumers' privacy, and automated decision-making technology (ADMT) obligations including consumer opt-out rights and pre-use notices for profiling and significant decisions.

How does Priverion help with CPRA compliance for multi-entity organizations?

Priverion provides group-wide privacy program management across all subsidiaries and entities from a single platform. For CPRA compliance specifically, this includes automated ROPA management and recertification across entities (an aircraft manufacturer reduced compliance admin time by 60% in its first 6 months), AI-assisted DPIA and risk assessment drafting to meet the new 2026 requirements, vendor risk assessments and third-party contract management, incident management and breach notification workflows, DSR handling across entities, and cross-entity data mapping for group-wide visibility. All data is processed within Swiss infrastructure with full data sovereignty guarantees.

Does the CPRA apply to companies outside California?

Yes. The CPRA applies to any for-profit business that meets the revenue or data processing thresholds and collects personal information from California consumers, regardless of where the business is headquartered. This includes European and international companies doing business with California residents. For multi-entity organizations, each subsidiary with California consumer touchpoints may need independent compliance verification. The September 2025 joint enforcement sweep between California, Colorado, and Connecticut further demonstrated that state privacy enforcement is increasingly coordinated across jurisdictions.

What does this checklist cover that generic CPRA guides do not?

Our checklist maps all 47 specific control requirements with actionable verification steps, including the 2026 regulations that most existing guides haven't incorporated. It covers phased cybersecurity audit deadlines by revenue tier, the new ADMT obligations, updated risk assessment requirements, and the specific service provider contract clauses (including the 5-day notification requirement) that multi-entity organizations need to verify across every vendor relationship in every subsidiary. Each control includes the relevant regulatory citation so your legal team can verify independently.

Your compliance posture can't wait

Stop managing privacy compliance across spreadsheets. Start sleeping through the night.

GDPR fines hit €1.2 billion in 2025 alone, with European authorities now processing over 400 breach notifications per day. For multi-entity organizations, the margin for error has never been thinner. In 30 minutes, we'll show you how Priverion replaces fragmented tools and manual processes with automated, group-wide privacy program management.

60%

less compliance admin time

Aircraft manufacturer, first 6 months

200+

hours saved on ISO 27001 prep

Medtec

100%

ROPA recertification rate

AXA, fully automated

Swiss-built. Swiss-hosted. AI-assisted with full human oversight. No customer data used for model training. Predictable pricing without per-user traps.

No commitment required. See real customer workflows in a live environment.

The Privacy Compliance Briefing

Monthly insights on GDPR enforcement, Swiss FADP updates, and automation strategies for DPOs and compliance teams.

No spam. Unsubscribe anytime.

About this page — references, definitions, and FAQs

Key Takeaways

The CPRA expanded California's privacy framework well beyond the original CCPA, creating 47 distinct compliance controls that organizations must address. Enforcement by the California Privacy Protection Agency (CPPA) has shifted to proactive audits, with penalties reaching $2,663 per unintentional violation and $7,988 per intentional violation as of the 2025 CPI adjustment. Multi-entity organizations face compounded risk because each subsidiary's processing activities are independently assessed. This checklist maps every CPRA requirement to a concrete, auditable control.

Definitions

What is the CPRA?

The California Privacy Rights Act (CPRA) is a ballot initiative approved by California voters in November 2020 that significantly amended and expanded the California Consumer Privacy Act (CCPA). It took effect on January 1, 2023, and applies to personal information collected on or after January 1, 2022. The CPRA introduced new consumer rights — including the right to correct inaccurate personal information and the right to limit the use of sensitive personal information — and established the California Privacy Protection Agency (CPPA) as the first dedicated state-level privacy enforcement body in the United States. Source: CPPA — Regulations

What is the CPPA?

The California Privacy Protection Agency (CPPA) is an independent state agency created by the CPRA to implement and enforce California's consumer privacy laws. It has full administrative authority to investigate violations, conduct audits, and impose civil penalties without requiring referral to the Attorney General. Source: CPPA — About Us

What is a ROPA?

A Record of Processing Activities (ROPA) is a comprehensive inventory documenting every personal data processing activity an organization performs. While GDPR Article 30 explicitly mandates ROPAs, maintaining one is considered a best practice under CPRA compliance because it enables organizations to respond to consumer requests, conduct risk assessments, and demonstrate accountability to regulators. Source: GDPR Article 30

What is a DPIA under CPRA?

A Data Protection Impact Assessment (DPIA) is GDPR terminology; the CPRA regulations call the equivalent document a risk assessment. It must be conducted before engaging in processing activities that present significant risk to consumers' privacy. The CPPA's regulations effective January 1, 2026, formalize cybersecurity audit and risk assessment requirements for businesses whose processing meets specified thresholds. Source: CPPA Regulations

What is Global Privacy Control (GPC)?

Global Privacy Control (GPC) is a technical specification that allows consumers to signal their opt-out preference through their web browser or a browser extension. A participating browser attaches the HTTP request header Sec-GPC: 1 to its requests and exposes the same setting to page scripts as navigator.globalPrivacyControl; the only valid header value is 1. Under CPRA regulations, businesses must treat a valid GPC signal as a legally binding opt-out of the sale or sharing of personal information, without requiring any further action from the consumer. The CPPA has conducted enforcement sweeps specifically targeting businesses that fail to honor GPC signals. Source: CPPA Announcements

What is Sensitive Personal Information under CPRA?

Sensitive Personal Information (SPI) is a category defined by the CPRA that includes government identifiers such as Social Security, driver's license, state ID, and passport numbers; account log-in or financial account credentials combined with the access code or password; precise geolocation; racial or ethnic origin, religious or philosophical beliefs, and union membership; the contents of mail, email, or text messages not addressed to the business; genetic data; biometric data processed to identify a consumer; health information; and data about sex life or sexual orientation. Consumers have the right to limit the use and disclosure of their SPI to what is necessary to perform the services or provide the goods they reasonably expect.

Frequently Asked Questions

Who must comply with the CPRA?

The CPRA applies to for-profit businesses that collect California consumers' personal information and meet at least one of three thresholds: (1) annual gross revenue exceeding $25 million, (2) buying, selling, or sharing the personal information of 100,000 or more consumers or households annually, or (3) deriving 50% or more of annual revenue from selling or sharing consumers' personal information. Entities that control or are controlled by a covered business and share common branding with it are also subject to the law. Source: CPPA

How are CPRA penalties calculated?

Civil penalties under the CPRA are assessed per consumer, per incident, with no aggregate cap. As of the January 2025 CPI adjustment, unintentional violations carry penalties of up to $2,663 each, while intentional violations or those involving minors carry penalties of up to $7,988 each. The CPRA eliminated the CCPA's mandatory 30-day cure period, meaning the CPPA has discretion over whether to allow remediation before imposing fines.

What is the difference between the CCPA and the CPRA?

The CPRA amended and expanded the CCPA in several key ways: it created the CPPA as a dedicated enforcement agency, introduced the right to correct personal information, established the category of sensitive personal information with a right to limit its use, removed the 30-day mandatory cure period, and imposed new requirements for cybersecurity audits and risk assessments. The CPRA also extended coverage to employee and B2B data, which had been temporarily exempted under the original CCPA.

Does the CPRA apply to employee data?

Yes. The CPRA removed the temporary exemptions for employee and job applicant data that existed under the original CCPA. As of January 1, 2023, businesses must extend all CPRA consumer rights — including access, deletion, correction, and opt-out — to their California-based employees and job applicants.

What are the new CPRA requirements effective January 2026?

Regulations that took effect January 1, 2026, formalize requirements for cybersecurity audits, risk assessments for processing that presents significant risk to consumer privacy, and rules governing automated decision-making technology (ADMT). These regulations require businesses to conduct and document regular assessments and provide consumers with information about and, in some cases, the ability to opt out of automated profiling. Source: CPPA Regulations

How does CPRA enforcement compare to GDPR enforcement?

While GDPR fines can reach up to 4% of global annual turnover or €20 million (whichever is greater), CPRA penalties are calculated per consumer per incident with no cap, which can result in comparable or even larger total exposure for businesses with large California consumer bases. According to the IAPP, the per-violation model means that systematic compliance gaps affecting millions of consumers can generate theoretical exposure in the hundreds of millions of dollars.

Do businesses need to honor Global Privacy Control signals?

Yes. The CPPA has explicitly stated that businesses must treat a valid Global Privacy Control (GPC) signal as a consumer's opt-out of the sale or sharing of their personal information, and the opt-out must take effect without the consumer having to take any further step. In September 2025, California, Colorado, and Connecticut launched joint enforcement sweeps specifically targeting businesses that failed to honor GPC signals. A business that continues to ignore the signal after being put on notice risks having the failure charged as an intentional violation, which carries the higher $7,988 penalty tier.
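The GPC definition above and this FAQ answer both say a business must honor the signal but not how the signal reaches the server. The following is an added example, not code from this page or from Priverion, showing the server-side check as the GPC specification defines it: a participating browser sends the request header Sec-GPC with the single valid value "1" (the Sec- prefix also makes it a forbidden header name, so page scripts cannot forge or strip it), and a business can announce that it honors GPC by serving /.well-known/gpc.json. The OptOutStore class, the may_sell_or_share function, and the consumer id argument are illustrative assumptions; a real deployment would persist the opt-out in its consumer record and apply it to every downstream sale or sharing path, not just the current request.

```python
"""Honoring a Global Privacy Control (GPC) signal on the server side.

Added example, not Priverion code. Per the GPC specification a
participating browser sends the request header ``Sec-GPC: 1`` and the
only valid field value is ``1``; any other value is treated as no
signal. The preference store and request shape are illustrative.
"""
import json
from dataclasses import dataclass, field
from typing import Dict, Mapping, Optional


def gpc_signal_present(headers: Mapping[str, str]) -> bool:
    """Return True only if the request carries a valid GPC opt-out signal.

    Header names are case-insensitive, so the lookup normalises them.
    The value must be exactly "1" after trimming whitespace; values such
    as "true", "0" or "" are not valid under the spec and are ignored,
    as is the unrelated DNT header.
    """
    for name, value in headers.items():
        if name.lower() == "sec-gpc":
            return value.strip() == "1"
    return False


@dataclass
class OptOutStore:
    """Illustrative persistent opt-out record keyed by consumer id.

    Persisting the choice matters because not every request that later
    sells or shares the data will carry the browser header (batch jobs,
    server-to-server ad calls), and the opt-out must still apply there.
    """
    opted_out: Dict[str, bool] = field(default_factory=dict)

    def record(self, consumer_id: str) -> None:
        self.opted_out[consumer_id] = True

    def is_opted_out(self, consumer_id: str) -> bool:
        return self.opted_out.get(consumer_id, False)


def may_sell_or_share(headers: Mapping[str, str],
                      consumer_id: Optional[str],
                      store: OptOutStore) -> bool:
    """Decide whether personal information from this request may be sold or shared.

    A valid GPC header counts as the consumer's opt-out with no further
    action required: it is recorded for an identified consumer and blocks
    sale/sharing for this request either way. Once recorded, the opt-out
    also blocks later requests that arrive without the header.
    """
    if gpc_signal_present(headers):
        if consumer_id is not None:
            store.record(consumer_id)
        return False
    if consumer_id is not None and store.is_opted_out(consumer_id):
        return False
    return True


def gpc_well_known(last_update: str) -> str:
    """Body for ``/.well-known/gpc.json`` declaring that GPC is honored.

    ``last_update`` is an ISO date (YYYY-MM-DD) of when the declaration
    was last reviewed, as the spec describes.
    """
    return json.dumps({"gpc": True, "lastUpdate": last_update})


if __name__ == "__main__":
    # Constructed sample requests, not captured traffic.
    store = OptOutStore()
    browser_with_gpc = {"Host": "shop.example", "Sec-GPC": "1"}
    browser_without = {"Host": "shop.example"}
    print(may_sell_or_share(browser_with_gpc, "consumer-42", store))   # False
    print(may_sell_or_share(browser_without, "consumer-42", store))    # False, opt-out persisted
    print(may_sell_or_share(browser_without, "consumer-7", store))     # True, no signal on record
    print(gpc_well_known("2026-05-18"))
```

The check is deliberately strict about the value "1" rather than accepting anything truthy: a lax comparison would let a misconfigured proxy that injects Sec-GPC: 0 or Sec-GPC: true register spurious opt-outs, while a check that only looks at the current request would fail the persistence point that the enforcement sweeps test for.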

How does Priverion help with CPRA compliance?

Priverion is a Swiss-hosted GRC platform purpose-built for multi-entity organizations. It provides integrated modules for ROPA management, DPIA and transfer impact assessment automation, vendor risk assessments, incident management, data subject request handling, cross-entity data mapping, and board-ready compliance dashboards. All data processing occurs within Swiss infrastructure, which is protected from extraterritorial access under the US CLOUD Act and FISA Section 702.

Statistics and Sources

According to the CPPA's 2025 CPI-adjusted penalty schedule, unintentional CPRA violations carry fines of $2,663 per violation and intentional violations carry fines of $7,988 per violation. The largest CPPA fine to date was $1.35 million against Tractor Supply Company in September 2025. The CPPA reported hundreds of active investigations at its September 2025 board meeting. In September 2025, three states — California, Colorado, and Connecticut — launched joint enforcement sweeps targeting GPC non-compliance. According to the IAPP-EY Annual Privacy Governance Report, the average organization now spends over $2.7 million annually on privacy compliance. The NIST Privacy Framework provides a complementary structure for managing privacy risk alongside CPRA requirements (Source: NIST).

CPRA vs. Other US State Privacy Laws

Feature                      | CPRA (California)  | CPA (Colorado)        | CTDPA (Connecticut)   | VCDPA (Virginia)
Dedicated enforcement agency | Yes (CPPA)         | No (AG only)          | No (AG only)          | No (AG only)
Right to correct             | Yes                | Yes                   | Yes                   | Yes
Right to limit SPI use       | Yes                | No                    | No                    | No
Mandatory cure period        | No (discretionary) | 60 days (sunset 2025) | 60 days (sunset 2025) | 30 days
Per-violation penalties      | $2,663–$7,988      | Up to $20,000         | Up to $5,000          | Up to $7,500
Employee data covered        | Yes                | No                    | No                    | No
GPC signal required          | Yes                | Yes                   | Yes                   | No