CCPA Checklist for Marketing Software: Everything You Need to Stay Compliant

If your business uses marketing software to collect, store, or process data from California residents, the California Consumer Privacy Act (CCPA) applies to you. Non-compliance isn’t just a legal risk — it can cost you up to $7,500 per intentional violation and permanently damage customer trust.

This checklist walks marketing teams and compliance officers through every critical step to ensure your marketing stack meets CCPA requirements.


Who Needs This Checklist?

The CCPA applies to for-profit businesses that meet at least one of the following thresholds:

  • Having annual gross revenues exceeding $25 million
  • Buying, selling, or sharing the personal information of 100,000 or more consumers or households annually
  • Deriving 50% or more of annual revenue from selling consumers’ personal information

If your marketing software collects email addresses, tracks website behavior, runs retargeting campaigns, or profiles users in any way, you are almost certainly processing personal information under the CCPA’s broad definition.


Step 1: Map All Personal Data Your Marketing Software Collects

Before you can comply, you need to know exactly what data you have.

Conduct a Data Inventory

  • Identify every marketing tool in your stack (CRM, email platforms, ad tech, analytics, chatbots, etc.)
  • Document what personal information each tool collects (names, emails, IP addresses, device IDs, browsing behavior, purchase history)
  • Map where data flows — from collection point to storage to third-party sharing
  • Note whether each vendor acts as a service provider or a third party under CCPA definitions

Key Categories to Look For

Under the CCPA, personal information includes:

  • Identifiers: real names, aliases, email addresses, IP addresses, account names
  • Commercial information: purchase records, browsing or search history
  • Internet/network activity: website interactions, ad click data
  • Geolocation data: location tracking used in geo-targeted campaigns
  • Inferences: profiles built from the above to predict preferences or behavior

Step 2: Review Your Marketing Software Vendor Agreements

Every third-party tool your marketing team uses must be evaluated for CCPA compliance.

What to Look For in Vendor Contracts

  • Does the vendor have a Data Processing Agreement (DPA) or Service Provider Agreement that includes CCPA-specific language?
  • Does the contract prohibit the vendor from selling or retaining your customers’ data for their own purposes?
  • Is there a clear description of the permissible purposes for which the vendor can use the data?
  • Does the vendor agree to delete or return data upon request?

Red Flags to Watch

  • Vendors that use your customer data to build their own audience segments
  • Ad platforms that share data with undisclosed third parties
  • Tools without a clear privacy policy or DPA available

If a vendor doesn’t qualify as a “service provider” under CCPA, sharing data with them may constitute a sale — triggering opt-out rights for consumers.


Step 3: Update Your Privacy Notice

Your privacy policy must be updated to reflect CCPA requirements before you collect any personal information.

Required Disclosures

Your privacy notice must include:

  • The categories of personal information you collect
  • The purposes for which you collect it
  • Whether you sell or share personal information (and to whom)
  • The rights California residents have under the CCPA
  • How consumers can submit requests (access, deletion, opt-out, correction)
  • A “Do Not Sell or Share My Personal Information” link if applicable

Website and In-App Requirements

  • Place the privacy notice link in your website footer
  • Add a “Do Not Sell or Share My Personal Information” link prominently on your homepage
  • Ensure your cookie banner or consent management platform (CMP) reflects opt-out options for data sharing with ad networks

Step 4: Implement Consumer Rights Request Processes

The CCPA gives California consumers five core rights that your marketing systems must support.

The Five Consumer Rights

  1. Right to Know: Consumers can request what personal information you’ve collected about them
  2. Right to Delete: Consumers can request deletion of their personal information
  3. Right to Opt-Out: Consumers can opt out of the sale or sharing of their personal information
  4. Right to Correct: Consumers can request correction of inaccurate personal information
  5. Right to Non-Discrimination: Consumers cannot be penalized for exercising their rights

Operational Steps

  • Create a dedicated request intake process (web form, email address, or toll-free number)
  • Build workflows to verify consumer identity before fulfilling requests
  • Establish a 45-day response timeline (extendable by another 45 days with notice)
  • Document all requests and responses for your compliance records
  • Test your marketing software’s ability to locate, export, and delete individual records

Step 5: Address Marketing-Specific Compliance Issues

Marketing activities create some of the trickiest CCPA compliance scenarios. Here’s what to focus on.

Behavioral Advertising and Retargeting

  • Sharing data with ad platforms (Google, Meta, etc.) for retargeting may constitute “sharing” under CCPA — even if no money changes hands
  • Implement Global Privacy Control (GPC) signal recognition on your website
  • Review your pixel and tag configurations to ensure opt-out signals suppress data sharing
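
One way to wire GPC recognition into tag loading so that an opt-out signal suppresses data sharing, as an added example that is not part of the original checklist. The tag names, the `sharesWithThirdParty` flag and the function names are assumptions made for illustration; `Sec-GPC` and `navigator.globalPrivacyControl` are the signals defined by the GPC specification.

```javascript
// Added example: gate third-party marketing tags on opt-out signals.
// Tag names and the `sharesWithThirdParty` flag are constructed for illustration.
const TAGS = [
  { name: "first-party-analytics", sharesWithThirdParty: false },
  { name: "ad-retargeting-pixel", sharesWithThirdParty: true },
  { name: "social-conversion-pixel", sharesWithThirdParty: true },
];

// Server side: GPC arrives as the request header `Sec-GPC: 1`.
// Header names are case-insensitive, so normalise before lookup.
function gpcFromHeaders(headers) {
  for (const [key, value] of Object.entries(headers || {})) {
    if (key.toLowerCase() === "sec-gpc") return String(value).trim() === "1";
  }
  return false;
}

// Client side: browsers that support GPC expose navigator.globalPrivacyControl.
function gpcFromNavigator(nav) {
  return Boolean(nav && nav.globalPrivacyControl === true);
}

// A consumer is opted out if any signal says so: the GPC header, GPC in the
// browser, or an opt-out recorded earlier via the "Do Not Sell or Share" link.
function isOptedOut({ headers, nav, storedOptOut }) {
  return gpcFromHeaders(headers) || gpcFromNavigator(nav) || storedOptOut === true;
}

// Return the tags that may load, plus the suppressed names for the opt-out log.
function selectTags(tags, ctx) {
  const optedOut = isOptedOut(ctx);
  const allowed = tags.filter((t) => !(optedOut && t.sharesWithThirdParty));
  const suppressed = tags.filter((t) => !allowed.includes(t)).map((t) => t.name);
  return { optedOut, allowed: allowed.map((t) => t.name), suppressed };
}

// Constructed sample request carrying the GPC header.
console.log(selectTags(TAGS, { headers: { "sec-gpc": "1" }, nav: null, storedOptOut: false }));
```

The `suppressed` list is what you would write to the "records of opt-out signals honored" log described in Step 7.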

Email Marketing

  • Ensure your email lists were collected with proper disclosures
  • Honor deletion requests by removing individuals from all marketing lists and suppression lists
  • Document the source and consent basis for each contact in your CRM

Lead Generation

  • Review third-party lead sources to ensure leads were collected compliantly
  • Require lead vendors to provide CCPA-compliant warranties
  • Avoid purchasing lists that don’t meet CCPA standards

Analytics and Tracking

  • Audit your analytics platforms for data sharing with third parties
  • Implement cookie consent management that respects opt-out preferences
  • Consider server-side tagging to better control data flows

Step 6: Train Your Marketing Team

Compliance isn’t just a legal or IT function — your marketing team needs to understand CCPA basics.

Training Topics to Cover

  • What counts as personal information under CCPA
  • How to handle consumer rights requests received via social media or email
  • Rules around purchasing or renting marketing lists
  • How to evaluate new martech tools for CCPA compliance before adoption
  • Proper handling of sensitive personal information (health data, precise geolocation)

Step 7: Maintain Ongoing Compliance Documentation

CCPA compliance isn’t a one-time project. Regulators expect ongoing accountability.

Documentation to Maintain

  • Data inventory and data flow maps (updated annually or when tools change)
  • Vendor agreements and DPAs
  • Consumer rights request logs
  • Employee training records
  • Privacy notice version history
  • Records of opt-out signals honored

CCPA Compliance Checklist Summary

Use this quick-reference list to track your progress:

  • [ ] Data inventory completed for all marketing tools
  • [ ] Vendor agreements reviewed and updated with CCPA language
  • [ ] Privacy notice updated with required CCPA disclosures
  • [ ] “Do Not Sell or Share” link added to website
  • [ ] Consumer rights request process implemented and tested
  • [ ] GPC signal recognition enabled
  • [ ] Email list compliance verified
  • [ ] Lead generation sources audited
  • [ ] Analytics and pixel configurations reviewed
  • [ ] Marketing team trained on CCPA requirements
  • [ ] Ongoing documentation process established

Frequently Asked Questions

Does CCPA apply to B2B marketing software?

Yes. While the CCPA originally had a B2B exemption, that exemption expired in 2023 under the CPRA amendments. Personal information collected in a B2B context — including business contact information — is now covered. If your marketing software processes contact data for California-based business contacts, CCPA applies.

What’s the difference between “selling” and “sharing” under CCPA?

“Selling” involves exchanging personal information for money or other valuable consideration. “Sharing” was added by the CPRA and covers making personal information available to a third party for cross-context behavioral advertising — even without payment. Most retargeting and programmatic advertising activities qualify as “sharing.”

Do we need consent to send marketing emails under CCPA?

CCPA doesn’t require affirmative consent for email marketing the way CASL or GDPR do. However, you must provide proper disclosures about data collection and honor opt-out requests. If your email platform shares data with third parties for advertising purposes, you must provide opt-out rights for that sharing.

How does CCPA interact with our CRM data?

Your CRM likely contains significant amounts of personal information subject to CCPA. You’ll need to ensure your CRM vendor qualifies as a service provider, that you can respond to data access and deletion requests, and that data retention policies align with your privacy notice disclosures.

What are the penalties for CCPA violations related to marketing?

The California Attorney General can impose civil penalties of up to $2,500 per unintentional violation and $7,500 per intentional violation. The CPRA also created a dedicated California Privacy Protection Agency (CPPA) with independent enforcement authority. Additionally, consumers have a private right of action for data breaches involving their personal information.


Get Compliant Faster With Ready-to-Use CCPA Templates

Working through CCPA compliance from scratch takes dozens of hours and carries real legal risk if you miss something. Our professionally drafted CCPA compliance template bundle gives your marketing and legal teams everything they need to get compliant quickly and confidently.

The bundle includes:

  • ✅ CCPA-compliant Privacy Notice template
  • ✅ Service Provider Agreement / DPA template
  • ✅ Consumer Rights Request Form and Response Templates
  • ✅ Data Inventory and Vendor Assessment Worksheet
  • ✅ Employee Training Acknowledgment Form
  • ✅ Marketing-specific CCPA Compliance Checklist (printable)

Stop guessing and start complying. Download the CCPA Marketing Compliance Template Bundle →

Templates are attorney-reviewed, regularly updated to reflect CPRA amendments, and ready to customize for your business in minutes.
