
CCPA / CPRA Compliance Checklist — 25 Steps for California Privacy

California's CPPA (privacy regulator) has been actively enforcing — Sephora paid $1.2M for not honoring GPC, DoorDash $375K for selling without notice. CPRA expanded scope to employees and B2B data and added 'sensitive personal information' restrictions. This checklist walks every required disclosure and consumer right with the operational evidence regulators expect.

Who this is for
  • Any for-profit business doing business in California meeting thresholds (>$25M revenue OR 100K+ consumers OR 50%+ revenue from selling/sharing PI)
  • B2B SaaS with California customers — CPRA removed B2B exemption in 2023
  • Employers with California workers — CPRA removed employee exemption in 2023
  • Companies that 'sell' or 'share' personal information (broadly defined — includes ad-tech sharing)
Typical timeline
First-time CCPA/CPRA: 45–90 days. Disclosure refresh: every 12 months.
Severity legend
critical · high · medium

The checklist

Scope

1
Determine if CCPA applies (thresholds)
critical
Annual revenue $25M+ OR PI of 100K+ Californians OR ≥50% revenue from selling/sharing PI.
§1798.140(d)
2
Inventory all PI collected (categories, sources, purposes, recipients)
critical
Required for privacy notice + DSR responses + risk assessment.
§1798.130(a)(5)
3
Identify Sensitive PI (SSN, drivers' license, biometric, geolocation, health, etc.)
critical
Triggers separate limit-use right; restricted purposes by default.
§1798.121

Notice

4
Publish a privacy policy with all CPRA-required disclosures
critical
Categories of PI, purposes, sources, recipients, retention, rights, contact, last updated.
§1798.130, §1798.135
5
Just-in-time notice at collection for each PI category
high
Provide the notice at or near the point of collection, not buried in the privacy policy.
§1798.100(a), §1798.100(b)
6
Privacy policy refreshed at least every 12 months
high
Last-updated date visible; archive prior versions.
§1798.130(a)(5)(A)

Rights

7
DSR workflow: know, delete, correct, opt-out of sale/share, limit Sensitive PI use
critical
45 days standard SLA; 90 days extension with notice.
§1798.100–.125
8
Two methods for consumers to submit DSRs (web form + email/phone)
critical
Web-only insufficient if consumers interact offline; toll-free for offline-only.
§1798.130(a)(1)
9
Verify consumer identity proportionate to PI sensitivity
high
Match 2–3 data points; require declaration under penalty of perjury for deletion.
§1798.140 / CCPA Regs §7060
10
Handle authorized agent requests (registered with SoS or signed authorization)
high
Can't reject because submitted by agent; verify with consumer if needed.
Regs §7063

Opt-Out

11
'Do Not Sell or Share My Personal Information' link in footer
critical
Plus 'Limit the Use of My Sensitive Personal Information' if applicable.
§1798.135(a)
12
Honor Global Privacy Control (GPC) browser signal as opt-out
critical
Sephora was fined $1.2M for not honoring GPC; treat as valid request.
Regs §7025
13
Don't require account to opt-out
high
Use cookies/local identifiers; treat session-based requests as valid.
Regs §7027
14
Wait 12 months before asking opted-out consumers to opt back in
high
Mandatory waiting period.
§1798.135(c)(4)
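Steps 12 and 13 above have a concrete technical shape: the Global Privacy Control signal arrives as the HTTP request header Sec-GPC: 1 (and is exposed to page scripts as navigator.globalPrivacyControl), and an opt-out that needs no account has to be persisted in a cookie or similar local identifier. The following is an added example, not code from the checklist page or from ComplianceIQ, showing one way to evaluate those two signals in a Node.js request handler. It assumes Node's lowercased request header names; the cookie name ccpa_opt_out, the one-year Max-Age and the returned field names are constructed for the example.

```javascript
// Added example: honouring the GPC signal and a cookie-based opt-out
// (no account required). Not from the original page; names below are
// assumptions chosen for illustration.

const OPT_OUT_COOKIE = 'ccpa_opt_out';       // constructed cookie name
const OPT_OUT_MAX_AGE = 365 * 24 * 60 * 60;  // one year, in seconds

// Parse a Cookie request header ("a=1; b=2") into a plain object.
function parseCookies(cookieHeader) {
  const out = {};
  if (!cookieHeader) return out;
  for (const part of cookieHeader.split(';')) {
    const idx = part.indexOf('=');
    if (idx < 0) continue;
    const name = part.slice(0, idx).trim();
    const value = part.slice(idx + 1).trim();
    if (name) out[name] = decodeURIComponent(value);
  }
  return out;
}

// Decide whether the request is opted out of sale/sharing.
// `headers` is a Node-style object with lowercased header names.
// Returns the decision plus its source so the DSR log can record why.
function optOutDecision(headers) {
  // GPC spec: the header is "Sec-GPC" with the literal value "1".
  if (headers['sec-gpc'] === '1') {
    return { optedOut: true, source: 'gpc-header' };
  }
  // Earlier opt-out persisted without any account (step 13).
  const cookies = parseCookies(headers['cookie']);
  if (cookies[OPT_OUT_COOKIE] === '1') {
    return { optedOut: true, source: 'opt-out-cookie' };
  }
  return { optedOut: false, source: 'none' };
}

// Apply the decision: persist a GPC-derived opt-out in a cookie so it
// survives on later requests without the signal, and tell downstream code
// whether sale/share tags (ad-tech pixels etc.) may be loaded at all.
function applyOptOut(headers) {
  const decision = optOutDecision(headers);
  const responseHeaders = {
    // Caches must not serve a GPC-honouring page to a non-GPC client.
    'Vary': 'Sec-GPC, Cookie',
  };
  if (decision.optedOut && decision.source === 'gpc-header') {
    responseHeaders['Set-Cookie'] =
      `${OPT_OUT_COOKIE}=1; Max-Age=${OPT_OUT_MAX_AGE}; Path=/; Secure; HttpOnly; SameSite=Lax`;
  }
  return { ...decision, responseHeaders, loadAdTech: !decision.optedOut };
}

// Client-side counterpart: the same signal is readable by page scripts.
// Takes the navigator object as a parameter so it can be tested outside
// a browser; in a page you would call clientOptedOut(window.navigator).
function clientOptedOut(nav) {
  return Boolean(nav && nav.globalPrivacyControl === true);
}

// Constructed sample requests for a stand-alone run.
const samples = {
  gpcBrowser: { 'sec-gpc': '1', 'cookie': 'session=abc' },
  returningOptedOut: { 'cookie': `session=abc; ${OPT_OUT_COOKIE}=1` },
  noSignal: { 'cookie': 'session=abc' },
};
for (const [label, headers] of Object.entries(samples)) {
  const result = applyOptOut(headers);
  console.log(label, '->', result.source, 'loadAdTech =', result.loadAdTech);
}
```

The point of returning `source` is evidentiary: the regulator expects a record that the signal was received and honoured, so log the decision source alongside the request, and gate every sale/share integration on `loadAdTech` rather than on a consent banner state that GPC users may never have interacted with.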

Sensitive PI

15
Honor 'Limit the Use of My Sensitive PI' to permitted business purposes only
critical
Permitted: services, security, fraud prevention, short-term ads, employee functions.
§1798.121, Regs §7027

Contracts

16
Execute compliant agreements with Service Providers / Contractors / Third Parties
critical
Required clauses limit use to specific purposes; pass-through obligations.
§1798.140 / §1798.100(d)
17
Maintain inventory of recipients + categorisation (SP/Contractor/Third Party)
high
Different obligations apply; auditor will trace where PI flows.
§1798.130(a)(5)

Children

18
Don't sell/share PI of consumers under 16 without affirmative authorization
critical
Opt-IN for 13–16 (consumer); opt-IN for under-13 (parent).
§1798.120(c)

Discrimination

19
No discrimination against consumers exercising rights
critical
Can't deny goods/services, charge different prices, or provide different quality.
§1798.125
20
Financial incentive programs disclosed + opt-in + reasonable value calc
high
Permitted if reasonably related to value of consumer's data.
§1798.125(b)

Employee/B2B

21
Extend full CPRA rights to employees & B2B contacts (exemption sunset Jan 1 2023)
critical
Privacy notice at collection for employees; the DSR workflow extends to them.
§1798.145

Risk Assessment

22
Conduct privacy risk assessment for high-risk processing
high
Required by CPRA regulations (effective 2024+); document risk + mitigation.
Regs §7150–7156

Security

23
Implement reasonable security measures (negligence standard)
high
AG can sue for breaches caused by failure to implement reasonable security.
§1798.150

Records

24
Maintain DSR records for 24 months (number, type, response time)
high
Annual public disclosure required for businesses processing 10M+ Californians.
Regs §7102

Governance

25
Annual privacy training for employees handling PI / responding to DSRs
high
Required by CPPA regs; documented attendance.
Regs §7102

Pitfalls — where teams actually fail

Want this checklist scored against YOUR policy?

Drop your existing CCPA/CPRA policy or upload a draft — ComplianceIQ runs the same checklist against your document and returns a 0–100 score, gap-by-gap with exact fixes and remediation copy.


FAQ

Who is the regulator?
California Attorney General (AG) and the California Privacy Protection Agency (CPPA — created by CPRA). Both can enforce; CPPA leads admin enforcement.
Do small businesses get an exemption?
Only by failing the thresholds. There is no general small-business exemption — even sub-$25M companies are in scope if they have 100K+ Californians' PI or ≥50% revenue from selling/sharing.
Is 'sale' just money?
No. Any 'valuable consideration' counts — including ad-tech cookie sharing for retargeting (which CPRA also captures as 'share').
GDPR and CCPA — do I need separate notices?
Often combined into one notice with jurisdiction-specific sections. Distinct rights & opt-out mechanisms per jurisdiction.
