CCPA/CPRA Compliance Checklist for EdTech

Allow consumers to request correction of inaccurate personal information your business maintains about them.

Allow consumers to limit the use and disclosure of sensitive personal information to what is necessary for providing services.

Do not discriminate against consumers who exercise their CCPA rights through pricing, service quality, or availability.

Create processes to respond to consumer requests to know what personal information is collected, used, shared, or sold within 45 days.

Establish procedures to delete consumer personal information upon request, including notifying service providers to delete data.

Provide a clear mechanism for consumers to opt out of the sale or sharing of their personal information including a Do Not Sell link.

Clearly disclose whether personal information is sold or shared for cross-context behavioral advertising and provide opt-out mechanisms.

Maintain a CCPA-compliant privacy notice listing categories of personal information collected, purposes, third parties, and consumer rights.

Inform consumers at or before the point of collection about categories of personal information collected and purposes.

Maintain a comprehensive inventory of all personal information collected, sources, purposes, and third parties it is shared with.

Document how personal information flows through your organization from collection to deletion including all third-party sharing.

Limit collection and retention of personal information to what is reasonably necessary for the disclosed purposes.

Ensure contracts with service providers include CCPA-required provisions restricting use of personal information.

Review and document all third-party relationships involving personal information sharing or selling.

Implement and maintain reasonable security procedures appropriate to the nature of personal information collected.