Ccpa Cpra Privacy Expert

Tools

CCPA Compliance Checker

Evaluates organizational readiness against all CCPA/CPRA requirements. Validates privacy policies, consumer rights handling, technical safeguards, and opt-out mechanisms.

# Check compliance from a JSON profile
python scripts/ccpa_compliance_checker.py --input company_profile.json

# Generate a blank input template
python scripts/ccpa_compliance_checker.py --template > company_profile.json

# JSON output for automation
python scripts/ccpa_compliance_checker.py --input company_profile.json --json

# Export report to file
python scripts/ccpa_compliance_checker.py --input company_profile.json --output report.json

Assessment Categories:

Output:

• Overall compliance score (0-100)
• Per-category scores with pass/fail/partial status
• Prioritized findings with regulatory references
• Remediation recommendations

CCPA Data Mapper

Maps personal information categories, identifies sensitive personal information, tracks data flows across collection, use, sharing, and selling. Generates data inventory reports.

# Map data from a JSON data inventory
python scripts/ccpa_data_mapper.py --input data_inventory.json

# Generate a blank inventory template
python scripts/ccpa_data_mapper.py --template > data_inventory.json

# Export mapping report
python scripts/ccpa_data_mapper.py --input data_inventory.json --output mapping_report.json

# Generate data flow diagram (text-based)
python scripts/ccpa_data_mapper.py --input data_inventory.json --flow-diagram

Features:

• Maps all 11 CCPA personal information categories
• Identifies sensitive personal information (SPI) per CPRA definitions
• Tracks data flows: collection sources, business purposes, sharing/selling recipients
• Maps data to service providers, contractors, and third parties
• Generates CCPA-compliant data inventory for privacy policy disclosures
• Flags cross-border data transfers
• Detects data retention gaps

Personal Information Categories Tracked:

Reference Guides

CCPA/CPRA Requirements Guide

references/ccpa-cpra-requirements-guide.md

Complete regulatory requirements covering:

• Full CCPA/CPRA text analysis with section references
• Consumer rights implementation guidance (Right to Know, Delete, Opt-Out, Correct, Portability, Limit SPI Use)
• Privacy policy content requirements and templates
• Service provider and contractor agreement requirements
• Comparison with Virginia VCDPA, Colorado CPA, Connecticut CTDPA, and GDPR
• Enforcement and penalty structure

CCPA Implementation Playbook

references/ccpa-implementation-playbook.md

Step-by-step implementation guidance:

• 6-month implementation roadmap
• Data mapping methodology and templates
• Privacy policy drafting guide
• Opt-out mechanism implementation (website, GPC, universal opt-out)
• Consumer request workflow design with SLA tracking
• Employee and vendor training program outline
• Annual cybersecurity audit planning
• Ongoing compliance monitoring

Workflows

Workflow 1: Initial CCPA/CPRA Compliance Assessment

Step 1: Determine applicability
        → Check $25M revenue, 100K+ consumers, 50%+ PI revenue thresholds
        → Review exemptions (HIPAA, GLBA, employment data)

Step 2: Generate compliance profile template
        → python scripts/ccpa_compliance_checker.py --template > profile.json
        → Fill in organizational details

Step 3: Run compliance assessment
        → python scripts/ccpa_compliance_checker.py --input profile.json

Step 4: Review scores and findings
        → Address critical gaps first (opt-out link, privacy policy)
        → Plan remediation by category

Step 5: Create data inventory
        → python scripts/ccpa_data_mapper.py --template > inventory.json
        → Document all PI categories collected
        → python scripts/ccpa_data_mapper.py --input inventory.json

Step 6: Develop implementation plan
        → See references/ccpa-implementation-playbook.md

Workflow 2: Consumer Rights Request Handling

Step 1: Receive consumer request
        → Identify request type (Know, Delete, Opt-Out, Correct, Portability, Limit SPI)

Step 2: Acknowledge within 10 business days (confirm receipt)
        → Document request in tracking system

Step 3: Verify consumer identity
        → Match 2+ data points for standard requests
        → Match 3+ data points for sensitive data requests
        → No verification needed for opt-out requests

Step 4: Fulfill request within 45 calendar days
        → Extension: up to 45 additional days with notice
        → Search all systems using data inventory
        → python scripts/ccpa_data_mapper.py --input inventory.json

Step 5: Deliver response
        → Provide information in portable format if requested
        → Document completion and response

Step 6: Monitor compliance
        → Track response times and completion rates
        → Generate quarterly compliance reports

Workflow 3: Privacy Policy Update Cycle

Step 1: Review current privacy policy against requirements
        → python scripts/ccpa_compliance_checker.py --input profile.json
        → Check privacy_policy category score

Step 2: Update data inventory
        → python scripts/ccpa_data_mapper.py --input inventory.json
        → Verify all PI categories are disclosed

Step 3: Verify required disclosures
        → Categories of PI collected (past 12 months)
        → Sources of PI
        → Business/commercial purposes
        → Categories of third parties
        → Consumer rights description
        → "Do Not Sell or Share" link
        → "Limit the Use of My Sensitive PI" link

Step 4: Update and publish
        → Annual update at minimum
        → Update within 30 days of material changes
        → Maintain prior version archive

Regulatory Overview

CCPA/CPRA Timeline

Scope and Applicability

A business is subject to CCPA/CPRA if it:

• Has annual gross revenue exceeding $25 million
• Buys, sells, or shares PI of 100,000+ consumers or households annually
• Derives 50% or more of annual revenue from selling or sharing consumers' PI

Entity Types:

Exemptions:

• HIPAA-covered entities: Health data governed by HIPAA exempt
• GLBA: Financial data subject to GLBA exempt
• Employment data: Employee/applicant PI (subject to review through 2026)
• B2B data: Business contact PI in B2B transactions (subject to review through 2026)
• FCRA: Data subject to Fair Credit Reporting Act

Consumer Rights

Sensitive Personal Information (CPRA)

SPI categories requiring enhanced protections under CPRA §1798.140(ae):

• Social Security number, driver's license, state ID, passport number
• Account log-in credentials (username + password/security question)
• Financial account number with access credentials
• Precise geolocation (within 1,850 feet / radius)
• Racial or ethnic origin
• Religious or philosophical beliefs
• Union membership
• Contents of mail, email, and text messages (unless business is intended recipient)
• Genetic data
• Biometric data for identification
• Health information
• Sex life or sexual orientation data

Enforcement and Penalties

Enforcement Bodies:

• California Privacy Protection Agency (CPPA): Primary enforcer under CPRA (operational 2023)
• California Attorney General: Retains enforcement authority
• Private right of action: Limited to data breaches from failure to maintain reasonable security

CCPA vs GDPR Comparison

Infrastructure Privacy Controls

Cookie Consent Management:

• Implement cookie consent banner for non-essential cookies
• Honor Global Privacy Control (GPC) browser signals (legally required)
• Maintain cookie inventory with retention periods
• Categorize cookies: strictly necessary, functional, analytics, advertising

Global Privacy Control (GPC):

• Businesses must treat GPC signal as valid opt-out request (§1798.135)
• Technical implementation: detect Sec-GPC: 1 header or navigator.globalPrivacyControl
• Apply opt-out to sale AND sharing of PI
• No re-authentication required for GPC

Privacy by Design:

• Data minimization: collect only PI necessary for disclosed purposes
• Purpose limitation: use PI only for purposes disclosed at collection
• Storage limitation: retain PI only as long as necessary
• Security by default: encrypt PI at rest and in transit

Data Inventory and Mapping:

• Maintain comprehensive PI inventory across all systems
• Map data flows: collection → processing → sharing → deletion
• Document retention schedules per PI category
• Track cross-border data transfers

Automated Decision-Making:

• Disclose use of automated decision-making technology
• Provide opt-out for profiling that produces legal or significant effects
• CPRA regulations may require access to logic of automated decisions

Compliance Roadmap

Month 1-2: Discovery and Assessment

• Determine CCPA/CPRA applicability
• Conduct data inventory and mapping
• Gap analysis against requirements
• Assign compliance ownership

Month 3-4: Implementation

• Draft/update privacy policy
• Implement "Do Not Sell or Share" link
• Implement "Limit Use of SPI" link
• Deploy GPC signal detection
• Build consumer request intake and fulfillment workflows
• Draft service provider/contractor agreements

Month 5-6: Operationalization

• Train employees on privacy obligations
• Test consumer request workflows end-to-end
• Conduct initial risk assessment
• Plan annual cybersecurity audit
• Establish ongoing monitoring and metrics
• Document compliance program for regulatory defense

Troubleshooting

Success Criteria

• Overall compliance score of 80+ on initial assessment -- indicating foundational CCPA/CPRA controls are in place, with per-category scores identifying targeted remediation areas
• All consumer rights requests fulfilled within 45 calendar days -- with 10-business-day acknowledgment, tracked through a request management system with automated deadline alerts
• Privacy policy updated at least annually -- with documented reviews quarterly, disclosing all 11 PI categories collected, sources, purposes, third-party sharing, and all seven consumer rights
• GPC signal honored automatically -- detected via Sec-GPC: 1 header and navigator.globalPrivacyControl, applied to both sale and sharing of PI, with no re-authentication required
• Complete data inventory maintained -- all PI categories mapped to collection sources, business purposes, sharing recipients, and retention schedules using ccpa_data_mapper.py
• Service provider and contractor agreements include all CCPA-required provisions -- including certification of limited use, deletion obligations, audit rights, and sub-contractor chain documentation
• Risk assessments completed for all applicable processing activities -- covering the six CPRA significant-risk categories, with attestation readiness by the April 2028 deadline

Scope & Limitations

In Scope:

• CCPA/CPRA applicability determination (revenue, consumer count, PI revenue thresholds)
• Privacy policy compliance assessment against all required disclosures
• Consumer rights readiness validation (Know, Delete, Opt-Out, Correct, Portability, Limit SPI Use)
• Data inventory mapping across all 11 CCPA personal information categories
• Sensitive personal information identification per CPRA definitions
• Technical safeguard assessment (encryption, access controls, opt-out mechanisms)
• Service provider and contractor agreement requirements

Out of Scope:

• Legal advice or determination of exemption applicability (HIPAA, GLBA, FCRA, employment data) -- consult privacy counsel for exemption analysis
• Implementation of cookie consent management platforms or GPC signal handling code
• CCPA private right of action defense (data breach litigation) -- consult legal counsel
• Other state privacy laws (Virginia VCDPA, Colorado CPA, Connecticut CTDPA) beyond the comparison tables provided -- use jurisdiction-specific guidance
• Automated decision-making technology (ADMT) compliance under CPRA regulations effective January 2027 -- monitor CPPA rulemaking for final requirements

Important Notes:

• CPPA enforcement is escalating significantly in 2025-2026, with fines exceeding $1.3M in individual cases and joint multi-state enforcement sweeps targeting GPC non-compliance
• New CPRA regulations effective January 1, 2026 add risk assessment, cybersecurity audit, and updated compliance requirements -- plan implementation accordingly

Integration Points

Tool Reference

ccpa_compliance_checker.py

Evaluates organizational readiness against all CCPA/CPRA requirements across 8 assessment categories.

Output: Overall compliance score (0-100), per-category scores with pass/fail/partial status, prioritized findings with regulatory references, and remediation recommendations.

ccpa_data_mapper.py

Maps personal information categories, tracks data flows, and generates data inventory reports.

Output: PI category mapping across all 11 CCPA categories, SPI identification, data flow analysis (sources, purposes, recipients), cross-border transfer flags, and data retention gap detection.