California Consumer Privacy Act (CCPA) / California Privacy Rights Act (CPRA)

Documentation Updated: 2025-03-09

Description

The California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA), which amends and expands it, establish comprehensive data privacy rights for California residents. These laws give consumers control over their personal information by requiring businesses to be transparent about their data practices and by enabling consumers to access, correct, and delete their data and to opt out of its sale or sharing. Together they are the most far-reaching state privacy law in the U.S. and a benchmark that later state laws have followed.

Scope & Applicability

The CCPA/CPRA applies to for-profit businesses that do business in California, collect personal information of California residents, and meet at least one revenue or data-processing threshold.

  • Covered Entities: Businesses that (a) have annual gross revenue above $25 million (adjusted for inflation), (b) annually buy, sell, or share the personal information of 100,000 or more consumers or households, or (c) derive 50% or more of their annual revenue from selling or sharing consumers' personal information. Service providers and contractors that process data on a covered business's behalf carry contractual obligations even if they do not meet the thresholds themselves.
  • Data Types: Personal information including direct identifiers, online identifiers, geolocation data, inferences used for profiling, and sensitive personal information (e.g. precise geolocation, government ID numbers, account credentials, health and biometric data), which receives enhanced protections under the CPRA.
  • Key Exemptions: Non-profit organizations and government entities (which are not "businesses" under the statute); deidentified and aggregate consumer information that meets the statutory deidentification standard; and data already covered by sector laws such as HIPAA and GLBA.

Key Requirements

Organizations must disclose their data practices, honor consumer rights requests, and implement reasonable security measures:

  • Provide clear notice at or before collection of the categories of personal information collected and the purposes for which it is used, sold, or shared.
  • Enable consumers to access, correct, or delete their personal information, to opt out of its sale or sharing, and to limit the use of their sensitive personal information.
  • Special Focus Areas:
    • Consumer Rights: Provide verifiable request mechanisms (including a "Do Not Sell or Share My Personal Information" link where applicable) and respond within the statutory deadlines.
    • Security Measures: Implement reasonable security procedures and practices appropriate to the nature of the information; failure to do so is what exposes a business to the private right of action after a breach.
  • Additional Focus: Keep privacy policies and data inventories current so that disclosures match actual collection, retention, and sharing practices.

Impact on LLM/AI Deployments

LLM and AI systems that ingest or generate data about California residents must build privacy in from the start, because training corpora, prompts, and model outputs can all contain personal information:

  • Data Processing Controls: Limit collection to what is reasonably necessary for the disclosed purpose, and design pipelines so that deletion requests can be honored in the training data, fine-tuning sets, and retrieval stores, not only in the application database.
  • Consent & Transparency: Disclose at collection that personal information may be used for model training; honor opt-out of sale/sharing and requests to limit use of sensitive personal information; and obtain opt-in consent before selling or sharing the data of consumers under 16.
  • Model Training Considerations: Prefer deidentified data where possible. Note that pseudonymized data remains personal information under the statute, and data counts as deidentified only if it cannot reasonably be linked to a consumer, the business publicly commits not to reidentify it, and downstream recipients are contractually bound to the same.
  • Security and Observability Considerations:
    • Access Controls: Enforce authentication and least-privilege authorization for every path to training data, prompts, and embeddings.
    • Audit Logging: Record who accessed or transformed personal information and which datasets each training run used, so that a deletion or access request can be traced end to end.
    • Data Retention Policies: Define and enforce retention periods for raw data, logs, and intermediate artifacts; retention must not exceed what the disclosed purpose requires.
    • Continuous Monitoring: Use observability tooling to detect personal information appearing in prompts, outputs, or logs where it should not.
    • Compliance Reviews: Audit regularly to confirm that practices still match published disclosures.
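As an added illustration of the data-minimization, pseudonymization, deletion and retention controls listed above (example code written for this page, not code from any regulator or vendor), the following sketch shows a training-data intake store that pseudonymizes identifiers with a keyed HMAC, drops undeclared fields, honors a deletion request without ever storing the raw e-mail, purges records past a retention window, and keeps an audit trail. The field names, the 30-day window, the key, and the sample records are assumptions chosen for the example. Note that under the statute these records are still personal information (pseudonymized, not deidentified), so the controls reduce risk but do not remove the data from scope.

```python
"""Added example: pseudonymizing training-data intake with deletion and
retention support. Not part of the CCPA/CPRA page; names and values are
assumptions for illustration."""
import hashlib
import hmac
import json
from datetime import datetime, timedelta, timezone

# Fields treated as direct identifiers (assumption for this example).
IDENTIFIER_FIELDS = ("email", "device_id")
# Retention window for raw training records (assumption for this example).
RETENTION_DAYS = 30


class TrainingDataStore:
    def __init__(self, key: bytes):
        # The key is kept outside the dataset (KMS/HSM in practice), so the
        # dataset alone cannot be reversed to the original identifiers.
        self._key = key
        self.records: list[dict] = []
        self.audit_log: list[dict] = []

    def pseudonym(self, value: str) -> str:
        # Keyed HMAC rather than a bare hash: SHA-256 of an e-mail address is
        # trivially reversed by a dictionary of known addresses.
        normalized = value.strip().lower().encode()
        return hmac.new(self._key, normalized, hashlib.sha256).hexdigest()[:32]

    def _audit(self, action: str, **details) -> None:
        ts = datetime.now(timezone.utc).isoformat()
        self.audit_log.append({"ts": ts, "action": action, **details})

    def ingest(self, record: dict, collected_at: datetime) -> dict:
        # Data minimization: keep only the text and pseudonymized identifiers;
        # any other field in the raw record is dropped rather than stored.
        stored = {"text": record["text"], "collected_at": collected_at}
        for field in IDENTIFIER_FIELDS:
            if field in record:
                stored[field] = self.pseudonym(record[field])
        self.records.append(stored)
        self._audit("ingest", fields=sorted(stored))  # log field names, not values
        return stored

    def delete_consumer(self, email: str) -> int:
        # Deletion request: match on the pseudonym of the verified identifier,
        # so the raw e-mail never has to be stored to honor the request.
        target = self.pseudonym(email)
        before = len(self.records)
        self.records = [r for r in self.records if r.get("email") != target]
        removed = before - len(self.records)
        self._audit("delete_request", subject=target, removed=removed)
        return removed

    def enforce_retention(self, now: datetime) -> int:
        cutoff = now - timedelta(days=RETENTION_DAYS)
        before = len(self.records)
        self.records = [r for r in self.records if r["collected_at"] >= cutoff]
        purged = before - len(self.records)
        self._audit("retention_purge", cutoff=cutoff.isoformat(), purged=purged)
        return purged


def demo() -> dict:
    # Constructed sample records; not real consumers.
    store = TrainingDataStore(key=b"example-only-key-rotate-in-production")
    now = datetime(2025, 3, 9, tzinfo=timezone.utc)
    store.ingest({"email": "Alice@Example.com", "device_id": "d-1",
                  "ssn": "000-00-0000", "text": "hello"}, now - timedelta(days=1))
    store.ingest({"email": "bob@example.com", "text": "hi"}, now - timedelta(days=2))
    store.ingest({"email": "carol@example.com", "text": "old"}, now - timedelta(days=45))
    deleted = store.delete_consumer("alice@example.com")   # case-insensitive match
    purged = store.enforce_retention(now)                   # carol's record is too old
    return {
        "deleted": deleted,
        "purged": purged,
        "remaining": len(store.records),
        "audit_entries": len(store.audit_log),
        "raw_email_stored": any("@" in json.dumps(r, default=str) for r in store.records),
        "undeclared_field_stored": any("ssn" in r for r in store.records),
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The important design points are that deletion is keyed on the same pseudonym used at ingest (so the request can be honored without a lookup table of raw identifiers), that the audit log records field names and actions rather than the values themselves, and that retention is enforced as a routine job rather than left to ad-hoc cleanup.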

Enforcement & Penalties

The law is enforced by the California Attorney General and by the California Privacy Protection Agency (CPPA), the dedicated regulator created by the CPRA.

  • Enforcement Body: California Attorney General and CPPA; the CPRA removed the mandatory 30-day cure period that the original CCPA granted before enforcement.
  • Fines and Penalties:
    • Lower Tier: Up to $2,500 per violation.
    • Higher Tier: Up to $7,500 per intentional violation, or per violation involving the personal information of consumers under 16.
  • Additional Enforcement Mechanisms: A private right of action for data breaches of nonencrypted and nonredacted personal information caused by a failure to implement reasonable security, with statutory damages of $100 to $750 per consumer per incident or actual damages, whichever is greater.
  • Operational Impacts: Because penalties accrue per violation and per consumer, non-compliance across a large user base scales quickly; remediation also typically requires reworking data inventories, request workflows, and vendor contracts.

Resources & References