Skills
skills/borghei/claude-skills/ccpa-cpra-privacy-expert

ccpa-cpra-privacy-expert

SKILL.md

CCPA/CPRA Privacy Expert

Tools and guidance for California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA) compliance.

Table of Contents

Tools

CCPA Compliance Checker

Evaluates organizational readiness against all CCPA/CPRA requirements. Validates privacy policies, consumer rights handling, technical safeguards, and opt-out mechanisms.

# Check compliance from a JSON profile
python scripts/ccpa_compliance_checker.py --input company_profile.json

# Generate a blank input template
python scripts/ccpa_compliance_checker.py --template > company_profile.json

# JSON output for automation
python scripts/ccpa_compliance_checker.py --input company_profile.json --json

# Export report to file
python scripts/ccpa_compliance_checker.py --input company_profile.json --output report.json

Assessment Categories:

Category Key Checks
Applicability Revenue threshold, consumer count, data selling revenue
Privacy Policy Required disclosures, update cadence, accessibility
Consumer Rights Request handling, verification, timelines
Opt-Out Mechanisms "Do Not Sell" link, GPC signal, cookie consent
Sensitive PI SPI categories, use limitation link, handling controls
Technical Safeguards Encryption, access controls, security measures
Service Providers Agreement requirements, data processing terms
Risk Assessments Annual audits, processing risk evaluations

Output:

  • Overall compliance score (0-100)
  • Per-category scores with pass/fail/partial status
  • Prioritized findings with regulatory references
  • Remediation recommendations

CCPA Data Mapper

Maps personal information categories, identifies sensitive personal information, tracks data flows across collection, use, sharing, and selling. Generates data inventory reports.

# Map data from a JSON data inventory
python scripts/ccpa_data_mapper.py --input data_inventory.json

# Generate a blank inventory template
python scripts/ccpa_data_mapper.py --template > data_inventory.json

# Export mapping report
python scripts/ccpa_data_mapper.py --input data_inventory.json --output mapping_report.json

# Generate data flow diagram (text-based)
python scripts/ccpa_data_mapper.py --input data_inventory.json --flow-diagram

Features:

  • Maps all 11 CCPA personal information categories
  • Identifies sensitive personal information (SPI) per CPRA definitions
  • Tracks data flows: collection sources, business purposes, sharing/selling recipients
  • Maps data to service providers, contractors, and third parties
  • Generates CCPA-compliant data inventory for privacy policy disclosures
  • Flags cross-border data transfers
  • Detects data retention gaps

Personal Information Categories Tracked:

Category CCPA Section Examples
Identifiers 1798.140(v)(1)(A) Name, SSN, IP address, email
Customer Records 1798.140(v)(1)(B) Financial info, medical info
Protected Classifications 1798.140(v)(1)(C) Race, sex, age, disability
Commercial Information 1798.140(v)(1)(D) Purchase history, tendencies
Biometric Information 1798.140(v)(1)(E) Fingerprints, face geometry
Internet Activity 1798.140(v)(1)(F) Browsing, search, interaction
Geolocation Data 1798.140(v)(1)(G) Precise location
Sensory Data 1798.140(v)(1)(H) Audio, visual, thermal
Professional Info 1798.140(v)(1)(I) Employment, education
Education Info 1798.140(v)(1)(J) Non-public education records
Inferences 1798.140(v)(1)(K) Profiles, preferences

Reference Guides

CCPA/CPRA Requirements Guide

references/ccpa-cpra-requirements-guide.md

Complete regulatory requirements covering:

  • Full CCPA/CPRA text analysis with section references
  • Consumer rights implementation guidance (Right to Know, Delete, Opt-Out, Correct, Portability, Limit SPI Use)
  • Privacy policy content requirements and templates
  • Service provider and contractor agreement requirements
  • Comparison with Virginia VCDPA, Colorado CPA, Connecticut CTDPA, and GDPR
  • Enforcement and penalty structure

CCPA Implementation Playbook

references/ccpa-implementation-playbook.md

Step-by-step implementation guidance:

  • 6-month implementation roadmap
  • Data mapping methodology and templates
  • Privacy policy drafting guide
  • Opt-out mechanism implementation (website, GPC, universal opt-out)
  • Consumer request workflow design with SLA tracking
  • Employee and vendor training program outline
  • Annual cybersecurity audit planning
  • Ongoing compliance monitoring

Workflows

Workflow 1: Initial CCPA/CPRA Compliance Assessment

Step 1: Determine applicability
        → Check $25M revenue, 100K+ consumers, 50%+ PI revenue thresholds
        → Review exemptions (HIPAA, GLBA, employment data)

Step 2: Generate compliance profile template
        → python scripts/ccpa_compliance_checker.py --template > profile.json
        → Fill in organizational details

Step 3: Run compliance assessment
        → python scripts/ccpa_compliance_checker.py --input profile.json

Step 4: Review scores and findings
        → Address critical gaps first (opt-out link, privacy policy)
        → Plan remediation by category

Step 5: Create data inventory
        → python scripts/ccpa_data_mapper.py --template > inventory.json
        → Document all PI categories collected
        → python scripts/ccpa_data_mapper.py --input inventory.json

Step 6: Develop implementation plan
        → See references/ccpa-implementation-playbook.md

Workflow 2: Consumer Rights Request Handling

Step 1: Receive consumer request
        → Identify request type (Know, Delete, Opt-Out, Correct, Portability, Limit SPI)

Step 2: Acknowledge within 10 business days (confirm receipt)
        → Document request in tracking system

Step 3: Verify consumer identity
        → Match 2+ data points for standard requests
        → Match 3+ data points for sensitive data requests
        → No verification needed for opt-out requests

Step 4: Fulfill request within 45 calendar days
        → Extension: up to 45 additional days with notice
        → Search all systems using data inventory
        → python scripts/ccpa_data_mapper.py --input inventory.json

Step 5: Deliver response
        → Provide information in portable format if requested
        → Document completion and response

Step 6: Monitor compliance
        → Track response times and completion rates
        → Generate quarterly compliance reports

Workflow 3: Privacy Policy Update Cycle

Step 1: Review current privacy policy against requirements
        → python scripts/ccpa_compliance_checker.py --input profile.json
        → Check privacy_policy category score

Step 2: Update data inventory
        → python scripts/ccpa_data_mapper.py --input inventory.json
        → Verify all PI categories are disclosed

Step 3: Verify required disclosures
        → Categories of PI collected (past 12 months)
        → Sources of PI
        → Business/commercial purposes
        → Categories of third parties
        → Consumer rights description
        → "Do Not Sell or Share" link
        → "Limit the Use of My Sensitive PI" link

Step 4: Update and publish
        → Annual update at minimum
        → Update within 30 days of material changes
        → Maintain prior version archive

Regulatory Overview

CCPA/CPRA Timeline

Date Milestone
Jan 1, 2020 CCPA effective
Jul 1, 2020 AG enforcement begins
Nov 3, 2020 CPRA passed (Proposition 24)
Jan 1, 2023 CPRA amendments effective
Jul 1, 2023 CPPA enforcement of CPRA begins
2026 Employment and B2B data exemptions status review

Scope and Applicability

A business is subject to CCPA/CPRA if it:

  • Has annual gross revenue exceeding $25 million
  • Buys, sells, or shares PI of 100,000+ consumers or households annually
  • Derives 50% or more of annual revenue from selling or sharing consumers' PI

Entity Types:

Entity Definition Obligations
Business Determines purposes and means of processing Full CCPA/CPRA compliance
Service Provider Processes PI on behalf of a business (contractual) Limited use, deletion obligations
Contractor Processes PI via written contract (CPRA addition) Certification, limited use, audit rights
Third Party Receives PI not as service provider/contractor Subject to opt-out rights

Exemptions:

  • HIPAA-covered entities: Health data governed by HIPAA exempt
  • GLBA: Financial data subject to GLBA exempt
  • Employment data: Employee/applicant PI (subject to review through 2026)
  • B2B data: Business contact PI in B2B transactions (subject to review through 2026)
  • FCRA: Data subject to Fair Credit Reporting Act

Consumer Rights

Right CCPA Section Description Timeline
Right to Know §1798.100, §1798.110 Categories and specific pieces of PI collected 45 days
Right to Delete §1798.105 Delete PI collected from the consumer 45 days
Right to Opt-Out §1798.120 Opt out of sale or sharing of PI Immediate
Right to Non-Discrimination §1798.125 No retaliation for exercising rights Ongoing
Right to Correct §1798.106 Correct inaccurate PI (CPRA) 45 days
Right to Limit SPI Use §1798.121 Limit use of sensitive PI (CPRA) Immediate
Right to Data Portability §1798.130 Receive PI in portable format (CPRA) 45 days

Sensitive Personal Information (CPRA)

SPI categories requiring enhanced protections under CPRA §1798.140(ae):

  • Social Security number, driver's license, state ID, passport number
  • Account log-in credentials (username + password/security question)
  • Financial account number with access credentials
  • Precise geolocation (within 1,850 feet / radius)
  • Racial or ethnic origin
  • Religious or philosophical beliefs
  • Union membership
  • Contents of mail, email, and text messages (unless business is intended recipient)
  • Genetic data
  • Biometric data for identification
  • Health information
  • Sex life or sexual orientation data

Enforcement and Penalties

Violation Type Penalty Enforcer
Unintentional violation $2,500 per violation CPPA / AG
Intentional violation $7,500 per violation CPPA / AG
Violations involving minors (under 16) $7,500 per violation CPPA / AG
Data breach (private action) $100-$750 per consumer per incident Consumer (court)

Enforcement Bodies:

  • California Privacy Protection Agency (CPPA): Primary enforcer under CPRA (operational 2023)
  • California Attorney General: Retains enforcement authority
  • Private right of action: Limited to data breaches from failure to maintain reasonable security

CCPA vs GDPR Comparison

Aspect CCPA/CPRA GDPR
Scope California consumers EU/EEA data subjects
Legal basis Opt-out model Opt-in (consent or legal basis)
Data covered Personal information Personal data
Sensitive data SPI with limit-use right Special category with explicit consent
Breach notification AG notification, private action 72-hour DPA notification
DPO requirement None Required for certain processing
Penalties $2,500-$7,500 per violation Up to 4% global revenue or €20M
Private right of action Data breaches only Varies by member state
Cross-border transfers No restrictions Adequacy decisions, SCCs, BCRs
Children's data Opt-in for under 16, parental for under 13 Parental consent for under 16 (variable)

Infrastructure Privacy Controls

Cookie Consent Management:

  • Implement cookie consent banner for non-essential cookies
  • Honor Global Privacy Control (GPC) browser signals (legally required)
  • Maintain cookie inventory with retention periods
  • Categorize cookies: strictly necessary, functional, analytics, advertising

Global Privacy Control (GPC):

  • Businesses must treat GPC signal as valid opt-out request (§1798.135)
  • Technical implementation: detect Sec-GPC: 1 header or navigator.globalPrivacyControl
  • Apply opt-out to sale AND sharing of PI
  • No re-authentication required for GPC

Privacy by Design:

  • Data minimization: collect only PI necessary for disclosed purposes
  • Purpose limitation: use PI only for purposes disclosed at collection
  • Storage limitation: retain PI only as long as necessary
  • Security by default: encrypt PI at rest and in transit

Data Inventory and Mapping:

  • Maintain comprehensive PI inventory across all systems
  • Map data flows: collection → processing → sharing → deletion
  • Document retention schedules per PI category
  • Track cross-border data transfers

Automated Decision-Making:

  • Disclose use of automated decision-making technology
  • Provide opt-out for profiling that produces legal or significant effects
  • CPRA regulations may require access to logic of automated decisions

Compliance Roadmap

Month 1-2: Discovery and Assessment

  • Determine CCPA/CPRA applicability
  • Conduct data inventory and mapping
  • Gap analysis against requirements
  • Assign compliance ownership

Month 3-4: Implementation

  • Draft/update privacy policy
  • Implement "Do Not Sell or Share" link
  • Implement "Limit Use of SPI" link
  • Deploy GPC signal detection
  • Build consumer request intake and fulfillment workflows
  • Draft service provider/contractor agreements

Month 5-6: Operationalization

  • Train employees on privacy obligations
  • Test consumer request workflows end-to-end
  • Conduct initial risk assessment
  • Plan annual cybersecurity audit
  • Establish ongoing monitoring and metrics
  • Document compliance program for regulatory defense
Weekly Installs
6
Repository
borghei/claude-skills
GitHub Stars
38
First Seen
6 days ago
Security Audits
Gen Agent Trust HubPass
SocketPass
SnykPass
Installed on
opencode6
gemini-cli6
github-copilot6
amp6
cline6
codex6