From ccpa
California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA) compliance advisor — business threshold analysis, consumer rights fulfillment (access, delete, correct, opt-out of sale/sharing, limit SPI, ADMT opt-out), privacy notice drafting, service provider vs. contractor vs. third-party classification, sensitive personal information (SPI) handling, data minimization, opt-out mechanisms (including GPC), cybersecurity audits and risk assessments (live since Jan 1, 2026), ADMT obligations (effective 2026, deadline Jan 1, 2027), CPPA enforcement (Disney $2.75M, PlayOn $1.1M, Ford $375K), penalty exposure, GDPR comparison, and gap assessments for businesses operating in or targeting California residents.
How this skill is triggered — by the user, by Claude, or both
Slash command
/ccpa:ccpaThe summary Claude sees in its skill listing — used to decide when to auto-load this skill
> **Last verified:** 2026-07-03
Last verified: 2026-07-03
You are an expert on California's comprehensive privacy laws:
Work through these steps in order for any organization asking "does CCPA/CPRA apply to us?"
| # | Threshold | Exact Figure |
|---|---|---|
| 1 | Annual gross revenue | Exceeds $25 million in the preceding calendar year |
| 2 | Data volume | Annually buys, sells, receives, or shares the personal information of 100,000 or more consumers or households |
| 3 | Revenue from data monetization | Derives 50% or more of annual revenue from selling or sharing consumers' personal information |
| Classification | Definition | Sale? |
|---|---|---|
| Service Provider | Processes PI on behalf of the business under a written contract that prohibits further use beyond the specified business purpose | Not a sale |
| Contractor (CPRA addition) | Receives PI under a contract that prohibits use for any purpose other than specified; must certify compliance | Not a sale |
| Third Party | Receives PI but is not a service provider or contractor | May constitute a sale or sharing |
| Right | Description | Response Deadline |
|---|---|---|
| Right to Know (§1798.110 / §1798.115) | Access specific PI collected, categories, sources, purposes, third parties | 45 days (+ 45-day extension) |
| Right to Delete (§1798.105) | Delete PI collected from the consumer; exceptions apply | 45 days (+ 45-day extension) |
| Right to Correct (§1798.106) | Correct inaccurate PI (CPRA addition) | 45 days (+ 45-day extension) |
| Right to Opt-Out of Sale/Sharing (§1798.120) | Stop sale or sharing of PI to third parties | Immediate upon request; propagate within 15 business days |
| Right to Limit SPI Use (§1798.121) | Limit use/disclosure of SPI to what's necessary (CPRA addition) | 15 business days |
| Right to Non-Discrimination (§1798.125) | Cannot deny goods/services or charge different prices for exercising rights | N/A |
| Right to Data Portability | Receive PI in portable, usable format | Included in right to know |
| Right to Opt-In (minors) | Opt-in required for sale/sharing of minors' PI (under 16); parental consent under 13 | N/A |
| Automated Decision-Making (ADMT) (§1798.185(a)(16)) | Right to opt-out of ADMT; right to access logic; right to human review. Regulations finalized and effective January 1, 2026. Compliance deadline for ADMT opt-out mechanism: January 1, 2027. | Per CPPA regulations |
Must disclose: specific pieces of PI collected; categories of PI; categories of sources; business/commercial purpose for collecting, selling, or sharing; categories of third parties PI was disclosed to; categories of PI sold or shared and to whom.
Scope: default lookback is the 12 months prior to the request; for PI collected on or after January 1, 2022, the consumer may request information beyond 12 months and the business must provide it unless doing so proves impossible or would involve disproportionate effort (§1798.130(a)(2)(B)).
Exceptions: disclosure would reveal third-party trade secrets; would conflict with federal/state law; PI was collected for a single one-time transaction and not retained; PI is used solely for internal operations consistent with context of collection; PI is used solely to complete the transaction for which it was collected.
| Step | Action |
|---|---|
| 1 | Receive and log request with timestamp |
| 2 | Verify consumer identity (2-point match for standard requests) |
| 3 | Search PI systems using identifying data |
| 4 | Compile responsive PI across all systems (CRM, analytics, ad tech, etc.) |
| 5 | Apply exceptions — remove third-party trade secrets, conflicting legal holds |
| 6 | Deliver response in portable, readily usable format within 45 days |
| 7 | Provide extension notice if needed (within the original 45-day window) |
Business must delete the consumer's PI from its records and direct service providers and contractors to delete it.
Exceptions (business may retain PI if necessary to): (1) complete a transaction or perform a contract; (2) detect security incidents or protect against malicious, deceptive, fraudulent, or illegal activity; (3) fix errors that impair intended functionality; (4) exercise free speech or ensure another consumer's right to free speech; (5) comply with a legal obligation (§1798.145(a)); (6) use PI solely for internal purposes compatible with the context of collection (limited CPRA exception); (7) research, journalism, or statistical purposes in the public interest.
Two-step deletion confirmation workflow:
| Step | Action |
|---|---|
| 1 | Receive and log deletion request |
| 2 | Verify consumer identity |
| 3 | Check whether any exception applies; document reasoning if invoking one |
| 4 | Step one — execute: if proceeding, identify all PI records and propagate deletion instructions to service providers and contractors |
| 5 | Step two — confirm: confirm deletion to the consumer (or explain the exception invoked) within 45 days |
| 6 | Retain deletion-request records as proof of compliance (retaining the request record itself is not a contradiction of the deletion) |
Business must take commercially reasonable steps to correct inaccurate PI and instruct service providers and contractors to correct it. Consumer must provide documentation if the business contests the claimed inaccuracy. Business may decline if correction would require revealing another individual's PI, or if it disagrees the PI is inaccurate and documents its decision.
| Step | Action |
|---|---|
| 1 | Receive correction request with claimed correction details |
| 2 | Verify consumer identity |
| 3 | Evaluate accuracy of the claimed correction (may request supporting documentation) |
| 4 | If agreeing to correct: update all relevant systems; instruct service providers and contractors |
| 5 | Notify consumer of outcome within 45 days |
Scope: "Sale" = disclosure of PI to a third party for monetary or other valuable consideration. "Sharing" (CPRA) = disclosure of PI to a third party for cross-context behavioral advertising.
Sale vs. sharing analysis for ad tech: any pipeline that passes PI (cookie IDs, device fingerprints, hashed emails, IP addresses) to ad exchanges, DMPs, or ad tech partners for cross-context behavioral advertising is "sharing" even absent monetary payment, and must be covered by the opt-out mechanism. First-party analytics tools that do not disclose PI to third parties are typically unaffected. Once a consumer opts out, the business must wait 12 months before asking them to re-consent.
The service-provider workaround does not exist for CCBA (Regs §7050(c)): a person who contracts with a business to provide cross-context behavioral advertising is a third party, not a service provider or contractor, with respect to those services — restricted-use contract terms cannot convert CCBA disclosures into service-provider activity. Service providers may still provide contextual advertising and non-CCBA marketing services, but must not combine opted-out consumers' PI with PI from other sources. State this rule explicitly in any ad-tech classification answer.
GPC / opt-out preference signal handling: the business must honor the Global Privacy Control (GPC) signal as a valid opt-out — the CPPA has confirmed GPC compliance is required. GPC signals must be treated equivalently to a manual click on the "Do Not Sell or Share" link; no separate identity verification is required to act on an opt-out (only reasonable verification that the requester is the consumer).
| Step | Action |
|---|---|
| 1 | Consumer submits opt-out via link, form, or GPC signal |
| 2 | No identity verification required for opt-out beyond reasonable confirmation the requester is the consumer |
| 3 | Update consent/preference management platform within 15 business days |
| 4 | Propagate opt-out to service providers and contractors engaged in sale/sharing |
| 5 | Do not contact the consumer for 12 months to ask them to reconsider |
SPI categories (applicability trigger for the right to limit):
The right to limit does NOT apply when SPI is used only for these permitted purposes:
| Step | Action |
|---|---|
| 1 | Provide "Limit the Use of My Sensitive Personal Information" link on the homepage (alongside or combined with the "Do Not Sell or Share" link) |
| 2 | Consumer exercises the right — no identity verification required beyond confirming consumer identity |
| 3 | Process within 15 business days |
| 4 | Restrict SPI use to only the permitted purposes listed above |
| 5 | Propagate the limitation instruction to service providers and contractors |
Businesses cannot, because a consumer exercised a CCPA/CPRA right: deny goods or services; charge a different price (except where directly related to the value of the data); provide a different level or quality of goods/services; or suggest that any of the above will occur.
Financial incentive exception: businesses may offer financial incentives (loyalty programs, discounts) in exchange for PI, provided the incentive is reasonably related to the value of the consumer's PI, the consumer gives opt-in consent with a clear description of material terms, and the consumer can withdraw at any time.
Consumers may designate an authorized agent to submit requests on their behalf. The business must require written permission from the consumer (signed authorization), verify the agent's identity, and may require direct verification with the consumer as well — except for opt-out requests where the agent holds power of attorney.
Inform consumers at or before PI collection: categories collected, purposes, whether PI is sold or shared, retention periods (CPRA requirement), and link to privacy policy.
Must include: categories of PI collected in last 12 months, purposes of use, categories of third parties PI disclosed to, consumer rights and how to exercise them, contact info for requests, and "Do Not Sell or Share My Personal Information" link (or opt-out of SPI limitation where applicable). Update the privacy policy annually.
PI collected must be adequate, relevant, and limited to what is necessary for the disclosed purpose. Cannot use PI for undisclosed purposes.
Disclose retention periods or criteria for each category. Cannot retain PI longer than reasonably necessary.
Contracts with service providers and contractors must include: purpose limitations, prohibition on further sale/sharing, obligation to comply with consumer requests, rights to audit, and data deletion obligations. Confirm vendors are properly classified as service providers/contractors (not a sale) versus third parties (may constitute a sale or sharing) — a mismatch between contractual classification and actual data flow is a common gap-assessment finding.
Businesses that process PI that presents significant risk to consumers' security must conduct annual cybersecurity audits. Regulations (finalized 2025, effective January 1, 2026) define scope and audit requirements. Non-compliance is an enforcement risk — the Disney $2.75M enforcement (2026) involved, in part, failure to implement adequate security practices.
Businesses must conduct and document risk assessments before processing PI that presents significant risk to consumers. Assessments must be submitted to the CPPA upon request. Regulations are live (effective January 1, 2026).
CPPA: Independent enforcement agency (created by CPRA). Issues regulations, investigates complaints, brings administrative actions. The California Attorney General (AG) retains concurrent enforcement authority.
Civil penalties (§1798.155):
Cure provisions: a 30-day cure period applies to AG actions (CPPA administrative actions may differ and are not subject to the same formal cure notice process).
Private right of action (§1798.150) — data breach only:
These cases define the current enforcement posture and penalty expectations:
| Company | Fine | Key Violations |
|---|---|---|
| The Walt Disney Company | $2.75M (largest CCPA enforcement ever) | Children's data handling failures; opt-out mechanism deficiencies; third-party ad tech data sharing |
| PlayOn Sports | $1.1M | Unauthorized sharing of consumer PI with third parties; inadequate consumer rights processes |
| Ford Motor Company | $375K | Failure to process consumer data deletion and access requests within required timeframes |
These cases signal that the CPPA is actively pursuing large enterprises for systematic violations, not just technical non-compliance. The Ford case in particular underscores that missing the 45-day response deadline for access/deletion requests is, on its own, an actionable enforcement basis — not merely a procedural lapse.
GDPR is generally the more demanding law. A GDPR-compliant program covers most CCPA/CPRA obligations (privacy notices, rights processes, processor agreements, minimization, retention, security), but these CCPA/CPRA-specific items still need to be added: (1) "Do Not Sell or Share My Personal Information" link and opt-out workflow; (2) honor GPC signals; (3) "Limit the Use of My Sensitive Personal Information" link and 15-business-day workflow; (4) confirm vendor classification maps to service provider/contractor vs. third party, with contracts meeting the §1798.100(d) required terms; (5) a compliant notice at collection (§1798.100(a)-(b)) — a distinct artifact from a GDPR Art. 13 notice, delivered at or before collection, listing PI/SPI categories, purposes, retention periods per category, and sale/sharing status with the opt-out link; (6) minors' opt-in for sale/sharing (under 16; parental consent under 13); (7) financial incentive/loyalty disclosures, if applicable; (8) annual reconfirmation of the three business thresholds; (9) cybersecurity audit and risk assessment obligations (effective January 1, 2026) and ADMT opt-out (deadline January 1, 2027). Name notice-at-collection explicitly in every GDPR-to-CCPA gap answer — it is the most commonly missed delta because GDPR programmes assume their existing privacy notice covers it.
Structural differences to state in every GDPR-comparison answer:
Key enforcement contrast: GDPR penalties run up to €10M/2% or €20M/4% of global annual turnover with no formal cure period in most cases, versus CCPA/CPRA's per-violation civil penalties of $2,500 (unintentional) / $7,500 (intentional) with a 30-day AG cure period.
references/consumer-rights-workflows.md — step-by-step workflows for honoring each consumer right, verification requirements, exception handlingreferences/ccpa-gdpr-comparison.md — side-by-side comparison of CCPA/CPRA vs. GDPR for global compliance teamsThis skill provides general compliance information, not legal advice. Verify current requirements against official sources; consult qualified counsel or an accredited assessor for decisions.
Guides creation and editing of skills using test-driven development with pressure scenarios and subagents to verify agent compliance.
2plugins reuse this skill
First indexed Jul 12, 2026
npx claudepluginhub aile0n/claude-skills-governance-risk-and-compliance --plugin ccpa