ccpa-cpra-privacy-expert
CCPA/CPRA Privacy Expert
Tools and guidance for California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA) compliance.
Table of Contents
Tools
CCPA Compliance Checker
Evaluates organizational readiness against all CCPA/CPRA requirements. Validates privacy policies, consumer rights handling, technical safeguards, and opt-out mechanisms.
```bash
# Check compliance from a JSON profile
python scripts/ccpa_compliance_checker.py --input company_profile.json

# Generate a blank input template
python scripts/ccpa_compliance_checker.py --template > company_profile.json

# JSON output for automation
python scripts/ccpa_compliance_checker.py --input company_profile.json --json

# Export report to file
python scripts/ccpa_compliance_checker.py --input company_profile.json --output report.json
```
**Assessment Categories:**
| Category | Key Checks |
|----------|-----------|
| Applicability | Revenue threshold, consumer count, data selling revenue |
| Privacy Policy | Required disclosures, update cadence, accessibility |
| Consumer Rights | Request handling, verification, timelines |
| Opt-Out Mechanisms | "Do Not Sell or Share My Personal Information" link, GPC signal handling, opt-out for cookies/pixels used for sale or sharing |
| Sensitive PI | SPI categories, use limitation link, handling controls |
| Technical Safeguards | Encryption, access controls, security measures |
| Service Providers | Agreement requirements, data processing terms |
| Risk Assessments | Annual audits, processing risk evaluations |
**Output:**
- Overall compliance score (0-100)
- Per-category scores with pass/fail/partial status
- Prioritized findings with regulatory references
- Remediation recommendations
---
CCPA Data Mapper
Maps personal information categories, identifies sensitive personal information, tracks data flows across collection, use, sharing, and selling. Generates data inventory reports.
```bash
# Map data from a JSON data inventory
python scripts/ccpa_data_mapper.py --input data_inventory.json

# Generate a blank inventory template
python scripts/ccpa_data_mapper.py --template > data_inventory.json

# Export mapping report
python scripts/ccpa_data_mapper.py --input data_inventory.json --output mapping_report.json

# Generate data flow diagram (text-based)
python scripts/ccpa_data_mapper.py --input data_inventory.json --flow-diagram
```
**Features:**
- Maps all 11 enumerated CCPA personal information categories (§1798.140(v)(1)(A)-(K))
- Identifies sensitive personal information (SPI) per the CPRA definition in §1798.140(ae), which CPRA also added to the category list as subparagraph (L)
- Tracks data flows: collection sources, business purposes, sharing/selling recipients
- Maps data to service providers, contractors, and third parties
- Generates CCPA-compliant data inventory for privacy policy disclosures
- Flags cross-border data transfers
- Detects data retention gaps
**Personal Information Categories Tracked:**
| Category | CCPA Section | Examples |
|----------|-------------|---------|
| Identifiers | 1798.140(v)(1)(A) | Name, SSN, IP address, email |
| Customer Records | 1798.140(v)(1)(B) | Financial info, medical info |
| Protected Classifications | 1798.140(v)(1)(C) | Race, sex, age, disability |
| Commercial Information | 1798.140(v)(1)(D) | Purchase history, tendencies |
| Biometric Information | 1798.140(v)(1)(E) | Fingerprints, face geometry |
| Internet Activity | 1798.140(v)(1)(F) | Browsing, search, interaction |
| Geolocation Data | 1798.140(v)(1)(G) | Precise location |
| Sensory Data | 1798.140(v)(1)(H) | Audio, visual, thermal |
| Professional Info | 1798.140(v)(1)(I) | Employment, education |
| Education Info | 1798.140(v)(1)(J) | Non-public education records |
| Inferences | 1798.140(v)(1)(K) | Profiles, preferences |
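The checks below show the kind of gaps the mapper is described as flagging (retention gaps, cross-border processing, SPI without a limit-use control, sale or sharing with no opt-out path) run over a small inventory. This is an added example, not the skill's `ccpa_data_mapper.py`; the entry fields are an assumed shape rather than the tool's `--template` format, and `SAMPLE_INVENTORY` is constructed data.

```python
"""Data-inventory checks of the kind the data mapper reports. Added example,
not the skill's ccpa_data_mapper.py. Entry fields are an assumed shape, not the
tool's --template format; SAMPLE_INVENTORY is constructed, not real data.
"""
from collections import Counter
from typing import Dict, Iterable, List

# Sensitive PI under CCPA §1798.140(ae), as the short data_type labels this
# example uses for inventory entries.
SPI_LABELS = {
    "ssn", "drivers_license", "state_id", "passport", "login_credentials",
    "financial_account_with_credentials", "precise_geolocation",
    "racial_ethnic_origin", "religious_beliefs", "union_membership",
    "message_contents", "genetic", "biometric_identification", "health",
    "sex_life_or_orientation", "citizenship_or_immigration", "neural",
}

# Constructed sample inventory: one clean entry, one with several gaps, one SPI entry.
SAMPLE_INVENTORY = [
    {"id": "crm.customer.email", "category": "identifiers", "data_type": "email",
     "retention_days": 730, "processing_locations": ["US"],
     "sold": False, "shared": False, "recipients": ["service_provider:crm-vendor"]},
    {"id": "web.analytics.clickstream", "category": "internet_activity", "data_type": "browsing",
     "retention_days": None, "processing_locations": ["US", "IE"],
     "sold": False, "shared": True, "recipients": ["third_party:ad-network"],
     "opt_out_link": False},
    {"id": "mobile.location.fix", "category": "geolocation", "data_type": "precise_geolocation",
     "retention_days": 30, "processing_locations": ["US"],
     "sold": False, "shared": False, "recipients": [], "limit_use_control": False},
]


def check_entry(entry: Dict) -> List[Dict]:
    """Return findings for one inventory entry."""
    findings: List[Dict] = []

    def add(code: str, severity: str, detail: str) -> None:
        findings.append({"entry": entry["id"], "code": code,
                         "severity": severity, "detail": detail})

    # Retention period must be documented per category for the privacy policy.
    if entry.get("retention_days") is None:
        add("retention_gap", "high", "no retention period documented")
    # Any non-US processing location is a cross-border transfer to record.
    foreign = [loc for loc in entry.get("processing_locations", []) if loc != "US"]
    if foreign:
        add("cross_border", "info", "processed outside the US: " + ", ".join(foreign))
    # SPI needs a limit-use control unless used only for permitted purposes.
    if entry.get("data_type") in SPI_LABELS and not entry.get("limit_use_control", False):
        add("spi_without_limit_control", "high",
            "sensitive PI with no 'Limit the Use of My Sensitive PI' control")
    # Anything sold or shared must be covered by the opt-out link.
    if (entry.get("sold") or entry.get("shared")) and not entry.get("opt_out_link", False):
        add("sale_share_without_opt_out", "critical",
            "sold/shared but no 'Do Not Sell or Share' link covers it")
    # A third-party recipient on an entry not marked sold/shared is a disclosure gap.
    third_parties = [r for r in entry.get("recipients", []) if r.startswith("third_party:")]
    if third_parties and not (entry.get("sold") or entry.get("shared")):
        add("undeclared_third_party_disclosure", "medium",
            "third-party recipient but entry not marked sold/shared")
    return findings


def check_inventory(entries: Iterable[Dict]) -> List[Dict]:
    """Run check_entry over the whole inventory."""
    return [f for e in entries for f in check_entry(e)]


def summarize(findings: Iterable[Dict]) -> Dict[str, int]:
    """Count findings per code, e.g. to gate a CI job on 'critical' findings."""
    return dict(Counter(f["code"] for f in findings))


if __name__ == "__main__":
    for f in check_inventory(SAMPLE_INVENTORY):
        print(f["severity"].upper(), f["entry"], f["code"], "-", f["detail"])
```

The `spi_without_limit_control` check is deliberately coarse: the limit right only bites when SPI is used beyond the purposes the regulations allow without it, so a real inventory would record the purpose and suppress the finding for purely permitted uses.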
---
Reference Guides
CCPA/CPRA Requirements Guide
`references/ccpa-cpra-requirements-guide.md`

Complete regulatory requirements covering:
- Full CCPA/CPRA text analysis with section references
- Consumer rights implementation guidance (Right to Know, Delete, Opt-Out, Correct, Portability, Limit SPI Use)
- Privacy policy content requirements and templates
- Service provider and contractor agreement requirements
- Comparison with Virginia VCDPA, Colorado CPA, Connecticut CTDPA, and GDPR
- Enforcement and penalty structure
CCPA Implementation Playbook
`references/ccpa-implementation-playbook.md`

Step-by-step implementation guidance:
- 6-month implementation roadmap
- Data mapping methodology and templates
- Privacy policy drafting guide
- Opt-out mechanism implementation (website, GPC, universal opt-out)
- Consumer request workflow design with SLA tracking
- Employee and vendor training program outline
- Annual cybersecurity audit planning
- Ongoing compliance monitoring
Workflows
Workflow 1: Initial CCPA/CPRA Compliance Assessment
```
Step 1: Determine applicability
→ Check the thresholds: $25M+ annual gross revenue, PI of 100K+ consumers/households bought, sold or shared, or 50%+ of revenue from selling/sharing PI
→ Review exemptions (HIPAA, GLBA, FCRA); the employee/applicant and B2B data exemptions expired January 1, 2023, so that data is in scope
Step 2: Generate compliance profile template
→ python scripts/ccpa_compliance_checker.py --template > profile.json
→ Fill in organizational details
Step 3: Run compliance assessment
→ python scripts/ccpa_compliance_checker.py --input profile.json
Step 4: Review scores and findings
→ Address critical gaps first (opt-out link, GPC handling, privacy policy)
→ Plan remediation by category
Step 5: Create data inventory
→ python scripts/ccpa_data_mapper.py --template > inventory.json
→ Document all PI categories collected
→ python scripts/ccpa_data_mapper.py --input inventory.json
Step 6: Develop implementation plan
→ See references/ccpa-implementation-playbook.md
```
Workflow 2: Consumer Rights Request Handling
```
Step 1: Receive consumer request
→ Identify request type (Know, Delete, Opt-Out, Correct, Portability, Limit SPI)
Step 2: Acknowledge requests to know, delete, or correct within 10 business days (confirm receipt)
→ Document request in tracking system
Step 3: Verify consumer identity
→ Match 2+ data points for requests to know categories, delete, or correct
→ Match 3+ data points plus a signed declaration for requests for specific pieces of PI or those involving sensitive data
→ No verification for opt-out or limit requests (refuse only on a documented, good-faith belief that the request is fraudulent, and tell the requester why)
Step 4: Fulfill within the deadline
→ Know/Delete/Correct: 45 calendar days; one extension of up to 45 additional days, with notice before the first deadline
→ Opt-Out/Limit: 15 business days; notify third parties that received the PI between receipt and compliance
→ Search all systems using data inventory
→ python scripts/ccpa_data_mapper.py --input inventory.json
Step 5: Deliver response
→ Provide information in portable format if requested
→ Document completion and response
Step 6: Monitor compliance
→ Track response times and completion rates
→ Generate quarterly compliance reports
```
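The deadline and verification-tier rules of this workflow, as an added example that is not part of the skill's own scripts. Dates are ISO strings so the helpers drop into a tracking system without a datetime dependency; weekends are skipped when counting business days, and the optional holiday set is an assumption of this example.

```python
"""Request intake helpers for the consumer-rights workflow. Added example,
not the skill's own code. Timelines: confirm receipt of know/delete/correct
requests within 10 business days; fulfil them within 45 calendar days with one
45-day extension on notice; complete opt-out and limit requests within
15 business days. Weekends are skipped; `holidays` (ISO dates) is an optional
assumption of this example.
"""
from datetime import date, timedelta
from typing import Dict, FrozenSet, Optional

# Minimum matched data points before acting. Opt-out and limit requests are
# never verified; requests for specific pieces of PI need the higher bar.
VERIFICATION_POINTS: Dict[str, int] = {
    "opt_out": 0, "limit_spi": 0,
    "know_categories": 2, "delete": 2, "correct": 2, "portability": 2,
    "know_specific": 3,
}
NO_VERIFICATION = {"opt_out", "limit_spi"}


def required_verification(request_type: str, involves_sensitive: bool = False) -> dict:
    """Verification bar for a request: data points to match and whether a
    signed declaration under penalty of perjury is also needed."""
    if request_type not in VERIFICATION_POINTS:
        raise ValueError(f"unknown request type: {request_type}")
    points = VERIFICATION_POINTS[request_type]
    if points and involves_sensitive:       # sensitive data moves to the higher bar
        points = max(points, 3)
    return {"data_points": points, "signed_declaration": points >= 3}


def add_business_days(start_iso: str, n: int, holidays: FrozenSet[str] = frozenset()) -> str:
    """Advance an ISO date by n business days (Mon-Fri, excluding holidays)."""
    current = date.fromisoformat(start_iso)
    while n > 0:
        current += timedelta(days=1)
        if current.weekday() < 5 and current.isoformat() not in holidays:
            n -= 1
    return current.isoformat()


def deadlines(received_iso: str, request_type: str, extended: bool = False,
              holidays: FrozenSet[str] = frozenset()) -> dict:
    """Acknowledgement and fulfilment deadlines for one request."""
    if request_type in NO_VERIFICATION:
        # Opt-out/limit: 15 business days, no receipt confirmation, no extension.
        return {"acknowledge_by": None,
                "fulfil_by": add_business_days(received_iso, 15, holidays),
                "extension_used": False}
    received = date.fromisoformat(received_iso)
    fulfil_by = received + timedelta(days=45)
    if extended:
        # One extension of up to 45 more days; the consumer must be notified
        # before the original 45-day window closes.
        fulfil_by += timedelta(days=45)
    return {"acknowledge_by": add_business_days(received_iso, 10, holidays),
            "fulfil_by": fulfil_by.isoformat(),
            "extension_used": extended}


def request_status(received_iso: str, request_type: str, today_iso: str,
                   completed_iso: Optional[str] = None, extended: bool = False) -> str:
    """Classify a request as open, overdue, completed_on_time or completed_late.
    ISO dates compare correctly as strings."""
    due = deadlines(received_iso, request_type, extended)["fulfil_by"]
    if completed_iso is not None:
        return "completed_on_time" if completed_iso <= due else "completed_late"
    return "overdue" if today_iso > due else "open"


if __name__ == "__main__":
    print(deadlines("2026-03-02", "delete"))
    print(deadlines("2026-03-02", "opt_out"))
    print(required_verification("know_specific"))
```

`request_status` is what a quarterly report would aggregate; feeding it the tracking system's open requests each morning gives the automated deadline alert the success criteria call for.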
Workflow 3: Privacy Policy Update Cycle
```
Step 1: Review current privacy policy against requirements
→ python scripts/ccpa_compliance_checker.py --input profile.json
→ Check privacy_policy category score
Step 2: Update data inventory
→ python scripts/ccpa_data_mapper.py --input inventory.json
→ Verify all PI categories are disclosed
Step 3: Verify required disclosures
→ Categories of PI collected (past 12 months)
→ Sources of PI
→ Business/commercial purposes
→ Categories of third parties
→ Categories of PI sold or shared, and the retention period for each category
→ Consumer rights description and how to submit requests
→ "Do Not Sell or Share My Personal Information" link
→ "Limit the Use of My Sensitive Personal Information" link
Step 4: Update and publish
→ Annual update at minimum (§1798.130(a)(5))
→ Update promptly after material changes (a 30-day target is program practice; the statute itself only requires the 12-month refresh)
→ Maintain prior version archive
```
Regulatory Overview
CCPA/CPRA Timeline
| Date | Milestone |
|---|---|
| Jan 1, 2020 | CCPA effective |
| Jul 1, 2020 | AG enforcement begins |
| Nov 3, 2020 | CPRA passed (Proposition 24) |
| Jan 1, 2023 | CPRA amendments effective; employee/applicant and B2B data exemptions expire (not extended) |
| Jul 1, 2023 | CPPA enforcement of CPRA begins |
| Jan 1, 2026 | CPPA regulations on risk assessments, cybersecurity audits and ADMT take effect |
Scope and Applicability
A for-profit entity that does business in California and collects consumers' PI is a "business" under CCPA/CPRA if it meets any one of these thresholds:
- Annual gross revenue exceeding $25 million in the preceding calendar year (statutory figure, CPI-adjusted by the CPPA)
- Buys, sells, or shares the PI of 100,000 or more consumers or households annually
- Derives 50% or more of annual revenue from selling or sharing consumers' PI
Entity Types:
| Entity | Definition | Obligations |
|---|---|---|
| Business | Determines purposes and means of processing | Full CCPA/CPRA compliance |
| Service Provider | Processes PI on behalf of a business (contractual) | Limited use, deletion obligations |
| Contractor | Processes PI via written contract (CPRA addition) | Certification, limited use, audit rights |
| Third Party | Receives PI not as service provider/contractor | Subject to opt-out rights |
Exemptions (partial; they attach to the data, not to the entity as a whole):
- HIPAA: protected health information held by covered entities and business associates
- GLBA: PI collected, processed, sold, or disclosed under GLBA (the §1798.150 data-breach private right of action still applies)
- FCRA: data used in consumer reports under the Fair Credit Reporting Act
- Employee/applicant and B2B contact data: formerly exempt; both exemptions expired January 1, 2023 and were not extended, so this data is now fully in scope
Consumer Rights
| Right | CCPA Section | Description | Timeline |
|---|---|---|---|
| Right to Know | §1798.100, §1798.110 | Categories and specific pieces of PI collected | 45 days (one 45-day extension with notice) |
| Right to Delete | §1798.105 | Delete PI collected from the consumer | 45 days (one 45-day extension with notice) |
| Right to Opt-Out | §1798.120 | Opt out of sale or sharing of PI | 15 business days (regs §7026); no verification |
| Right to Non-Discrimination | §1798.125 | No retaliation for exercising rights | Ongoing |
| Right to Correct | §1798.106 | Correct inaccurate PI (CPRA) | 45 days (one 45-day extension with notice) |
| Right to Limit SPI Use | §1798.121 | Limit use of sensitive PI (CPRA) | 15 business days (regs §7027); no verification |
| Right to Data Portability | §1798.130 | Receive PI in a portable, readily usable format (part of CCPA since 2020, retained by CPRA) | 45 days, with the Right to Know response |
Sensitive Personal Information (CPRA)
SPI categories requiring enhanced protections under CPRA §1798.140(ae):
- Social Security number, driver's license, state ID, or passport number
- Account log-in, financial account, or debit/credit card number combined with any required security or access code, password, or credentials allowing access to the account
- Precise geolocation (data that locates the consumer within a circle of radius 1,850 feet or less)
- Racial or ethnic origin; citizenship or immigration status (added by AB 947, effective 2024)
- Religious or philosophical beliefs
- Union membership
- Contents of mail, email, and text messages, unless the business is the intended recipient
- Genetic data
- Biometric information processed for the purpose of uniquely identifying a consumer
- PI collected and analyzed concerning a consumer's health
- PI collected and analyzed concerning a consumer's sex life or sexual orientation
- Neural data (added by SB 1223, effective 2025)
Enforcement and Penalties
| Violation Type | Penalty | Enforcer |
|---|---|---|
| Unintentional violation | $2,500 per violation (statutory base amount, CPI-adjusted) | CPPA / AG |
| Intentional violation | $7,500 per violation (statutory base amount, CPI-adjusted) | CPPA / AG |
| Violations involving minors (under 16) | $7,500 per violation, intent not required | CPPA / AG |
| Data breach (private action, §1798.150) | $100-$750 per consumer per incident or actual damages, whichever is greater | Consumer (court) |
Enforcement Bodies:
- California Privacy Protection Agency (CPPA): Primary enforcer under CPRA (operational 2023)
- California Attorney General: Retains enforcement authority
- Private right of action: Limited to data breaches from failure to maintain reasonable security
CCPA vs GDPR Comparison
| Aspect | CCPA/CPRA | GDPR |
|---|---|---|
| Scope | California consumers | EU/EEA data subjects |
| Legal basis | Opt-out model (no consent needed to collect; consumer may opt out of sale/sharing) | Opt-in (consent or another Art. 6 legal basis before processing) |
| Data covered | Personal information | Personal data |
| Sensitive data | SPI with limit-use right | Special category data (Art. 9) with explicit consent or another exception |
| Breach notification | Separate breach statute (Civ. Code §1798.82), with a sample notice to the AG when 500+ residents are affected; CCPA adds the §1798.150 private action | 72-hour notification to the supervisory authority (Art. 33) |
| DPO requirement | None | Required for certain processing (Art. 37) |
| Penalties | $2,500-$7,500 per violation | Up to 4% of global annual turnover or €20M, whichever is higher |
| Private right of action | Data breaches only (§1798.150) | Judicial remedy and compensation for any infringement (Art. 79, 82) |
| Cross-border transfers | No transfer restrictions | Adequacy decisions, SCCs, BCRs (Chapter V) |
| Children's data | Opt-in to sale/sharing for under 16; parental consent for under 13 | Parental consent for under 16 for information-society services (member states may lower to 13) |
Infrastructure Privacy Controls
Cookie Consent Management:
- CCPA/CPRA is an opt-out regime: a consent banner is not required, but cookies and pixels used for sale or sharing (including cross-context behavioral advertising) must stop firing once the consumer opts out or sends GPC
- Honor Global Privacy Control (GPC) browser signals (legally required)
- Maintain a cookie inventory with purpose, vendor, and retention period
- Categorize cookies: strictly necessary, functional, analytics, advertising; the advertising category, and any analytics cookie that discloses PI to a third party, falls under the opt-out
Global Privacy Control (GPC):
- Businesses must treat the GPC signal as a valid opt-out request (§1798.135(b)(1); regs §7025)
- Technical implementation: check the `Sec-GPC: 1` request header server-side, or `navigator.globalPrivacyControl === true` in the browser
- Apply the opt-out to both sale AND sharing of PI, for the browser/device and for any consumer profile the business can associate with it
- Do not require login, re-authentication, or identity verification to honor the signal
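Server-side handling of the GPC signal as the list above describes it, as an added example that is not the skill's own code. The header test follows the GPC specification (only the exact value `1` is a signal); the opt-out store is an in-memory dictionary keyed by device id and, when the user is logged in, by consumer id, which is an assumption of this example in place of whatever persistence a real deployment uses.

```python
"""Honoring Global Privacy Control on the server. Added example, not the
skill's own code. `Sec-GPC: 1` is the signal per the GPC spec; any other
value, or no header, is not. The in-memory OptOutStore stands in for real
persistence (assumption of this example).
"""
from dataclasses import dataclass, field
from typing import Dict, Mapping, Optional


def gpc_signal_present(headers: Mapping[str, str]) -> bool:
    """True only when a Sec-GPC header is present with the exact value "1".

    Header names are case-insensitive (HTTP); surrounding whitespace is
    optional HTTP whitespace and is stripped. "true", "yes", "0" etc. are
    not valid signals and are ignored.
    """
    for name, value in headers.items():
        if name.lower() == "sec-gpc":
            return value.strip() == "1"
    return False


@dataclass
class OptOut:
    sale: bool = True       # §1798.135: the signal covers sale ...
    sharing: bool = True    # ... and sharing (cross-context behavioral advertising)
    source: str = "gpc"


@dataclass
class OptOutStore:
    """Opt-out state per browser/device and per known consumer profile."""
    by_device: Dict[str, OptOut] = field(default_factory=dict)
    by_consumer: Dict[str, OptOut] = field(default_factory=dict)

    def record(self, device_id: str, consumer_id: Optional[str], source: str) -> None:
        rec = OptOut(source=source)
        self.by_device[device_id] = rec
        if consumer_id:                 # consumer is known: cover the profile too
            self.by_consumer[consumer_id] = rec

    def sale_or_sharing_allowed(self, device_id: str, consumer_id: Optional[str] = None) -> bool:
        rec = self.by_consumer.get(consumer_id) if consumer_id else None
        rec = rec or self.by_device.get(device_id)
        return rec is None or not (rec.sale or rec.sharing)


def handle_request(headers: Mapping[str, str], device_id: str,
                   consumer_id: Optional[str], store: OptOutStore) -> dict:
    """Per-request hook. No login or verification is demanded before the
    signal is honored; the decision is returned for the ad/analytics layer."""
    signalled = gpc_signal_present(headers)
    if signalled:
        store.record(device_id, consumer_id, source="gpc")
    return {
        "gpc": signalled,
        "sell_or_share_allowed": store.sale_or_sharing_allowed(device_id, consumer_id),
    }


if __name__ == "__main__":
    store = OptOutStore()
    print(handle_request({"Sec-GPC": "1"}, "dev-a", None, store))
    print(handle_request({}, "dev-a", None, store))
```

Log each detection event alongside the decision, since the troubleshooting table below relies on those logs to prove the signal was honored; client-side code should make the same decision from `navigator.globalPrivacyControl` before any third-party tag loads.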
Privacy by Design:
- Data minimization: collect only PI necessary for disclosed purposes
- Purpose limitation: use PI only for purposes disclosed at collection
- Storage limitation: retain PI only as long as necessary
- Security by default: encrypt PI at rest and in transit
Data Inventory and Mapping:
- Maintain comprehensive PI inventory across all systems
- Map data flows: collection → processing → sharing → deletion
- Document retention schedules per PI category
- Track cross-border data transfers
Automated Decision-Making:
- Disclose use of automated decision-making technology
- Provide opt-out for profiling that produces legal or significant effects
- CPRA regulations may require access to logic of automated decisions
Compliance Roadmap
Month 1-2: Discovery and Assessment
- Determine CCPA/CPRA applicability
- Conduct data inventory and mapping
- Gap analysis against requirements
- Assign compliance ownership
Month 3-4: Implementation
- Draft/update privacy policy
- Implement "Do Not Sell or Share" link
- Implement "Limit Use of SPI" link
- Deploy GPC signal detection
- Build consumer request intake and fulfillment workflows
- Draft service provider/contractor agreements
Month 5-6: Operationalization
- Train employees on privacy obligations
- Test consumer request workflows end-to-end
- Conduct initial risk assessment
- Plan annual cybersecurity audit
- Establish ongoing monitoring and metrics
- Document compliance program for regulatory defense
Troubleshooting
| Problem | Possible Cause | Resolution |
|---|---|---|
| Compliance score unexpectedly low despite privacy policy updates | Policy disclosures incomplete -- missing SPI categories, retention periods, or sale/sharing categories | Run `python scripts/ccpa_compliance_checker.py --input profile.json` and work through the privacy_policy findings; confirm the profile reflects the published policy rather than the draft |
| Data mapper flags cross-border transfers but organization operates only in US | Data inventory includes cloud services with non-US processing locations | Review data inventory entries for cloud provider data processing locations; document all sub-processor locations per service provider agreements |
| Consumer rights requests consistently exceed 45-day response deadline | Manual fulfillment process without tracking system or unclear ownership | Implement a request tracking system with a named owner per request, 10-business-day acknowledgment and 45-day deadline alerts, and use the data inventory to locate PI instead of ad hoc searches |
| GPC signal detection not working | Application does not check the `Sec-GPC` request header or `navigator.globalPrivacyControl` | Implement server-side header detection and client-side JavaScript check; test with browsers that support GPC (Firefox, Brave); log detection events |
| CPPA enforcement inquiry received | Potential compliance gap discovered during regulatory sweep or consumer complaint | Immediately run full compliance assessment; prioritize critical gaps (opt-out link, GPC, privacy policy); engage privacy counsel; document remediation timeline |
| Vendor contracts missing CCPA-required provisions | Service provider agreements predate CPRA amendments | Audit all vendor agreements against CCPA service provider/contractor requirements; update contracts to include certification, limited use, audit rights, and data deletion obligations |
| Risk assessment requirements unclear | New CPRA regulations (effective January 1, 2026) mandate risk assessments for six processing categories | Review processing activities against the six "significant risk" categories; document risk assessments per CPPA regulatory template; plan for April 2028 attestation deadline |
Success Criteria
- Overall compliance score of 80+ on initial assessment -- indicating foundational CCPA/CPRA controls are in place, with per-category scores identifying targeted remediation areas
- All consumer rights requests fulfilled within 45 calendar days -- with 10-business-day acknowledgment, tracked through a request management system with automated deadline alerts
- Privacy policy updated at least annually -- with documented reviews quarterly, disclosing all 11 PI categories collected, sources, purposes, third-party sharing, and all seven consumer rights
- GPC signal honored automatically -- detected via the `Sec-GPC: 1` header and `navigator.globalPrivacyControl`, applied to both sale and sharing of PI, with no re-authentication required
- Complete data inventory maintained -- all PI categories mapped to collection sources, business purposes, sharing recipients, and retention schedules using `ccpa_data_mapper.py`
- Service provider and contractor agreements include all CCPA-required provisions -- including certification of limited use, deletion obligations, audit rights, and sub-contractor chain documentation
- Risk assessments completed for all applicable processing activities -- covering the six CPRA significant-risk categories, with attestation readiness by the April 2028 deadline
Scope & Limitations
In Scope:
- CCPA/CPRA applicability determination (revenue, consumer count, PI revenue thresholds)
- Privacy policy compliance assessment against all required disclosures
- Consumer rights readiness validation (Know, Delete, Opt-Out, Correct, Portability, Limit SPI Use)
- Data inventory mapping across all 11 CCPA personal information categories
- Sensitive personal information identification per CPRA definitions
- Technical safeguard assessment (encryption, access controls, opt-out mechanisms)
- Service provider and contractor agreement requirements
Out of Scope:
- Legal advice or determination of exemption applicability (HIPAA, GLBA, FCRA) -- consult privacy counsel for exemption analysis; note that the employee/applicant and B2B data exemptions expired January 1, 2023
- Implementation of cookie consent management platforms or GPC signal handling code
- CCPA private right of action defense (data breach litigation) -- consult legal counsel
- Other state privacy laws (Virginia VCDPA, Colorado CPA, Connecticut CTDPA) beyond the comparison tables provided -- use jurisdiction-specific guidance
- Automated decision-making technology (ADMT) compliance under CPRA regulations effective January 2027 -- monitor CPPA rulemaking for final requirements
Important Notes:
- CPPA enforcement is escalating significantly in 2025-2026, with fines exceeding $1.3M in individual cases and joint multi-state enforcement sweeps targeting GPC non-compliance
- New CPRA regulations effective January 1, 2026 add risk assessment, cybersecurity audit, and updated compliance requirements -- plan implementation accordingly
Integration Points
| Integration | When to Use |
|---|---|
| Unified privacy program satisfying both GDPR and CCPA; cross-framework privacy mapping | When organization operates in both EU and California markets |
| Technical safeguard validation (encryption, access controls, logging) for CCPA reasonable security | When assessing infrastructure controls supporting CCPA compliance |
| Security controls supporting CCPA "reasonable security" requirement | When building security program that satisfies both ISO 27001 and CCPA |
| SOC 2 controls mapped to CCPA technical safeguard requirements | When SOC 2 audit evidence supports CCPA security compliance |
Tool Reference
`ccpa_compliance_checker.py`
Evaluates organizational readiness against all CCPA/CPRA requirements across 8 assessment categories.
| Flag | Required | Description |
|---|---|---|
| `--input <file>` | Yes (unless `--template` is used) | Path to JSON company profile for assessment |
| `--template` | No | Generate blank input template to stdout |
| `--json` | No | Output results in JSON format for automation |
| `--output <file>` | No | Export report to specified file path |
Output: Overall compliance score (0-100), per-category scores with pass/fail/partial status, prioritized findings with regulatory references, and remediation recommendations.
`ccpa_data_mapper.py`
Maps personal information categories, tracks data flows, and generates data inventory reports.
| Flag | Required | Description |
|---|---|---|
| `--input <file>` | Yes (unless `--template` is used) | Path to JSON data inventory for mapping |
| `--template` | No | Generate blank inventory template to stdout |
| `--output <file>` | No | Export mapping report to specified file path |
| `--flow-diagram` | No | Generate text-based data flow diagram showing collection, use, sharing, and selling paths |
Output: PI category mapping across all 11 CCPA categories, SPI identification, data flow analysis (sources, purposes, recipients), cross-border transfer flags, and data retention gap detection.