CCPA & CPRA Compliance

Navigate California privacy law when using AI with consumer data

California Sets the Privacy Standard for the US

The California Consumer Privacy Act (CCPA) and its successor, the California Privacy Rights Act (CPRA), apply to businesses that collect personal information from California residents. Penalties can reach $7,500 per intentional violation.

CCPA vs. CPRA: What Changed?

CCPA (2020)

  • Right to know what data is collected
  • Right to delete personal information
  • Right to opt-out of sale of data
  • Non-discrimination for exercising rights

CPRA (2023+) Added:

  • Sensitive personal information category
  • Right to correct inaccurate data
  • Right to limit use of sensitive data
  • Sharing now regulated (not just sale)
  • California Privacy Protection Agency created
  • Automated decision-making restrictions

⚠️ Does CCPA/CPRA Apply to You?

Your business is covered if you do business in California AND meet any of:

  • Annual gross revenues exceed $25 million
  • Buy, sell, or share personal information of 100,000+ California consumers/households
  • Derive 50%+ of annual revenue from selling/sharing California consumer data

Sensitive Personal Information (SPI)

CPRA introduced a special category of "sensitive" data with additional restrictions. Using LLMs with SPI requires extra care.

Sensitive Personal Information Includes:

• Social Security, driver's license, passport numbers
• Account login credentials
• Financial account numbers with access codes
• Precise geolocation
• Racial or ethnic origin
• Religious or philosophical beliefs
• Union membership
• Mail, email, text message contents
• Genetic data
• Biometric data for unique identification
• Health data
• Sex life or sexual orientation

⚠️ LLM Risk with SPI

Consumers have the right to limit use of SPI. If you're using LLMs to process SPI, you must disclose this and allow consumers to opt-out. Avoid sending SPI to LLMs unless absolutely necessary.

Consumer Rights Under CCPA/CPRA

Right to Know

What personal information you've collected, used, disclosed, or sold about them.

LLM Impact: Can you track what consumer data was sent to LLMs? Response required within 45 days.

Right to Delete

Request deletion of their personal information.

LLM Impact: Use zero-retention LLM options. Data in trained models cannot be deleted.

Right to Correct

Request correction of inaccurate personal information (CPRA).

LLM Impact: Ensure source data can be corrected if LLM-generated insights are stored.

Right to Opt-Out

Opt-out of sale or sharing of personal information, and limit use of SPI.

LLM Impact: If LLM vendor uses data for improvement, this may be "sharing." Ensure opt-out mechanisms work.

"Sale" and "Sharing" of Personal Information

Important Definitions

Sale

Selling, renting, releasing, disclosing, disseminating, making available, transferring, or communicating personal information for monetary or valuable consideration.

Sharing (CPRA)

Communicating personal information to a third party for cross-context behavioral advertising, whether or not for monetary consideration.

⚠️ Does Using an LLM Count as "Sale" or "Sharing"?

Generally NO, if:

  • The LLM vendor is a "service provider" acting on your behalf
  • You have a contract prohibiting the vendor from using data beyond providing the service
  • Data is not used for the vendor's own purposes or sold to others

But YES, if the vendor uses your data to train models that benefit other customers!

Service Provider Contracts

To ensure LLM vendors are "service providers" (not third parties receiving "sold" data), your contract must include:

Required Contract Terms:

  • Vendor processes data only for the specific business purpose in the contract
  • Vendor is prohibited from retaining, using, or disclosing data for any other purpose
  • Vendor is prohibited from selling or sharing the data
  • Vendor certifies it understands these restrictions and will comply
  • Right to audit vendor compliance

Best Practice: Explicitly opt-out of data being used for model training or improvement.

CCPA/CPRA Compliance Best Practices

DO: Update Privacy Policy

Disclose LLM usage and categories of personal information processed

DO: Provide "Do Not Sell or Share" Link

If data goes to LLMs, provide opt-out mechanism on homepage and privacy policy

DO: Implement Consumer Request Portal

Make it easy for consumers to submit access, deletion, and correction requests

DO: Verify Service Provider Status

Ensure LLM vendor contracts include all required service provider terms

DO: Limit SPI Processing

Minimize use of sensitive personal information with LLMs

DO: Document Data Flows

Map what consumer data goes to LLMs and how it's used

DON'T: Allow Training on Consumer Data

This could constitute "sharing" even without monetary exchange

DON'T: Ignore Automated Decision-Making Rules

CPRA restricts fully automated decisions with legal/significant effects

Stay Compliant with California Privacy Law

We can help you implement CCPA/CPRA-compliant AI workflows and consumer rights processes