CCPA Compliance
The California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA) policy detects the personal information of California consumers and raises violations according to California privacy requirements.
Overview
CCPA/CPRA establishes privacy rights for California consumers and obligations for businesses handling their personal information. Aquilon DLP’s CCPA policy helps organizations comply with:
- 1798.100 - Right to Know (consumer data collection disclosure)
- 1798.105 - Right to Delete
- 1798.120 - Right to Opt-Out (sale of personal information)
- CPRA 2023 - Enhanced sensitive personal information categories
Personal Information Categories
The CCPA policy detects the following personal information categories:
| Category | Scanners | Severity |
|---|---|---|
| Direct Identifiers | ssn, drivers_license | Critical |
| Contact Information | email, phone, address | High |
| Financial Information | credit_card, bank_account | Critical |
| Geolocation Data | ip_address, address | High |
| Biometric Information | biometric | Critical |
| Professional/Employment | Context-based detection | Medium |
CPRA Sensitive Personal Information
CPRA (effective January 1, 2023) added enhanced protections for sensitive personal information, including:
- Social Security numbers
- Driver’s license and state ID numbers
- Financial account credentials
- Precise geolocation
- Racial/ethnic origin
- Religious beliefs
- Biometric data
- Health information
- Sexual orientation
Configuration
Basic Configuration
```toml
[policies]
enabled_policies = ["ccpa"]
```
Advanced Configuration
```toml
[policies.policy_configs.ccpa]
settings = { california_business = "true", sensitivity_level = "2", detect_sensitive_pi = "true", confidence_threshold = "0.7" }
```
Configuration Options
| Option | Description | Default |
|---|---|---|
| california_business | Whether the organization does business in California | true |
| sensitivity_level | Compliance strictness (1=basic, 2=standard, 3=strict) | 2 |
| detect_sensitive_pi | Detect CPRA sensitive personal information | true |
| detect_consumer_data | Detect commercial/behavioral data | true |
| confidence_threshold | Minimum scanner confidence (0.0-1.0); matches below it are discarded | 0.7 |
Context Detection
The CCPA policy uses context signals to determine applicability and severity:
California Context Keywords
- Location terms: California, CA, Calif
- Regulation terms: CCPA, CPRA, consumer privacy
- Business terms: consumer, customer, resident
Consumer Context Keywords
- Consumer terms: consumer, customer, subscriber, member
- Commercial terms: purchase, transaction, order, account
- Marketing terms: profile, preference, behavioral, targeting
Violation Metadata
Each CCPA violation includes:
```json
{
  "policy": "CCPA",
  "severity": "critical",
  "pi_category": "direct_identifier",
  "cpra_sensitive": true,
  "consumer_rights": ["right_to_know", "right_to_delete"],
  "section": "1798.100"
}
```
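To make the context logic concrete, the following is an added example and not Aquilon DLP's own code. It shows how pattern scanners, the California and consumer context keywords listed above, and the confidence_threshold option can combine into violation metadata of the shape shown in this section. The scanner regexes, the base confidence of 0.6, the +0.2 bonuses for California and consumer context, the severity downgrade when no consumer context is present, and the sample records are all assumptions made for the example.

```python
"""Added example (not Aquilon DLP's own code): a minimal CCPA-style detector
that combines pattern scanners with California/consumer context keywords.
Regexes, confidence scoring and sample records are assumptions."""
import json
import re

# Scanner regexes (simplified assumptions; names follow the category table).
SCANNERS = {
    "ssn": re.compile(r"\b(?!000|666|9\d{2})\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b"),
    "credit_card": re.compile(r"\b\d(?:[ -]?\d){12,18}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),
    "ip_address": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
}

# scanner -> (pi_category, base severity, CPRA-sensitive?) per the category table.
CATEGORIES = {
    "ssn": ("direct_identifier", "critical", True),
    "credit_card": ("financial_information", "critical", True),
    "email": ("contact_information", "high", False),
    "ip_address": ("geolocation_data", "high", False),
}

# Context keyword groups from the "Context Detection" section.
CALIFORNIA = re.compile(r"\b(?:California|Calif|CCPA|CPRA|consumer privacy|resident)\b", re.I)
CA_ABBREV = re.compile(r"\bCA\b")  # case-sensitive so a lowercase 'ca' in prose is ignored
CONSUMER = re.compile(r"\b(?:consumer|customer|subscriber|member|purchase|transaction|order|account)s?\b", re.I)
MARKETING = re.compile(r"\b(?:profile|preference|behavioral|targeting)s?\b", re.I)

SEVERITIES = ["low", "medium", "high", "critical"]


def luhn_ok(digits: str) -> bool:
    """Luhn checksum; filters most random digit runs out of the credit_card scanner."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def downgrade(sev: str) -> str:
    return SEVERITIES[max(0, SEVERITIES.index(sev) - 1)]


def scan_ccpa(text: str, confidence_threshold: float = 0.7,
              detect_sensitive_pi: bool = True) -> list[dict]:
    """Return CCPA violation metadata for each PI match in `text`.

    Scoring (this example's assumption): a bare pattern match scores 0.6;
    California context adds 0.2 and consumer context adds 0.2, so a match
    with no supporting context falls below the default 0.7 threshold.
    """
    ca_ctx = bool(CALIFORNIA.search(text) or CA_ABBREV.search(text))
    consumer_ctx = bool(CONSUMER.search(text))
    marketing_ctx = bool(MARKETING.search(text))
    confidence = 0.6 + (0.2 if ca_ctx else 0.0) + (0.2 if consumer_ctx else 0.0)

    findings = []
    for scanner, pattern in SCANNERS.items():
        for m in pattern.finditer(text):
            if scanner == "credit_card" and not luhn_ok(re.sub(r"[ -]", "", m.group())):
                continue
            if confidence < confidence_threshold:
                continue
            category, severity, sensitive = CATEGORIES[scanner]
            sensitive = sensitive and detect_sensitive_pi
            if sensitive:
                severity = "critical"          # CPRA sensitive PI is always critical
            elif not consumer_ctx:
                severity = downgrade(severity) # no signal that this is consumer PI
            rights = ["right_to_know", "right_to_delete"]
            if marketing_ctx:
                rights.append("right_to_opt_out")  # profiling data may be sold or shared
            findings.append({
                "policy": "CCPA",
                "scanner": scanner,
                "severity": severity,
                "pi_category": category,
                "cpra_sensitive": sensitive,
                "consumer_rights": rights,
                "section": "1798.100",
                "confidence": round(confidence, 2),
            })
    return findings


# Constructed sample records (not real data).
SAMPLES = [
    "Customer record, Sacramento CA: SSN 219-09-9999, email jane@example.com",
    "Behavioral targeting profile for subscriber; card 4111 1111 1111 1111",
    "Build server log: 10.0.0.12 connected",  # no context: dropped at 0.7
]

if __name__ == "__main__":
    for sample in SAMPLES:
        for finding in scan_ccpa(sample):
            print(json.dumps(finding))
```

The third sample shows the effect of confidence_threshold: the IP address is a valid match, but with no California or consumer context it scores 0.6 and is dropped at the default 0.7; lowering the threshold surfaces it as a downgraded, medium-severity geolocation finding.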
Compliance Reporting
Query Consumer PI Exposures
```sql
-- All CCPA findings
SELECT path, scanner, severity, timestamp
FROM aquilon_dlp_alerts
WHERE policy = 'CCPA'
ORDER BY timestamp DESC;
```
Sensitive PI Detection
```sql
-- Critical findings (sensitive PI under CPRA)
SELECT path, scanner, severity, timestamp
FROM aquilon_dlp_alerts
WHERE policy = 'CCPA'
  AND severity = 'critical'
ORDER BY timestamp DESC;
```
Best Practices
Consumer Rights Support
CCPA grants consumers specific rights. Aquilon DLP findings help you:
Right to Know (1798.100):
- Identify what personal information you’ve collected
- Document categories of PI by data type
Right to Delete (1798.105):
- Locate all instances of a consumer’s data
- Verify deletion completeness
Right to Opt-Out (1798.120):
- Identify data used for sales/sharing
- Track third-party data exposure
Monitoring Strategy
- Alert on Critical immediately: SSN, financial data, biometrics
- Daily review of High: Contact information, geolocation
- Weekly audit of Medium: Professional/employment context
Remediation Workflow
- Identify: Aquilon DLP detects PI exposure
- Classify: Determine PI category and CPRA sensitivity
- Assess: Evaluate consumer rights implications
- Remediate: Secure or delete exposed data
- Document: Record for compliance audit
CCPA vs GDPR
Both policies protect personal data but have different scopes:
| Aspect | CCPA | GDPR |
|---|---|---|
| Scope | California residents (consumers) | Data subjects in the EU/EEA |
| Threshold | Business thresholds (annual revenue, volume of PI bought/sold/shared, share of revenue from selling PI) | Any processing of personal data |
| Consent | Opt-out of sale/sharing | Lawful basis required; consent must be opt-in |
| Penalties | Up to $2,500 per violation, $7,500 per intentional violation | Up to €20M or 4% of global annual turnover, whichever is higher |
Organizations serving both jurisdictions should enable both policies:
```toml
[policies]
enabled_policies = ["gdpr", "ccpa"]
```
Related Resources
- Compliance Overview
- GDPR - EU data protection
- Configuration Guide