CCPA Implementation¶
The California Consumer Privacy Act (CCPA) gives California residents specific rights over their personal information. Dxtra supports CCPA compliance through rights request tracking and consent management.
CCPA Scope
Applies to: Businesses serving California residents that meet any threshold: $25M+ annual revenue, 50,000+ consumers' data annually, or 50%+ revenue from selling personal information.
Key Timelines: 45 days to respond to consumer requests (extendable to 90 days), 15 business days for opt-out requests.
Consumer Rights¶
CCPA provides four primary consumer rights, mapped to Dxtra request types:
Right to Know¶
Dxtra Request Types: Access, Data Copy
Consumers can request information about what personal information is collected, used, and shared.
Information disclosed:
- Categories of personal information collected
- Sources of personal information
- Business purposes for collection
- Third parties who receive personal information
- Specific pieces of personal information (via Data Copy)
Right to Delete¶
Dxtra Request Type: Erasure
Consumers can request deletion of their personal information.
Exceptions (when deletion may not apply):
- Transaction completion
- Legal compliance requirements
- Internal research use
- Free speech protections
Right to Opt-Out of Sale¶
Dxtra Request Type: No Sale
Consumers can request that businesses stop selling their personal information.
- 15 business day processing requirement
- Preference propagation to integrations
CCPA Definition of Sale
Under CCPA, "sell" includes sharing data for valuable consideration beyond monetary payment, including advertising revenue sharing, data licensing, and cross-promotional partnerships.
Right to Non-Discrimination¶
Businesses cannot discriminate against consumers who exercise CCPA rights.
- Rights requests tracked with timestamps for audit purposes
- Service delivery not linked to rights exercise
Request Types Mapping¶
| CCPA Right | Dxtra Request Type | Timeline |
|---|---|---|
| Right to Know (categories) | Access | 45 days |
| Right to Know (specific data) | Data Copy | 45 days |
| Right to Delete | Erasure | 45 days |
| Right to Opt-Out | No Sale | 15 business days |
| Non-Discrimination | N/A (tracked via audit) | N/A |
Identity Verification¶
CCPA requires verification of consumer identity before processing requests.
Verification Process¶
- Consumer submits request via Transparency Center
- Request logged with verification status as pending
- Verification steps documented
- Verification confirmed upon identity validation
- Request processed within timeline
Verification by Request Type¶
| Request Type | Verification Level |
|---|---|
| Know (categories) | Email confirmation |
| Know (specific data) | Multi-factor verification |
| Delete | Multi-factor verification |
| Opt-Out | Basic verification |
Timeline Management¶
CCPA requires:
- 45 days for most requests (extendable to 90 days with notice to consumer)
- 15 business days for opt-out requests
The dashboard shows request creation date and current status. Monitor response deadlines based on request creation timestamps.
Personal Information Categories¶
CCPA defines specific categories of personal information:
| Category | Examples |
|---|---|
| Identifiers | Name, email, account ID |
| Commercial information | Purchase history, payment info |
| Internet activity | Website usage, search history |
| Geolocation | IP address, device location |
| Professional information | Employment details |
| Education information | School records |
Handling Minors¶
CCPA has special requirements for minors:
| Age Group | Requirement |
|---|---|
| Under 13 | Parental consent required for collection |
| 13-15 | Opt-in consent required (no opt-out default) |
| 16+ | Standard CCPA rights apply |
Implementation Checklist¶
- Enable rights request submission via Transparency Center
- Configure No Sale request type handling
- Set up identity verification workflow
- Configure processor integrations for deletion
- Train staff on 15/45 day response requirements
- Document verification procedures
- Test opt-out preference propagation
Common Questions¶
Does CCPA apply to our business?¶
CCPA applies if you do business in California AND meet any of:
- $25+ million annual revenue
- Buy/sell personal info of 50,000+ CA residents annually
- 50%+ revenue from selling personal information
How do we handle verification failures?¶
Document verification attempts made. If verification fails, deny the request with clear explanation and offer alternative verification methods.
What about requests from authorized agents?¶
Verify both the agent's authority and the consumer's identity. Document the authorization in the request description.
Related Documentation¶
- GDPR Implementation -- European data protection
- Data Subject Rights -- Rights request processing
- Data Retention -- Retention policy management
- Data Controller Setup -- Initial configuration