CCPA / CPRA compliance
California Consumer Privacy Act and California Privacy Rights Act
The California Consumer Privacy Act (CCPA, 2020), amended by the California Privacy Rights Act (CPRA, 2023), grants California residents rights over their personal information.
Scope
Applies to businesses that:
- Have annual revenue > $25M, OR
- Buy/sell/share PI of >100k consumers, OR
- Derive >50% of revenue from selling PI.
Many small SaaS apps are below the threshold; check yours.
Olympus support per right
| Right | How Olympus supports |
|---|---|
| Right to know | DSR export; see Cookbook, GDPR DSR export. CCPA's "right to know" is similar in shape to the GDPR access request that export serves. |
| Right to delete | Cookbook, Self-service account deletion. |
| Right to correct | Kratos settings flow lets users update their data. |
| Right to opt out of sale/sharing | Olympus doesn't "sell" data. If your business does, implement an opt-out flag in your app DB. |
| Right to limit use of sensitive PI | Olympus doesn't collect sensitive PI (SSN, geolocation, etc.) by default. If your schema does, add an opt-out trait. |
| Right to non-discrimination | Don't charge different prices for users who exercise rights. Operational/legal control, not technical. |
"Sell" and "share" definitions
CPRA expanded the original CCPA definitions:
- Sell: exchange PI for monetary or other value.
- Share: disclose PI for cross-context behavioral advertising.
Most Olympus deployments don't "sell" (auth data isn't typically sold) or "share" (auth data isn't ad-targeted). But if your app uses tracking pixels, CCPA-style "Do Not Sell" toggles apply outside Olympus.
Privacy policy requirements
Your privacy policy must include:
- Categories of PI collected.
- Sources of PI.
- Purposes of collection.
- Categories of recipients (your sub-processors).
- Retention periods.
- Rights and how to exercise them.
Olympus doesn't generate your privacy policy; that's a legal document. But the data inventory helps you complete it accurately.
"Limit Use of Sensitive Personal Information"
CPRA introduced this for sensitive categories. If Olympus collects sensitive PI (e.g. precise geolocation via locations, health data via a custom trait), users can opt out.
For Olympus's locations table, consider geolocating only to country/region (less precise) by default, and doing precise IP geolocation only with consent.
Reasonable security
CCPA Section 1798.150 sets the security obligations. Olympus's AES-256-GCM encryption at rest plus TLS in transit covers this.
Verifiable consumer requests
Before responding to a DSR, verify the request. CCPA requires verification proportional to the risk:
- For data access: authenticate the user (logged-in session is sufficient).
- For deletion: re-authenticate (require AAL2 step-up).
- For requests by an authorised agent: additional verification.
Don't act on emailed deletion requests without re-auth.
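The verification ladder above, as an added example that is not Olympus code. It assumes the app has already resolved the caller's session into a dict shaped like a Kratos session object (the fields used are `active`, `expires_at`, `authenticator_assurance_level` and `identity.id`); the request kinds, decision names and sample sessions are constructed for this illustration.

```python
from datetime import datetime, timezone
from enum import Enum

# Added example, not Olympus code. Maps a DSR kind plus the caller's session
# onto one of four decisions, following the "proportional to risk" rule.

class RequestKind(Enum):
    ACCESS = "access"   # right to know: export the user's data
    DELETE = "delete"   # right to delete: irreversible, so it needs step-up
    AGENT = "agent"     # submitted by an authorised agent on the consumer's behalf

class Decision(Enum):
    ALLOW = "allow"
    STEP_UP_REQUIRED = "step_up_required"     # send the user through an AAL2 flow first
    MANUAL_VERIFICATION = "manual_verification"
    DENY = "deny"

def verify_dsr(kind, subject_id, session, channel="app", now=None):
    """Decide whether a DSR may proceed.

    `subject_id` is the identity the request is about, `session` is the
    caller's session (or None), `channel` is where the request arrived
    ("app" or "email"), `now` is injectable for deterministic tests.
    """
    now = now or datetime.now(timezone.utc)

    # Emailed requests are never acted on automatically: no session backs them.
    if channel == "email":
        return Decision.DENY
    # Agent requests need evidence of authority that a session cannot provide.
    if kind is RequestKind.AGENT:
        return Decision.MANUAL_VERIFICATION
    if not session or not session.get("active"):
        return Decision.DENY
    expires_raw = session.get("expires_at")
    if not expires_raw or datetime.fromisoformat(expires_raw) <= now:
        return Decision.DENY
    # The session must belong to the identity the request is about.
    if session.get("identity", {}).get("id") != subject_id:
        return Decision.DENY

    aal = session.get("authenticator_assurance_level", "aal1")
    if kind is RequestKind.ACCESS:
        return Decision.ALLOW           # a logged-in session is sufficient
    if kind is RequestKind.DELETE:
        return Decision.ALLOW if aal == "aal2" else Decision.STEP_UP_REQUIRED
    return Decision.DENY

# Constructed sample sessions (shape follows Kratos; all values are made up).
NOW = datetime(2024, 6, 1, 12, 0, tzinfo=timezone.utc)
SESSION_AAL1 = {
    "id": "sess-1",
    "active": True,
    "expires_at": "2024-06-02T12:00:00+00:00",
    "authenticator_assurance_level": "aal1",
    "identity": {"id": "user-42"},
}
SESSION_AAL2 = {**SESSION_AAL1, "id": "sess-2", "authenticator_assurance_level": "aal2"}
SESSION_EXPIRED = {**SESSION_AAL2, "id": "sess-3", "expires_at": "2024-05-01T12:00:00+00:00"}

if __name__ == "__main__":
    cases = [
        (RequestKind.ACCESS, SESSION_AAL1),
        (RequestKind.DELETE, SESSION_AAL1),
        (RequestKind.DELETE, SESSION_AAL2),
        (RequestKind.DELETE, SESSION_EXPIRED),
    ]
    for kind, sess in cases:
        print(kind.value, "->", verify_dsr(kind, "user-42", sess, now=NOW).value)
```

The subject check matters as much as the assurance level: a strong session for the wrong identity must still be refused, otherwise a deletion endpoint becomes a way to erase other users' accounts.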
Children's privacy
For users under 13: COPPA applies (federal, not CCPA). For 13-16: opt-in to "sale" required.
Olympus's traits.age or traits.dob (if you add them) feed your minor-detection logic.
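The minor-detection logic this section describes, together with the opt-out flag mentioned under "Right to opt out of sale/sharing", as an added example that is not Olympus code. It assumes identity traits carry either `dob` (an ISO date string) or `age` (an integer), and that recorded choices live in a constructed `consent` dict with `sale_opt_in` / `sale_opt_out` keys; the age bands follow this page (under 13: COPPA; 13-16: opt-in to "sale" required; otherwise opt-out applies).

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Added example, not Olympus code. Resolves a user's age from traits and
# decides whether the app may "sell"/"share" their PI today.

COPPA_MAX_AGE = 12      # under 13: COPPA (federal) governs, not CCPA
OPT_IN_MAX_AGE = 16     # 13-16 inclusive, as this page states: "sale" needs opt-in

@dataclass(frozen=True)
class SaleDecision:
    age: Optional[int]
    category: str         # "child", "teen", "adult" or "unknown"
    coppa_applies: bool
    sale_permitted: bool  # may the app "sell"/"share" this user's PI?

def age_on(dob, on):
    """Whole years from `dob` to `on`; a Feb 29 birthday counts from Mar 1 in non-leap years."""
    years = on.year - dob.year
    if (on.month, on.day) < (dob.month, dob.day):
        years -= 1
    return years

def resolve_age(traits, on):
    """Prefer traits.dob (exact) over traits.age (goes stale); None if neither is set."""
    dob = traits.get("dob")
    if dob:
        return age_on(date.fromisoformat(dob), on)
    age = traits.get("age")
    return int(age) if age is not None else None

def sale_decision(traits, on, consent=None):
    consent = consent or {}
    age = resolve_age(traits, on)
    if age is None:
        # Unknown age: require an explicit opt-in rather than assuming adult.
        return SaleDecision(None, "unknown", False, bool(consent.get("sale_opt_in")))
    if age <= COPPA_MAX_AGE:
        # Parental consent under COPPA is handled outside this flow, so never sell here.
        return SaleDecision(age, "child", True, False)
    if age <= OPT_IN_MAX_AGE:
        # Teens: default is no sale; only an affirmative opt-in permits it.
        return SaleDecision(age, "teen", False, bool(consent.get("sale_opt_in")))
    # Adults: default permits sale; a recorded opt-out (the app-DB flag) withdraws it.
    return SaleDecision(age, "adult", False, not consent.get("sale_opt_out", False))

# Constructed sample traits and reference date.
ON = date(2024, 6, 1)
CHILD = {"dob": "2012-06-02"}   # turns 12 tomorrow, so 11 today
TEEN = {"dob": "2008-06-01"}    # exactly 16 today
ADULT = {"age": 30}             # age-only trait

if __name__ == "__main__":
    for label, traits in [("child", CHILD), ("teen", TEEN), ("adult", ADULT)]:
        print(label, sale_decision(traits, ON))
```

Note the asymmetry the code makes explicit: for a teen the absence of a record means no sale, for an adult the absence of a record means sale is permitted until they opt out, so the two cases cannot share one boolean column without a default that is wrong for one of them.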
Related
- Security, Compliance, GDPR (many overlapping concerns)
- Cookbook, GDPR DSR export
- Cookbook, Self-service account deletion