13. CCPA Considerations

Chapter 13 of 16 · 15 min

The California Consumer Privacy Act applies to businesses that collect personal information of California residents and meet revenue or data volume thresholds. Even small local AI deployments serving California customers may need to comply.

CCPA rights for California residents:

Right to know: Consumers can request what personal information is collected, including categories of data, specific data points, sources, purposes, and third parties.

Right to delete: Consumers can request deletion of their personal information, with exceptions for legal obligations and fraud prevention.

Right to opt-out: Consumers can opt out of the sale of their personal information. If your AI vendor shares data or you use third-party services that monetize data, this matters.

Right to non-discrimination: Businesses cannot penalize consumers for exercising CCPA rights.

CCPA compliance checklist for AI systems:

  1. Inventory personal information: What data does your AI collect and store? Create a data map.

  2. Implement consumer requests: Build mechanisms for consumers to submit access and deletion requests.

  3. Update privacy notices: If you have a website or customer-facing service, document AI data processing in your privacy policy.

  4. Verify vendor contracts: If using third-party AI services, confirm they provide CCPA-compliant data handling.

  5. Train staff: Ensure employees handling consumer requests understand CCPA requirements.

Technical controls:

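# `db` and `vector_db` are the application's own database and vector-store
# clients, initialized elsewhere; their query/execute/delete methods are assumed.

# Consumer data access response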
def handle_ccpa_know_request(consumer_id: str) -> dict:
    """Return all personal information about a consumer."""
    records = db.query(
        "SELECT * FROM interactions WHERE user_id = ?",
        [consumer_id]
    )
    
    return {
        "categories_collected": ["identifiers", "internet_activity"],
        "specific_data": records,
        "purpose": "AI-powered customer support",
        "third_parties": ["none"],  # Or list actual third parties
        "retention_period": "90 days"
    }

# Consumer data deletion
def handle_ccpa_delete_request(consumer_id: str) -> dict:
    """Delete all personal information for a consumer."""
    deleted_count = db.execute(
        "DELETE FROM interactions WHERE user_id = ?",
        [consumer_id]
    )
    
    # Also check downstream systems
    vector_db.delete_by_metadata("user_id", consumer_id)
    
    return {"records_deleted": deleted_count}
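
An added example, not part of the original course code: the delete handler extended to honor the legal-obligation and fraud-prevention exceptions named above and to track the 45-day response window. The `retention_hold` column, the sample rows and the in-memory SQLite database are assumptions constructed for illustration.

```python
import sqlite3
from datetime import date, timedelta

RESPONSE_WINDOW_DAYS = 45  # response window named in the exercise


def build_sample_db() -> sqlite3.Connection:
    """Constructed sample data; table and column names are assumptions."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE interactions ("
        "id INTEGER PRIMARY KEY, user_id TEXT, content TEXT, retention_hold TEXT)"
    )
    conn.executemany(
        "INSERT INTO interactions (user_id, content, retention_hold) VALUES (?, ?, ?)",
        [
            ("u-100", "chat about order status", None),
            ("u-100", "chat flagged in chargeback review", "fraud_prevention"),
            ("u-100", "invoice dispute transcript", "legal_obligation"),
            ("u-200", "password reset help", None),
        ],
    )
    return conn


def delete_with_exceptions(conn, consumer_id: str, received: date, today: date) -> dict:
    """Delete a consumer's rows except those under a documented hold."""
    due = received + timedelta(days=RESPONSE_WINDOW_DAYS)
    # Count what must be kept, grouped by reason, so the response can explain it.
    retained = conn.execute(
        "SELECT retention_hold, COUNT(*) FROM interactions "
        "WHERE user_id = ? AND retention_hold IS NOT NULL GROUP BY retention_hold",
        (consumer_id,),
    ).fetchall()
    with conn:  # commit on success, roll back on error
        cur = conn.execute(
            "DELETE FROM interactions WHERE user_id = ? AND retention_hold IS NULL",
            (consumer_id,),
        )
    return {
        "records_deleted": cur.rowcount,
        "records_retained": dict(retained),  # reason -> row count
        "response_due": due.isoformat(),
        "overdue": today > due,
    }


if __name__ == "__main__":
    db_conn = build_sample_db()
    print(delete_with_exceptions(db_conn, "u-100", date(2024, 1, 10), date(2024, 2, 1)))
```

The returned dictionary doubles as an audit record: it shows what was removed, what was retained and why, and whether the response is still inside the window.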

EXERCISE

Determine if CCPA applies to your deployment (do you have California users?). If yes, create a written policy for handling consumer data requests within the 45-day response window.