RUNLOCALAIv38
->Will it run?Best GPUCompareTroubleshootStartLearnPulseModelsHardwareToolsBench
Run check
RUNLOCALAI

Independently operated catalog for local-AI hardware and software. Hand-written verdicts. Source-cited claims. Reproducible commands when we have them.

OP·Eruo Fredoline
DIR
  • Models
  • Hardware
  • Tools
  • Benchmarks
TOOLS
  • Will it run?
  • Compare hardware
  • Cost vs cloud
  • Choose my GPU
  • Prompting kits
  • Quick answers
REF
  • All buyer guides
  • Learn local AI
  • Methodology
  • Glossary
  • Errors KB
  • Trust
EDITOR
  • About
  • Author
  • How we make money
  • Editorial policy
  • Contact
LEGAL
  • Privacy
  • Terms
  • Sitemap
MAIL · MONTHLY DIGEST
Get monthly local AI changes
Monthly recap. No spam.
DISCLOSURE

Some links on this site are affiliate links (Amazon Associates and other first-class retailers). When you buy through them, we earn a small commission at no extra cost to you. Affiliate links do not influence our verdicts — there are cards we rate highly that we don't have affiliate relationships with, and cards that sell well that we refuse to recommend. Read more →

© 2026 runlocalai.coIndependently operated
RUNLOCALAI · v38
  1. >
  2. Home
  3. /Learn
  4. /Courses
  5. /Security and Privacy for Local AI
  6. /Ch. 13
Security and Privacy for Local AI

13. CCPA Considerations

Chapter 13 of 16 · 15 min
KEY INSIGHT

CCPA applies based on who your users are, not where your servers are. If you serve California residents, you likely need CCPA controls. The operational burden is manageable: document what you collect, provide deletion mechanisms, and update notices.

The California Consumer Privacy Act applies to businesses that collect personal information of California residents and meet revenue or data volume thresholds. Even small local AI deployments serving California customers may need to comply.

CCPA rights for California residents:

Right to know: Consumers can request what personal information is collected, including: categories of data, specific data points, sources, purposes, and third parties.

Right to delete: Consumers can request deletion of their personal information, with exceptions for legal obligations and fraud prevention.

Right to opt-out: Consumers can opt out of sale of their personal information. If your AI vendor shares data or you use third-party services that monetize data, this matters.

Right to non-discrimination: Businesses cannot penalize consumers for exercising CCPA rights.

CCPA compliance checklist for AI systems:

  1. Inventory personal information: What data does your AI collect and store? Create a data map.

  2. Implement consumer requests: Build mechanisms for consumers to submit access and deletion requests.

  3. Update privacy notices: If you have a website or customer-facing service, document AI data processing in your privacy policy.

  4. Verify vendor contracts: If using third-party AI services, confirm they provide CCPA-compliant data handling.

  5. Train staff: Ensure employees handling consumer requests understand CCPA requirements.

Technical controls:

# Consumer data access response
def handle_ccpa_know_request(consumer_id: str) -> dict:
    """Return all personal information about a consumer."""
    records = db.query(
        "SELECT * FROM interactions WHERE user_id = ?",
        [consumer_id]
    )
    
    return {
        "categories_collected": ["identifiers", "internet_activity"],
        "specific_data": records,
        "purpose": "AI-powered customer support",
        "third_parties": ["none"],  # Or list actual third parties
        "retention_period": "90 days"
    }

# Consumer data deletion
def handle_ccpa_delete_request(consumer_id: str) -> dict:
    """Delete all personal information for a consumer."""
    deleted_count = db.execute(
        "DELETE FROM interactions WHERE user_id = ?",
        [consumer_id]
    )
    
    # Also check downstream systems
    vector_db.delete_by_metadata("user_id", consumer_id)
    
    return {"records_deleted": deleted_count}
EXERCISE

Determine if CCPA applies to your deployment (do you have California users?). If yes, create a written policy for handling consumer data requests within the 45-day response window.

← Chapter 12
GDPR Compliance
Chapter 14 →
Audit Logging