CCPA/CPRA for AI Systems
The California Consumer Privacy Act (CCPA) and its amendment, the California Privacy Rights Act (CPRA), establish significant privacy obligations for businesses using AI and machine learning with California residents' data.
CCPA vs CPRA Overview
The CPRA (effective January 2023) amended and expanded the original CCPA (2020). Key differences relevant to AI:
| Feature | CCPA (Original) | CPRA (Amendment) |
|---|---|---|
| Sensitive data | Not specifically defined | New category with additional protections |
| Data minimization | Not required | Collection must be proportionate to purpose |
| Automated decisions | Limited provisions | Right to opt out of automated decision-making |
| Enforcement | California Attorney General's office | Dedicated California Privacy Protection Agency |
| Purpose limitation | Basic requirements | Stronger restrictions on secondary use |
Key Rights Affecting AI Systems
Right to Know
Consumers can request to know what personal information a business collects about them and how it is used. For AI systems, this includes disclosing whether their data is used for model training or profiling.
Right to Delete
Consumers can request deletion of their personal data. Similar to GDPR's right to erasure, this poses challenges for ML models trained on that data.
Right to Opt Out of Sale/Sharing
Consumers can opt out of the sale or sharing of their personal data. If training data is shared with third parties for model training, this right applies.
Right to Limit Use of Sensitive Data
CPRA introduces the concept of sensitive personal information (Social Security numbers, precise geolocation, biometric data, health data, etc.) and gives consumers the right to limit how it is used.
Automated Decision-Making under CPRA
CPRA grants consumers the right to opt out of automated decision-making technology, including profiling. Businesses must:
- Provide notice before using automated decision-making
- Offer a mechanism to opt out
- Provide information about the logic used in the decision
- Allow consumers to request human review of decisions
CCPA/CPRA vs GDPR for AI
Key differences that matter for ML practitioners:
- Opt-out vs. opt-in: GDPR generally requires opt-in consent; CCPA/CPRA uses an opt-out model for most processing.
- Scope: CCPA/CPRA applies to businesses meeting revenue or data volume thresholds; GDPR applies to all organizations processing EU data.
- Private right of action: CCPA allows private lawsuits only for data breaches; GDPR allows complaints to supervisory authorities for any violation.
- De-identified data: CCPA has a specific definition and safe harbor for de-identified data that differs from GDPR's anonymization standard.
Compliance Checklist for AI Systems
CCPA/CPRA Compliance for ML Systems

1. Data Inventory
   - Catalog all personal information used for training
   - Identify sources (collected, purchased, third-party)
   - Map data flows through the ML pipeline
2. Privacy Notice
   - Disclose categories of data collected
   - State the purpose of collection (including ML training)
   - List categories of third parties the data is shared with
3. Consumer Rights Infrastructure
   - Implement data access request handling
   - Build a deletion pipeline (including model impact)
   - Create an opt-out mechanism for data sale/sharing
   - Provide an automated decision-making opt-out
4. Data Minimization (CPRA)
   - Document why each data category is necessary
   - Implement retention schedules
   - Review and purge unnecessary data regularly
5. Vendor Management
   - Audit third-party data providers
   - Include AI-specific terms in data processing agreements
   - Verify downstream use restrictions
Lilly Tech Systems