California Consumer Privacy Act (CCPA/CPRA)
The CCPA (effective 2020-01-01, amended by the CPRA) grants California residents rights over their personal information, including the right to know, delete, correct, access, opt out, and limit use. Ledgix evidences each right with signed Data Subject Request (DSR) records, subject-id-indexed ledger events, and versioned policy snapshots.
Status: Full — every control resolves to an artifact Ledgix produces today following the Phase 5 DSR workflow.
Scope
CCPA/CPRA applies to businesses that collect the personal information of California residents and meet specified revenue or data-volume thresholds. Coverage spans consumer rights (§§ 1798.100–.121), notice requirements (§ 1798.130, .135), response timelines (45 days, extensible by 45), recordkeeping (24 months), and security obligations (§ 1798.150).
Controls covered
| Control | Evidence types | Title | Evidence description |
|---|---|---|---|
| CCPA-1798.100 | dsr_records / events_jsonl | Right to Know — categories of personal information | Signed Right-to-Know intake records with 45-day deadline tracking plus subject_id-indexed ledger. |
| CCPA-1798.105 | dsr_records | Right to Delete | Signed Right-to-Delete records with redaction_mapping for immutable-ledger compatibility. |
| CCPA-1798.106 | dsr_records | Right to Correct Inaccurate Personal Information (CPRA) | Signed Right-to-Correct intake records. |
| CCPA-1798.110 | dsr_records / events_jsonl | Right to Access Specific Pieces of Information | Signed Right-to-Access records plus subject-indexed ledger supplying the specific pieces. |
| CCPA-1798.120 | dsr_records / policy_snapshots | Right to Opt Out of Sale or Sharing | Signed opt-out records plus versioned sharing-policy snapshots. |
| CCPA-1798.121 | dsr_records | Right to Limit Use and Disclosure of Sensitive PI (CPRA) | Signed Right-to-Limit-Use intake records. |
| CCPA-1798.130 | dsr_records | Notice, response timelines, and recordkeeping | All CCPA DSR records with received_at, deadline, verified_at, response_uri — retained for § 1798.130(a)(3)(A). |
| CCPA-1798.135 | policy_snapshots | Notice at Collection and Opt-Out Mechanisms | Versioned notice and collection policy documents. |
| CCPA-1798.150 | key_history / signatures / checkpoint_chain | Security and Data Breach Accountability | Cryptographic custody, tamper-evidence, and Merkle checkpoint chain. |
Evidence types referenced
- dsr_records — signed DSR intake records with 45-day deadline tracking, per-type filters, and fulfillment metadata.
- events_jsonl — subject_id-indexed processing records underlying the disclosure and access responses.
- policy_snapshots — versioned notice and sharing-policy documents.
- key_history — cryptographic key custody history.
- signatures — export integrity signature.
- checkpoint_chain — Merkle checkpoint chain demonstrating record integrity.
Known gaps (if any)
None — every control resolves to an artifact Ledgix produces today. Subject-id indexing on events requires tenants to populate subject_id on their requests; the CCPA regime automatically applies a 45-day deadline and 24-month retention to DSR records.
Audit pack workflow
Export an evidence ZIP for this framework from the admin console's Evidence Exports panel by selecting California Consumer Privacy Act (CCPA/CPRA) and a time window. Each control's evidence_locators[] in the included framework_mapping.json points to the corresponding file in the ZIP.
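One way to check an exported pack before handing it to an auditor is to confirm that every locator in framework_mapping.json resolves to a file inside the ZIP. This is an added example, not Ledgix code. Only the `framework_mapping.json` file name and the per-control `evidence_locators` array come from this page; the top-level `controls` list, the `id` key, and the sample file names are assumptions made for illustration.

```python
import io
import json
import posixpath
import zipfile


def check_audit_pack(fileobj, mapping_name="framework_mapping.json"):
    """Return {control_id: [problem, ...]} for controls whose evidence does not resolve."""
    problems = {}
    with zipfile.ZipFile(fileobj) as pack:
        members = {n for n in pack.namelist() if not n.endswith("/")}
        mapping = json.loads(pack.read(mapping_name))
    for control in mapping["controls"]:  # assumed key, not documented on the page
        issues = []
        locators = control.get("evidence_locators", [])
        if not locators:
            issues.append("no evidence_locators")
        for loc in locators:
            norm = posixpath.normpath(loc)
            # A locator must stay inside the pack: no absolute or parent-relative paths.
            if loc.startswith("/") or norm == ".." or norm.startswith("../"):
                issues.append(f"locator escapes pack: {loc}")
            elif norm not in members:
                issues.append(f"missing file: {loc}")
        if issues:
            problems[control["id"]] = issues  # assumed key
    return problems


def build_sample_pack():
    """Constructed sample ZIP; JSON layout and file names are illustrative only."""
    mapping = {"controls": [
        {"id": "CCPA-1798.100", "evidence_locators": ["dsr_records/know.jsonl", "events.jsonl"]},
        {"id": "CCPA-1798.135", "evidence_locators": ["policy_snapshots/notice_v3.json"]},
        {"id": "CCPA-1798.150", "evidence_locators": ["../key_history.json"]},
        {"id": "CCPA-1798.121", "evidence_locators": []},
    ]}
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as pack:
        pack.writestr("framework_mapping.json", json.dumps(mapping))
        pack.writestr("dsr_records/know.jsonl", "{}\n")
        pack.writestr("events.jsonl", "{}\n")
    buf.seek(0)
    return buf


if __name__ == "__main__":
    for control_id, issues in check_audit_pack(build_sample_pack()).items():
        print(control_id, issues)
```

An empty result means every control in the mapping points at a file that is present in the pack; it says nothing about whether the signatures or checkpoint chain verify.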
References
- Framework mapping JSON: vault/internal/compliance/frameworks/ccpa.json
- Canonical source: California Consumer Privacy Act — oag.ca.gov