Do Not Sell
Required opt-out mechanism for data sales
Consumer Rights
Handle access, deletion, and correction requests
GPC Support
Automatic Global Privacy Control signal handling
Compliance Tools
Built-in APIs for CCPA requirements
CCPA Overview
The California Consumer Privacy Act (CCPA), enhanced by the California Privacy Rights Act (CPRA), gives California residents significant rights over their personal information. It applies to businesses that meet certain thresholds.
CCPA Applies If You:
- Have gross annual revenue over $25 million
- Buy, sell, or share personal info of 100,000+ consumers/households
- Derive 50%+ of revenue from selling/sharing personal info
Penalties
Unintentional Violations
Up to $2,500 per violation
Intentional Violations
Up to $7,500 per violation
Violations Involving Minors
Up to $7,500 per violation (CPRA)
What is 'Personal Information' under CCPA?
Consumer Rights
CCPA grants California consumers specific rights. Your business must have processes to handle these requests within 45 days (extendable to 90 days).
Right to Know
Consumers can request what personal information you collect and how it is used
Right to Delete
Consumers can request deletion of their personal information
Right to Opt-Out
Consumers can opt out of the "sale" or "sharing" of their personal information
Right to Non-Discrimination
Cannot discriminate against consumers who exercise their privacy rights
Do Not Sell My Personal Information
CCPA requires a clear "Do Not Sell or Share My Personal Information" link on your website. This opt-out must be easy to find and use.
What counts as "Selling"?
```tsx
'use client'
import { useConsent } from '@sylphx/sdk/react'
import Link from 'next/link'

export function Footer() {
  const { showPreferences } = useConsent()

  return (
    <footer className="border-t py-8">
      <div className="flex gap-6 text-sm text-muted-foreground">
        <Link href="/privacy">Privacy Policy</Link>
        <Link href="/terms">Terms of Service</Link>
        {/* Required CCPA link: opens the consent preference center */}
        <button
          onClick={showPreferences}
          className="hover:text-foreground transition-colors"
        >
          Do Not Sell or Share My Personal Information
        </button>
      </div>
    </footer>
  )
}
```

```typescript
import { platform } from '@/lib/platform'

// Handle opt-out of sale/sharing
export async function handleDoNotSell(userId: string) {
  await platform.consent.setConsents(userId, {
    // Disable data sharing categories
    marketing: false,
    targeting: false,
    thirdPartySharing: false,
  })

  // Record the opt-out for compliance
  await platform.consent.recordOptOut({
    userId,
    type: 'do_not_sell',
    timestamp: new Date().toISOString(),
    source: 'footer_link',
  })

  // Notify downstream partners to stop processing
  await platform.webhooks.trigger('consent.opt_out', {
    userId,
    categories: ['marketing', 'targeting', 'thirdPartySharing'],
  })
}

// Check opt-out status before sharing data.
// A stored opt-out and a detected GPC signal are each binding on their own.
export async function canShareData(userId: string): Promise<boolean> {
  const optOut = await platform.consent.getOptOutStatus(userId)
  return !optOut.doNotSell && !optOut.gpcEnabled
}
```

Right to Know
Consumers can request disclosure of what personal information you collect, the sources, the purposes, and any third parties with whom you share it.
```typescript
import { platform } from '@/lib/platform'

// Handle "Right to Know" request
export async function handleRightToKnow(userId: string) {
  // Verify consumer identity (required by CCPA).
  // verifyConsumerIdentity is an application-provided helper not shown on this page.
  const verified = await verifyConsumerIdentity(userId)
  if (!verified) {
    throw new Error('Unable to verify identity')
  }

  // Gather all required disclosure information
  const disclosure = await platform.consent.generateDisclosure(userId)
  // Returns structured disclosure:
  // {
  //   categories: [
  //     { category: 'Identifiers', examples: ['name', 'email', 'IP address'], source: 'Direct from consumer' },
  //     { category: 'Commercial Info', examples: ['purchase history'], source: 'Direct from consumer' },
  //     { category: 'Internet Activity', examples: ['browsing history', 'search queries'], source: 'Automatic collection' },
  //   ],
  //   purposes: [
  //     'To provide our services',
  //     'To personalize your experience',
  //     'To communicate with you',
  //   ],
  //   thirdParties: [
  //     { name: 'Analytics Provider', categories: ['Internet Activity'] },
  //     { name: 'Payment Processor', categories: ['Identifiers', 'Commercial Info'] },
  //   ],
  //   retentionPeriod: '3 years',
  // }

  // Optionally include the specific pieces of personal information held
  const personalData = await platform.consent.exportUserData(userId, {
    format: 'json',
    includeInferred: true,
  })

  return { disclosure, personalData }
}
```

Right to Delete
Consumers can request deletion of their personal information. You must also notify any service providers to delete the data.
```typescript
import { platform } from '@/lib/platform'

// Handle deletion request
export async function handleDeletionRequest(userId: string) {
  // Verify consumer identity.
  // verifyConsumerIdentity is an application-provided helper not shown on this page.
  const verified = await verifyConsumerIdentity(userId)
  if (!verified) {
    throw new Error('Unable to verify identity')
  }

  // Check for exceptions. CCPA allows keeping data for:
  // - Completing transactions
  // - Detecting security incidents
  // - Legal compliance
  // - Internal uses compatible with consumer expectations
  const exceptions = await checkDeletionExceptions(userId)

  // Look up the consumer's contact address before the profile is deleted,
  // otherwise there is nothing left to send the confirmation to.
  // platform.users.get is assumed here; substitute your own user lookup.
  const user = await platform.users.get(userId)

  // Request deletion (excluding excepted data)
  const result = await platform.consent.requestDeletion({
    userId,
    scope: 'all',
    excludeRetained: exceptions,
  })

  // Notify service providers to delete data
  await platform.webhooks.trigger('consent.deletion_request', {
    userId,
    requestId: result.requestId,
    excludedCategories: exceptions,
  })

  // Send confirmation to consumer
  await platform.email.send({
    to: user.email,
    template: 'deletion-confirmed',
    data: {
      requestId: result.requestId,
      completionDate: result.estimatedCompletion,
      retainedData: exceptions.length > 0 ? exceptions : null,
    },
  })

  return result
}

// Returns the categories of data that must be retained despite the request.
// getPendingOrders and checkLegalHold are application-provided helpers not shown on this page.
async function checkDeletionExceptions(userId: string): Promise<string[]> {
  const exceptions: string[] = []

  // Check for pending transactions
  const pendingOrders = await getPendingOrders(userId)
  if (pendingOrders.length > 0) {
    exceptions.push('transaction_records')
  }

  // Check for legal hold
  const legalHold = await checkLegalHold(userId)
  if (legalHold) {
    exceptions.push('legal_records')
  }

  return exceptions
}
```

GDPR vs CCPA: Key Differences
While both laws protect consumer privacy, they have important differences in approach.
| Aspect | GDPR | CCPA/CPRA |
|---|---|---|
| Consent Model | Opt-in required | Opt-out (except for minors) |
| Lawful Basis | Six lawful bases required | No lawful basis requirement |
| Data Sales | Part of general consent | Specific opt-out required |
| Response Time | 30 days | 45 days (up to 90) |
| Private Right of Action | Limited | Yes (data breaches only) |
| Cookie Consent | Required for tracking | Not specifically required |
Compliance Strategy
CPRA Updates (Effective 2023)
The California Privacy Rights Act (CPRA) amended CCPA with additional requirements and consumer rights.
Right to Correct
Consumers can request correction of inaccurate personal information
Right to Limit
Limit use and disclosure of sensitive personal information
Expanded "Sharing"
Cross-context behavioral advertising now requires opt-out
Data Minimization
Collect only necessary data, retention limits required
CPPA Enforcement
New California Privacy Protection Agency with enforcement powers
Higher Penalties
Triple penalties for violations involving minors
```typescript
import { platform } from '@/lib/platform'

// Handle correction request (CPRA)
export async function handleCorrectionRequest(
  userId: string,
  corrections: Record<string, unknown>
) {
  // Verify consumer identity.
  // verifyConsumerIdentity is an application-provided helper not shown on this page.
  const verified = await verifyConsumerIdentity(userId)
  if (!verified) {
    throw new Error('Unable to verify identity')
  }

  // Apply corrections
  const result = await platform.users.update(userId, corrections)

  // Log the correction for audit trail
  await platform.consent.logCorrection({
    userId,
    fields: Object.keys(corrections),
    timestamp: new Date().toISOString(),
    requestSource: 'consumer_request',
  })

  // Notify service providers of the correction
  await platform.webhooks.trigger('user.corrected', {
    userId,
    fields: Object.keys(corrections),
  })

  return result
}
```

```typescript
// CPRA defines sensitive personal information that requires extra protection
export const sensitiveCategories = [
  'social_security_number',
  'financial_account',
  'geolocation',
  'racial_ethnic_origin',
  'religious_beliefs',
  'union_membership',
  'mail_email_text_content',
  'genetic_data',
  'biometric_data',
  'health_data',
  'sex_life_sexual_orientation',
]

// Limit use of sensitive data
export async function limitSensitiveDataUse(userId: string) {
  await platform.consent.setConsents(userId, {
    sensitiveDataUse: 'necessary_only', // Limit to service provision only
  })
  // This prevents:
  // - Cross-context behavioral advertising with sensitive data
  // - Sharing sensitive data with third parties
  // - Using sensitive data for profiling
}
```

Global Privacy Control (GPC)
CCPA requires honoring the Global Privacy Control signal as a valid opt-out request for data sales/sharing.
```tsx
'use client'
import { useConsent } from '@sylphx/sdk/react'
import { useEffect } from 'react'
// The Shield icon was used without an import in the original; lucide-react is assumed here.
import { Shield } from 'lucide-react'

export function GPCHandler() {
  const { gpcEnabled, setConsents } = useConsent()

  useEffect(() => {
    // GPC is automatically detected by the SDK
    if (gpcEnabled) {
      // Automatically treat as opt-out of sale/sharing
      setConsents({
        marketing: false,
        targeting: false,
        thirdPartySharing: false,
      })
      console.log('GPC signal detected - applying opt-out preferences')
    }
  }, [gpcEnabled, setConsents])

  // Show indicator if GPC is enabled
  if (gpcEnabled) {
    return (
      <div className="text-sm text-muted-foreground flex items-center gap-2">
        <Shield className="w-4 h-4 text-success" />
        Global Privacy Control enabled
      </div>
    )
  }

  return null
}
```

GPC is Legally Binding
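A server-side counterpart to the client handler above, added here as an example and not part of the @sylphx SDK: it reads the `Sec-GPC` request header (the GPC specification defines `1` as the only valid value) and gates sale/sharing decisions on that signal together with the stored opt-out record. The header object shape and the `OptOutRecord` type are assumptions made for the example.

```typescript
// Added example (not SDK code): honour the Global Privacy Control signal on the server.
// Browsers with GPC enabled send the request header `Sec-GPC: 1`; any other
// value, or no header at all, means no signal was sent.

// Minimal header shape so the example runs without a web framework (assumed).
type HeaderMap = Record<string, string | string[] | undefined>

// Stored opt-out record for a known consumer (assumed shape).
type OptOutRecord = { doNotSell: boolean }

// The spec allows exactly one value, "1". Treat anything else as "no signal"
// rather than guessing at the consumer's intent.
function hasGpcSignal(headers: HeaderMap): boolean {
  const raw = headers['sec-gpc'] ?? headers['Sec-GPC']
  const value = Array.isArray(raw) ? raw[0] : raw
  return value !== undefined && value.trim() === '1'
}

// Decide whether personal information may be sold or shared for this request.
// A stored opt-out and a live GPC header are each sufficient on their own;
// the consumer never needs to have clicked the "Do Not Sell" link.
function canShareForRequest(headers: HeaderMap, stored: OptOutRecord): boolean {
  if (stored.doNotSell) return false
  if (hasGpcSignal(headers)) return false
  return true
}

// For an authenticated consumer, persist the signal so the opt-out also applies
// to requests that arrive without the header. Returns the updated record;
// writing it back to the consent store is left to the caller.
function applyGpcToRecord(headers: HeaderMap, stored: OptOutRecord): OptOutRecord {
  return hasGpcSignal(headers) ? { doNotSell: true } : stored
}
```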
Implementation Checklist
- Add "Do Not Sell or Share" Link (Required): Prominently display in website footer and privacy policy
- Implement Opt-Out Mechanism (Required): Allow consumers to opt out of data sales/sharing
- Handle Consumer Requests (Required): Set up processes for access, deletion, and correction requests
- Verify Consumer Identity (Required): Implement reasonable verification for requests
- Honor GPC Signals (Required): Automatically detect and respect Global Privacy Control
- Update Privacy Policy (Required): Include CCPA-required disclosures
- Train Staff (Required): Ensure customer service can handle privacy requests
- Notify Service Providers (Required): Pass opt-out requests to downstream processors
- Track Request Metrics: Maintain records of requests received and response times
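A request-clock helper for the 45-day response window (extendable to 90 days) described under Consumer Rights and for the request metrics item in the checklist, added here as an example and not SDK code. The request record shape is an assumption; the one-time extension must be granted while the initial window is still open, which is what the guard in `extendRequest` enforces.

```typescript
// Added example (not SDK code): track the CCPA response clock for consumer requests.
// CCPA gives 45 days from receipt, extendable once by a further 45 days (90 total)
// provided the consumer is notified within the first 45 days.
// All times are UTC millisecond timestamps; sample values live in the test.
const DAY_MS = 24 * 60 * 60 * 1000
const INITIAL_WINDOW_DAYS = 45
const EXTENSION_DAYS = 45

// Assumed record shape for a tracked request.
interface ConsumerRequest {
  id: string
  type: 'know' | 'delete' | 'correct' | 'opt_out'
  receivedAt: number   // when the request arrived, not when identity was verified
  extendedAt?: number  // when the consumer was told about the extension
  completedAt?: number
}

function deadlineFor(req: ConsumerRequest): number {
  const days = req.extendedAt === undefined
    ? INITIAL_WINDOW_DAYS
    : INITIAL_WINDOW_DAYS + EXTENSION_DAYS
  return req.receivedAt + days * DAY_MS
}

// Extend only once, and only while the initial window is still open; an
// extension granted after the deadline has passed does not cure a late response.
function extendRequest(req: ConsumerRequest, notifiedAt: number): ConsumerRequest {
  if (req.extendedAt !== undefined) throw new Error('request already extended')
  if (notifiedAt > deadlineFor(req)) throw new Error('initial deadline already passed')
  return { ...req, extendedAt: notifiedAt }
}

// A completed request is judged by its completion time, an open one by "now".
function isOverdue(req: ConsumerRequest, now: number): boolean {
  const finishedBy = req.completedAt ?? now
  return finishedBy > deadlineFor(req)
}

// The record-keeping the checklist asks for: counts plus mean response time in days.
function responseMetrics(requests: ConsumerRequest[], now: number) {
  const completed = requests.filter(r => r.completedAt !== undefined)
  const totalDays = completed.reduce((sum, r) => sum + (r.completedAt! - r.receivedAt) / DAY_MS, 0)
  return {
    received: requests.length,
    completed: completed.length,
    overdue: requests.filter(r => isOverdue(r, now)).length,
    meanResponseDays: completed.length > 0 ? totalDays / completed.length : 0,
  }
}
```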