CCPA/CPRA合规专家工具包：自动化隐私检查器与数据映射器，助力加州隐私法案合规

ccpa-cpra-privacy-expert by borghei/claude-skills

1 周安装量

29 GitHub Stars

GitHub

安装命令

npx skills add https://github.com/borghei/claude-skills --skill ccpa-cpra-privacy-expert

自动化法律合规安全

🇨🇳中文介绍

CCPA/CPRA 隐私专家

适用于《加州消费者隐私法案》(CCPA) 和《加州隐私权法案》(CPRA) 合规性的工具和指南。

工具

CCPA 合规性检查器

根据所有 CCPA/CPRA 要求评估组织的准备情况。验证隐私政策、消费者权利处理、技术保障措施和退出机制。

# 从 JSON 配置文件检查合规性
python scripts/ccpa_compliance_checker.py --input company_profile.json

# 生成空白输入模板
python scripts/ccpa_compliance_checker.py --template > company_profile.json

# 用于自动化的 JSON 输出
python scripts/ccpa_compliance_checker.py --input company_profile.json --json

# 将报告导出到文件
python scripts/ccpa_compliance_checker.py --input company_profile.json --output report.json

评估类别：

类别	关键检查项
适用性	收入阈值、消费者数量、数据销售收入
隐私政策

广告位招租

在这里展示您的产品或服务

触达数万 AI 开发者，精准高效

联系我们

CCPA 数据映射器

映射个人信息类别，识别敏感个人信息，跟踪数据在收集、使用、共享和出售过程中的流向。生成数据清单报告。

# 从 JSON 数据清单映射数据
python scripts/ccpa_data_mapper.py --input data_inventory.json

# 生成空白清单模板
python scripts/ccpa_data_mapper.py --template > data_inventory.json

# 导出映射报告
python scripts/ccpa_data_mapper.py --input data_inventory.json --output mapping_report.json

# 生成数据流图（基于文本）
python scripts/ccpa_data_mapper.py --input data_inventory.json --flow-diagram

映射所有 11 个 CCPA 个人信息类别
根据 CPRA 定义识别敏感个人信息 (SPI)
跟踪数据流：收集来源、商业目的、共享/出售接收方
将数据映射到服务提供商、承包商和第三方
生成符合 CCPA 要求的数据清单，用于隐私政策披露
标记跨境数据传输
检测数据保留缺口

跟踪的个人信息类别：

类别	CCPA 章节	示例
标识符	1798.140(v)(1)(A)	姓名、SSN、IP地址、电子邮件
客户记录	1798.140(v)(1)(B)	财务信息、医疗信息
受保护分类	1798.140(v)(1)(C)	种族、性别、年龄、残疾
商业信息	1798.140(v)(1)(D)	购买历史、趋势
生物识别信息	1798.140(v)(1)(E)	指纹、面部几何特征
互联网活动	1798.140(v)(1)(F)	浏览、搜索、互动
地理位置数据	1798.140(v)(1)(G)	精确位置
感官数据	1798.140(v)(1)(H)	音频、视觉、热感
专业信息	1798.140(v)(1)(I)	就业、教育
教育信息	1798.140(v)(1)(J)	非公开教育记录
推断信息	1798.140(v)(1)(K)	画像、偏好

CCPA/CPRA 要求指南

references/ccpa-cpra-requirements-guide.md

完整的法规要求涵盖：

完整的 CCPA/CPRA 文本分析及章节引用
消费者权利实施指南（知情权、删除权、退出权、更正权、可携权、限制 SPI 使用权）
隐私政策内容要求和模板
服务提供商和承包商协议要求
与弗吉尼亚州 VCDPA、科罗拉多州 CPA、康涅狄格州 CTDPA 和 GDPR 的比较
执法和处罚结构

references/ccpa-implementation-playbook.md

分步实施指南：

6个月实施路线图
数据映射方法和模板
隐私政策起草指南
退出机制实施（网站、GPC、通用退出）
消费者请求工作流程设计及 SLA 跟踪
员工和供应商培训计划大纲
年度网络安全审计规划
持续合规性监控

工作流程 1：初始 CCPA/CPRA 合规性评估

Step 1: 确定适用性
        → 检查 2500万美元收入、10万+消费者、50%+ PI 收入阈值
        → 审查豁免情况（HIPAA、GLBA、就业数据）

Step 2: 生成合规性配置文件模板
        → python scripts/ccpa_compliance_checker.py --template > profile.json
        → 填写组织详细信息

Step 3: 运行合规性评估
        → python scripts/ccpa_compliance_checker.py --input profile.json

Step 4: 审查得分和发现项
        → 首先解决关键缺口（退出链接、隐私政策）
        → 按类别规划修复

Step 5: 创建数据清单
        → python scripts/ccpa_data_mapper.py --template > inventory.json
        → 记录所有收集的 PI 类别
        → python scripts/ccpa_data_mapper.py --input inventory.json

Step 6: 制定实施计划
        → 参见 references/ccpa-implementation-playbook.md

工作流程 2：消费者权利请求处理

Step 1: 接收消费者请求
        → 识别请求类型（知情、删除、退出、更正、可携、限制 SPI）

Step 2: 在 10 个工作日内确认（确认收到）
        → 在跟踪系统中记录请求

Step 3: 验证消费者身份
        → 标准请求匹配 2+ 个数据点
        → 敏感数据请求匹配 3+ 个数据点
        → 退出请求无需验证

Step 4: 在 45 个日历日内完成请求
        → 延期：最多可额外延长 45 天并通知
        → 使用数据清单搜索所有系统
        → python scripts/ccpa_data_mapper.py --input inventory.json

Step 5: 交付响应
        → 如果请求，以可移植格式提供信息
        → 记录完成情况和响应

Step 6: 监控合规性
        → 跟踪响应时间和完成率
        → 生成季度合规性报告

工作流程 3：隐私政策更新周期

Step 1: 根据要求审查当前隐私政策
        → python scripts/ccpa_compliance_checker.py --input profile.json
        → 检查 privacy_policy 类别得分

Step 2: 更新数据清单
        → python scripts/ccpa_data_mapper.py --input inventory.json
        → 验证所有 PI 类别均已披露

Step 3: 验证要求的披露内容
        → 收集的 PI 类别（过去 12 个月）
        → PI 来源
        → 商业/商业目的
        → 第三方类别
        → 消费者权利描述
        → "请勿出售或共享"链接
        → "限制使用我的敏感 PI"链接

Step 4: 更新并发布
        → 至少每年更新一次
        → 重大变更后 30 天内更新
        → 维护先前版本存档

日期	里程碑
2020年1月1日	CCPA 生效
2020年7月1日	司法部长开始执法
2020年11月3日	CPRA 通过（第24号提案）
2023年1月1日	CPRA 修正案生效
2023年7月1日	CPPA 开始执行 CPRA
2026年	就业和 B2B 数据豁免状态审查

如果满足以下条件，企业将受 CCPA/CPRA 约束：

年总收入超过 2500万美元
每年购买、出售或共享 10万+ 消费者或家庭 的 PI
年收入的 50% 或更多 来自出售或共享消费者的 PI

实体	定义	义务
企业	确定处理的目的和方式	完全遵守 CCPA/CPRA
服务提供商	代表企业处理 PI（合同约定）	有限使用、删除义务
承包商	通过书面合同处理 PI（CPRA 新增）	认证、有限使用、审计权
第三方	非作为服务提供商/承包商接收 PI	受退出权约束

HIPAA 覆盖实体：受 HIPAA 管辖的健康数据豁免
GLBA：受 GLBA 约束的财务数据豁免
就业数据：员工/申请人 PI（截至 2026 年接受审查）
B2B 数据：B2B 交易中的业务联系人 PI（截至 2026 年接受审查）
FCRA：受《公平信用报告法》约束的数据

权利	CCPA 章节	描述	时间线
知情权	§1798.100, §1798.110	收集的 PI 类别和具体内容	45天
删除权	§1798.105	删除从消费者处收集的 PI	45天
退出权	§1798.120	选择退出 PI 的出售或共享	立即
不受歧视权	§1798.125	不因行使权利而受到报复	持续
更正权	§1798.106	更正不准确的 PI (CPRA)	45天
限制 SPI 使用权	§1798.121	限制敏感 PI 的使用 (CPRA)	立即
数据可携权	§1798.130	以可移植格式接收 PI (CPRA)	45天

敏感个人信息 (CPRA)

根据 CPRA §1798.140(ae) 需要加强保护的 SPI 类别：

社会安全号码、驾照、州身份证、护照号码
账户登录凭据（用户名 + 密码/安全问题）
带有访问凭据的财务账户号码
精确地理位置（1850 英尺/半径范围内）
种族或民族血统
宗教或哲学信仰
工会会员身份
邮件、电子邮件和短信内容（除非企业是预期接收者）
基因数据
用于识别的生物识别数据
健康信息
性生活或性取向数据

违规类型	处罚	执法者
非故意违规	每次违规 2,500 美元	CPPA / 司法部长
故意违规	每次违规 7,500 美元	CPPA / 司法部长
涉及未成年人（16岁以下）的违规	每次违规 7,500 美元	CPPA / 司法部长
数据泄露（私人诉讼）	每位消费者每次事件 100-750 美元	消费者（法院）

加州隐私保护局 (CPPA)：CPRA 下的主要执法者（2023年运作）
加州司法部长：保留执法权
私人诉讼权：仅限于因未能维护合理安全而导致的数据泄露

CCPA 与 GDPR 比较

方面	CCPA/CPRA	GDPR
范围	加州消费者	欧盟/欧洲经济区数据主体
法律基础	选择退出模式	选择加入（同意或法律基础）
涵盖数据	个人信息	个人数据
敏感数据	具有限制使用权的 SPI	需要明确同意的特殊类别
泄露通知	司法部长通知、私人诉讼	72 小时内通知 DPA
DPO 要求	无	某些处理需要
处罚	每次违规 2,500-7,500 美元	最高全球收入的 4% 或 2000 万欧元
私人诉讼权	仅限数据泄露	各成员国不同
跨境传输	无限制	充分性决定、SCCs、BCRs
儿童数据	16岁以下需选择加入，13岁以下需父母同意	16岁以下需父母同意（可变）

基础设施隐私控制

Cookie 同意管理：

为非必要 Cookie 实施 Cookie 同意横幅
遵守全球隐私控制 (GPC) 浏览器信号（法律要求）
维护 Cookie 清单及保留期限
对 Cookie 进行分类：严格必要、功能性、分析、广告

全球隐私控制 (GPC)：

企业必须将 GPC 信号视为有效的退出请求 (§1798.135)
技术实现：检测 Sec-GPC: 1 头信息或 navigator.globalPrivacyControl
将退出应用于 PI 的出售 AND 共享
GPC 无需重新认证

数据最小化：仅收集披露目的所必需的 PI
目的限制：仅将 PI 用于收集时披露的目的
存储限制：仅在必要时保留 PI
默认安全：对静态和传输中的 PI 进行加密

数据清单和映射：

在所有系统中维护全面的 PI 清单
映射数据流：收集 → 处理 → 共享 → 删除
记录每个 PI 类别的保留计划
跟踪跨境数据传输

自动化决策：

披露自动化决策技术的使用
为产生法律或重大影响的画像提供退出选项
CPRA 法规可能要求访问自动化决策的逻辑

第 1-2 个月：发现和评估

确定 CCPA/CPRA 适用性
进行数据清单和映射
根据要求进行差距分析
分配合规性所有权

第 3-4 个月：实施

起草/更新隐私政策
实施"请勿出售或共享"链接
实施"限制 SPI 使用"链接
部署 GPC 信号检测
构建消费者请求接收和履行工作流程
起草服务提供商/承包商协议

第 5-6 个月：运营化

培训员工了解隐私义务
端到端测试消费者请求工作流程
进行初步风险评估
规划年度网络安全审计
建立持续监控和指标
为监管辩护记录合规计划

🇺🇸English

CCPA/CPRA Privacy Expert

Tools and guidance for California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA) compliance.

Tools
- CCPA Compliance Checker
- CCPA Data Mapper
Reference Guides
Workflows
Regulatory Overview

Tools

CCPA Compliance Checker

Evaluates organizational readiness against all CCPA/CPRA requirements. Validates privacy policies, consumer rights handling, technical safeguards, and opt-out mechanisms.

# Check compliance from a JSON profile
python scripts/ccpa_compliance_checker.py --input company_profile.json

# Generate a blank input template
python scripts/ccpa_compliance_checker.py --template > company_profile.json

# JSON output for automation
python scripts/ccpa_compliance_checker.py --input company_profile.json --json

# Export report to file
python scripts/ccpa_compliance_checker.py --input company_profile.json --output report.json

Assessment Categories:

Category	Key Checks
Applicability	Revenue threshold, consumer count, data selling revenue
Privacy Policy	Required disclosures, update cadence, accessibility
Consumer Rights	Request handling, verification, timelines
Opt-Out Mechanisms	"Do Not Sell" link, GPC signal, cookie consent
Sensitive PI	SPI categories, use limitation link, handling controls
Technical Safeguards	Encryption, access controls, security measures
Service Providers	Agreement requirements, data processing terms
Risk Assessments	Annual audits, processing risk evaluations

Output:

Overall compliance score (0-100)
Per-category scores with pass/fail/partial status
Prioritized findings with regulatory references
Remediation recommendations

CCPA Data Mapper

Maps personal information categories, identifies sensitive personal information, tracks data flows across collection, use, sharing, and selling. Generates data inventory reports.

# Map data from a JSON data inventory
python scripts/ccpa_data_mapper.py --input data_inventory.json

# Generate a blank inventory template
python scripts/ccpa_data_mapper.py --template > data_inventory.json

# Export mapping report
python scripts/ccpa_data_mapper.py --input data_inventory.json --output mapping_report.json

# Generate data flow diagram (text-based)
python scripts/ccpa_data_mapper.py --input data_inventory.json --flow-diagram

Features:

Maps all 11 CCPA personal information categories
Identifies sensitive personal information (SPI) per CPRA definitions
Tracks data flows: collection sources, business purposes, sharing/selling recipients
Maps data to service providers, contractors, and third parties
Generates CCPA-compliant data inventory for privacy policy disclosures
Flags cross-border data transfers
Detects data retention gaps

Personal Information Categories Tracked:

Category	CCPA Section	Examples
Identifiers	1798.140(v)(1)(A)	Name, SSN, IP address, email
Customer Records	1798.140(v)(1)(B)	Financial info, medical info
Protected Classifications	1798.140(v)(1)(C)	Race, sex, age, disability
Commercial Information	1798.140(v)(1)(D)	Purchase history, tendencies
Biometric Information	1798.140(v)(1)(E)	Fingerprints, face geometry
Internet Activity	1798.140(v)(1)(F)	Browsing, search, interaction
Geolocation Data	1798.140(v)(1)(G)	Precise location
Sensory Data	1798.140(v)(1)(H)	Audio, visual, thermal
Professional Info	1798.140(v)(1)(I)

Reference Guides

CCPA/CPRA Requirements Guide

references/ccpa-cpra-requirements-guide.md

Complete regulatory requirements covering:

Full CCPA/CPRA text analysis with section references
Consumer rights implementation guidance (Right to Know, Delete, Opt-Out, Correct, Portability, Limit SPI Use)
Privacy policy content requirements and templates
Service provider and contractor agreement requirements
Comparison with Virginia VCDPA, Colorado CPA, Connecticut CTDPA, and GDPR
Enforcement and penalty structure

CCPA Implementation Playbook

references/ccpa-implementation-playbook.md

Step-by-step implementation guidance:

6-month implementation roadmap
Data mapping methodology and templates
Privacy policy drafting guide
Opt-out mechanism implementation (website, GPC, universal opt-out)
Consumer request workflow design with SLA tracking
Employee and vendor training program outline
Annual cybersecurity audit planning
Ongoing compliance monitoring

Workflows

Workflow 1: Initial CCPA/CPRA Compliance Assessment

Step 1: Determine applicability
        → Check $25M revenue, 100K+ consumers, 50%+ PI revenue thresholds
        → Review exemptions (HIPAA, GLBA, employment data)

Step 2: Generate compliance profile template
        → python scripts/ccpa_compliance_checker.py --template > profile.json
        → Fill in organizational details

Step 3: Run compliance assessment
        → python scripts/ccpa_compliance_checker.py --input profile.json

Step 4: Review scores and findings
        → Address critical gaps first (opt-out link, privacy policy)
        → Plan remediation by category

Step 5: Create data inventory
        → python scripts/ccpa_data_mapper.py --template > inventory.json
        → Document all PI categories collected
        → python scripts/ccpa_data_mapper.py --input inventory.json

Step 6: Develop implementation plan
        → See references/ccpa-implementation-playbook.md

Workflow 2: Consumer Rights Request Handling

Step 1: Receive consumer request
        → Identify request type (Know, Delete, Opt-Out, Correct, Portability, Limit SPI)

Step 2: Acknowledge within 10 business days (confirm receipt)
        → Document request in tracking system

Step 3: Verify consumer identity
        → Match 2+ data points for standard requests
        → Match 3+ data points for sensitive data requests
        → No verification needed for opt-out requests

Step 4: Fulfill request within 45 calendar days
        → Extension: up to 45 additional days with notice
        → Search all systems using data inventory
        → python scripts/ccpa_data_mapper.py --input inventory.json

Step 5: Deliver response
        → Provide information in portable format if requested
        → Document completion and response

Step 6: Monitor compliance
        → Track response times and completion rates
        → Generate quarterly compliance reports

Workflow 3: Privacy Policy Update Cycle

Step 1: Review current privacy policy against requirements
        → python scripts/ccpa_compliance_checker.py --input profile.json
        → Check privacy_policy category score

Step 2: Update data inventory
        → python scripts/ccpa_data_mapper.py --input inventory.json
        → Verify all PI categories are disclosed

Step 3: Verify required disclosures
        → Categories of PI collected (past 12 months)
        → Sources of PI
        → Business/commercial purposes
        → Categories of third parties
        → Consumer rights description
        → "Do Not Sell or Share" link
        → "Limit the Use of My Sensitive PI" link

Step 4: Update and publish
        → Annual update at minimum
        → Update within 30 days of material changes
        → Maintain prior version archive

Regulatory Overview

CCPA/CPRA Timeline

Date	Milestone
Jan 1, 2020	CCPA effective
Jul 1, 2020	AG enforcement begins
Nov 3, 2020	CPRA passed (Proposition 24)
Jan 1, 2023	CPRA amendments effective
Jul 1, 2023	CPPA enforcement of CPRA begins
2026	Employment and B2B data exemptions status review

Scope and Applicability

A business is subject to CCPA/CPRA if it:

Has annual gross revenue exceeding $25 million
Buys, sells, or shares PI of 100,000+ consumers or households annually
Derives 50% or more of annual revenue from selling or sharing consumers' PI

Entity Types:

Entity	Definition	Obligations
Business	Determines purposes and means of processing	Full CCPA/CPRA compliance
Service Provider	Processes PI on behalf of a business (contractual)	Limited use, deletion obligations
Contractor	Processes PI via written contract (CPRA addition)	Certification, limited use, audit rights
Third Party	Receives PI not as service provider/contractor	Subject to opt-out rights

Exemptions:

HIPAA-covered entities : Health data governed by HIPAA exempt
GLBA : Financial data subject to GLBA exempt
Employment data : Employee/applicant PI (subject to review through 2026)
B2B data : Business contact PI in B2B transactions (subject to review through 2026)
FCRA : Data subject to Fair Credit Reporting Act

Consumer Rights

Right	CCPA Section	Description	Timeline
Right to Know	§1798.100, §1798.110	Categories and specific pieces of PI collected	45 days
Right to Delete	§1798.105	Delete PI collected from the consumer	45 days
Right to Opt-Out	§1798.120	Opt out of sale or sharing of PI	Immediate
Right to Non-Discrimination	§1798.125	No retaliation for exercising rights	Ongoing
Right to Correct	§1798.106	Correct inaccurate PI (CPRA)	45 days
Right to Limit SPI Use	§1798.121	Limit use of sensitive PI (CPRA)	Immediate
Right to Data Portability	§1798.130

Sensitive Personal Information (CPRA)

SPI categories requiring enhanced protections under CPRA §1798.140(ae):

Social Security number, driver's license, state ID, passport number
Account log-in credentials (username + password/security question)
Financial account number with access credentials
Precise geolocation (within 1,850 feet / radius)
Racial or ethnic origin
Religious or philosophical beliefs
Union membership
Contents of mail, email, and text messages (unless business is intended recipient)
Genetic data
Biometric data for identification
Health information
Sex life or sexual orientation data

Enforcement and Penalties

Violation Type	Penalty	Enforcer
Unintentional violation	$2,500 per violation	CPPA / AG
Intentional violation	$7,500 per violation	CPPA / AG
Violations involving minors (under 16)	$7,500 per violation	CPPA / AG
Data breach (private action)	$100-$750 per consumer per incident	Consumer (court)

Enforcement Bodies:

California Privacy Protection Agency (CPPA) : Primary enforcer under CPRA (operational 2023)
California Attorney General : Retains enforcement authority
Private right of action : Limited to data breaches from failure to maintain reasonable security

CCPA vs GDPR Comparison

Aspect	CCPA/CPRA	GDPR
Scope	California consumers	EU/EEA data subjects
Legal basis	Opt-out model	Opt-in (consent or legal basis)
Data covered	Personal information	Personal data
Sensitive data	SPI with limit-use right	Special category with explicit consent
Breach notification	AG notification, private action	72-hour DPA notification
DPO requirement	None	Required for certain processing
Penalties	$2,500-$7,500 per violation	Up to 4% global revenue or €20M
Private right of action	Data breaches only	Varies by member state
Cross-border transfers	No restrictions	Adequacy decisions, SCCs, BCRs

Infrastructure Privacy Controls

Cookie Consent Management:

Implement cookie consent banner for non-essential cookies
Honor Global Privacy Control (GPC) browser signals (legally required)
Maintain cookie inventory with retention periods
Categorize cookies: strictly necessary, functional, analytics, advertising

Global Privacy Control (GPC):

Businesses must treat GPC signal as valid opt-out request (§1798.135)
Technical implementation: detect Sec-GPC: 1 header or navigator.globalPrivacyControl
Apply opt-out to sale AND sharing of PI
No re-authentication required for GPC

Privacy by Design:

Data minimization: collect only PI necessary for disclosed purposes
Purpose limitation: use PI only for purposes disclosed at collection
Storage limitation: retain PI only as long as necessary
Security by default: encrypt PI at rest and in transit

Data Inventory and Mapping:

Maintain comprehensive PI inventory across all systems
Map data flows: collection → processing → sharing → deletion
Document retention schedules per PI category
Track cross-border data transfers

Automated Decision-Making:

Disclose use of automated decision-making technology
Provide opt-out for profiling that produces legal or significant effects
CPRA regulations may require access to logic of automated decisions

Compliance Roadmap

Month 1-2: Discovery and Assessment

Determine CCPA/CPRA applicability
Conduct data inventory and mapping
Gap analysis against requirements
Assign compliance ownership

Month 3-4: Implementation

Draft/update privacy policy
Implement "Do Not Sell or Share" link
Implement "Limit Use of SPI" link
Deploy GPC signal detection
Build consumer request intake and fulfillment workflows
Draft service provider/contractor agreements

Month 5-6: Operationalization

Train employees on privacy obligations
Test consumer request workflows end-to-end
Conduct initial risk assessment
Plan annual cybersecurity audit
Establish ongoing monitoring and metrics
Document compliance program for regulatory defense

Weekly Installs

Repository

borghei/claude-skills

GitHub Stars

First Seen

Today

Security Audits

Gen Agent Trust HubPass SocketPass SnykPass

Installed on

zencoder1

amp1

cline1

openclaw1

opencode1

cursor1

通过 LiteLLM 代理让 Claude Code 对接 GitHub Copilot 运行 | 高级变通方案指南

31,600 周安装