CCPA + AI
The California Consumer Privacy Act (CCPA), as amended by the CPRA, applies to AI systems that process personal information of California residents and grants rights including access, deletion, and opt-out of automated decision-making.
What is CCPA + AI?
The CCPA gives California residents rights similar in spirit to GDPR, with notable differences in scope (commercial activity threshold, sale and sharing definitions). The 2024 automated decision-making (ADM) rules from the California Privacy Protection Agency (CPPA) add specific obligations for systems making 'significant decisions' about consumers, including pre-use risk assessments, transparency notices, and access and opt-out rights.
How does CCPA + AI apply to enterprise AI?
US enterprises with California customers and AI-driven decisions must publish automated decision-making (ADM) disclosures, support opt-out and access requests, and document risk assessments. Many vendors design once for GDPR and reuse the controls for CCPA with minor adaptations.
Related terms
- GDPR - The General Data Protection Regulation (GDPR) is the EU's data-protection regulation, governing the processing of personal data of people in the EU and EEA.
- Transparency Notice - A transparency notice is a clear disclosure to users that they are interacting with an AI system, what it is doing with their data, and what its limits are.
- AI Risk Management - AI risk management is the discipline of identifying, assessing, mitigating, and monitoring the harms an AI system can cause across its lifecycle.
- Data Residency - Data residency is the requirement that personal or regulated data stays within a specified geographic region throughout processing, storage, and backup.