CCPA Compliance
| Field | Value |
|---|---|
| Document ID | ASCEND-DATA-001 |
| Version | 1.0.0 |
| Last Updated | December 19, 2025 |
| Author | Ascend Engineering Team |
| Publisher | OW-KAI Technologies Inc. |
| Classification | Enterprise Client Documentation |
| Compliance | SOC 2 CC6.1/CC6.2, PCI-DSS 7.1/8.3, HIPAA 164.312, NIST 800-53 AC-2/SI-4 |
Reading Time: 7 minutes | Skill Level: Intermediate
Overview
ASCEND provides comprehensive CCPA/CPRA compliance features including consumer rights management, opt-out handling, and automated request processing for California residents.
Consumer Rights
Right to Know (§1798.100)
Consumers can request information about data collection and use.
curl -X POST "https://pilot.owkai.app/api/data-rights/access/request" \
  -H "Authorization: Bearer <admin_jwt>" \
  -H "Content-Type: application/json" \
  -d '{
    "data_subject_id": "user_12345",
    "data_subject_email": "user@example.com",
    "request_type": "access",
    "legal_basis": "ccpa_1798.100",
    "verification_method": "email",
    "include_categories": [
      "categories_collected",
      "sources",
      "business_purpose",
      "third_party_sharing",
      "specific_pieces"
    ]
  }'
Disclosure Requirements:
- Categories of personal information collected
- Sources of personal information
- Business/commercial purposes
- Categories shared with third parties
- Specific pieces of data (upon request)
Right to Delete (§1798.105)
Consumers can request deletion of their personal information.
curl -X POST "https://pilot.owkai.app/api/data-rights/erasure/request" \
  -H "Authorization: Bearer <admin_jwt>" \
  -H "Content-Type: application/json" \
  -d '{
    "data_subject_id": "user_12345",
    "request_type": "erasure",
    "legal_basis": "ccpa_1798.105",
    "verification_required": true,
    "notify_service_providers": true
  }'
Deletion Exceptions:
- Complete transaction
- Security purposes
- Legal obligations
- Internal research
- Free speech
Right to Opt-Out (§1798.120)
Consumers can opt out of the sale/sharing of personal information.
curl -X POST "https://pilot.owkai.app/api/data-rights/opt-out" \
  -H "Authorization: Bearer <admin_jwt>" \
  -H "Content-Type: application/json" \
  -d '{
    "data_subject_id": "user_12345",
    "opt_out_type": "sale",
    "scope": "all_categories",
    "effective_immediately": true
  }'
Opt-Out Types:
- sale - Opt out of sale of PI
- sharing - Opt out of sharing for cross-context advertising
- all - Opt out of both
Right to Correct (§1798.106)
Consumers can request correction of inaccurate information.
curl -X POST "https://pilot.owkai.app/api/data-rights/rectification/request" \
  -H "Authorization: Bearer <admin_jwt>" \
  -H "Content-Type: application/json" \
  -d '{
    "data_subject_id": "user_12345",
    "request_type": "rectification",
    "legal_basis": "ccpa_1798.106",
    "corrections": [
      {
        "field": "address",
        "current_value": "123 Old St",
        "corrected_value": "456 New Ave"
      }
    ],
    "supporting_documentation": "utility_bill_upload_id"
  }'
Right to Limit Use (§1798.121)
Consumers can limit use of sensitive personal information.
curl -X POST "https://pilot.owkai.app/api/data-rights/limit-use" \
  -H "Authorization: Bearer <admin_jwt>" \
  -H "Content-Type: application/json" \
  -d '{
    "data_subject_id": "user_12345",
    "sensitive_categories": [
      "precise_geolocation",
      "racial_ethnic_origin",
      "religious_beliefs",
      "genetic_data",
      "biometric_data"
    ],
    "limit_to": "service_provision_only"
  }'
Verification Requirements
CCPA requires verification of consumer identity before processing requests.
Configure Verification
curl -X PUT "https://pilot.owkai.app/api/data-rights/verification/config" \
  -H "Authorization: Bearer <admin_jwt>" \
  -H "Content-Type: application/json" \
  -d '{
    "request_types": {
      "access": {
        "verification_level": "reasonable",
        "methods": ["email", "account_login"],
        "max_attempts": 3
      },
      "deletion": {
        "verification_level": "heightened",
        "methods": ["email", "knowledge_based", "id_document"],
        "max_attempts": 3
      }
    }
  }'
Verification Levels
| Level | Use Case | Methods |
|---|---|---|
| reasonable | Categories/sources | Email, account login |
| heightened | Specific pieces, deletion | Email + KBA or ID document |
Do Not Sell/Share
Configure DNSS Signal
curl -X POST "https://pilot.owkai.app/api/data-rights/dnss/configure" \
  -H "Authorization: Bearer <admin_jwt>" \
  -H "Content-Type: application/json" \
  -d '{
    "honor_gpc_signal": true,
    "default_opt_out_sale": false,
    "default_opt_out_sharing": false,
    "cookie_consent_required": true,
    "third_party_notification": {
      "enabled": true,
      "service_providers": ["analytics_vendor", "marketing_vendor"]
    }
  }'
Check DNSS Status
curl "https://pilot.owkai.app/api/data-rights/dnss/user_12345/status" \
  -H "Authorization: Bearer <jwt_token>"
Response:
{
  "data_subject_id": "user_12345",
  "sale_opt_out": true,
  "sharing_opt_out": true,
  "opt_out_date": "2025-12-15T10:00:00Z",
  "gpc_detected": true,
  "categories_affected": [
    "advertising_identifiers",
    "browsing_history",
    "purchase_history"
  ]
}
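One way an integration could check an inbound GPC signal against the status response above (added example, not ASCEND's own code). It reads the `Sec-GPC` request header from the Global Privacy Control proposal and builds the opt-out body shown earlier on this page; the function names and the choice to map GPC to both sale and sharing are assumptions.

```python
# Added example: reconcile an inbound Global Privacy Control signal with the
# stored DNSS status. Mapping GPC to an opt-out of both sale and sharing is an
# assumption; function names are hypothetical.

def gpc_signal_present(headers):
    """True when the request carries 'Sec-GPC: 1' (header names are case-insensitive)."""
    for name, value in headers.items():
        if name.lower() == "sec-gpc":
            return value.strip() == "1"
    return False


def opt_out_needed(headers, dnss_status):
    """Return the opt-out request body still to be sent, or None if nothing is missing."""
    if not gpc_signal_present(headers):
        return None
    missing_sale = not dnss_status.get("sale_opt_out", False)
    missing_sharing = not dnss_status.get("sharing_opt_out", False)
    if missing_sale and missing_sharing:
        opt_out_type = "all"
    elif missing_sale:
        opt_out_type = "sale"
    elif missing_sharing:
        opt_out_type = "sharing"
    else:
        return None  # already opted out of both
    return {
        "data_subject_id": dnss_status["data_subject_id"],
        "opt_out_type": opt_out_type,
        "scope": "all_categories",
        "effective_immediately": True,
    }


# Constructed sample: the browser sends GPC, but the stored status only covers sale.
sample_headers = {"User-Agent": "example", "sec-gpc": "1"}
sample_status = {"data_subject_id": "user_12345",
                 "sale_opt_out": True, "sharing_opt_out": False}
print(opt_out_needed(sample_headers, sample_status))
```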
Financial Incentive Programs
Track financial incentive program participation.
Register Program
curl -X POST "https://pilot.owkai.app/api/data-rights/incentive-programs" \
  -H "Authorization: Bearer <admin_jwt>" \
  -H "Content-Type: application/json" \
  -d '{
    "program_id": "loyalty_rewards",
    "name": "Loyalty Rewards Program",
    "description": "10% discount for data sharing",
    "value_calculation_method": "discount_percentage",
    "opt_in_required": true,
    "data_categories_collected": ["purchase_history", "preferences"]
  }'
Consumer Opt-In
curl -X POST "https://pilot.owkai.app/api/data-rights/incentive-programs/loyalty_rewards/opt-in" \
  -H "Authorization: Bearer <admin_jwt>" \
  -H "Content-Type: application/json" \
  -d '{
    "data_subject_id": "user_12345",
    "consent_given": true,
    "consent_method": "explicit_checkbox"
  }'
Request Processing Timeline
Day 0         Day 10       Day 45
│             │            │
▼             ▼            ▼
┌─────────────┬────────────┬───────────────┐
│ Acknowledge │ Complete   │ Extended      │
│ Receipt     │ Request    │ Deadline      │
│ (Within 10d)│ (Standard) │ (If notified) │
└─────────────┴────────────┴───────────────┘
SLA Configuration
curl -X PUT "https://pilot.owkai.app/api/data-rights/sla/config" \
  -H "Authorization: Bearer <admin_jwt>" \
  -H "Content-Type: application/json" \
  -d '{
    "acknowledgment_deadline_days": 10,
    "completion_deadline_days": 45,
    "extension_allowed": true,
    "extension_max_days": 45,
    "extension_requires_notification": true
  }'
Authorized Agent Support
Allow authorized agents to submit requests on behalf of consumers.
Register Authorized Agent
curl -X POST "https://pilot.owkai.app/api/data-rights/authorized-agents" \
  -H "Authorization: Bearer <admin_jwt>" \
  -H "Content-Type: application/json" \
  -d '{
    "agent_name": "Privacy Rights Advocacy",
    "agent_email": "requests@privacyrights.org",
    "verification_requirements": {
      "power_of_attorney": true,
      "consumer_verification": true
    }
  }'
Submit Request via Agent
curl -X POST "https://pilot.owkai.app/api/data-rights/access/request" \
  -H "Authorization: Bearer <admin_jwt>" \
  -H "Content-Type: application/json" \
  -d '{
    "data_subject_id": "user_12345",
    "request_type": "access",
    "legal_basis": "ccpa_1798.100",
    "authorized_agent": {
      "agent_id": "agent_pra_001",
      "power_of_attorney_verified": true,
      "consumer_verification_completed": true
    }
  }'
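The Verification Levels table and the authorized-agent flags above, combined into one pre-submission check (added example, not ASCEND's own code). Field names come from the request bodies on this page; the function names are hypothetical, and reading "Email + KBA or ID document" as email plus one of the two, and treating both "erasure" and "deletion" as heightened, are assumptions.

```python
# Added example: identity-verification gate applied before a data-rights
# request is submitted. The rule interpretation is an assumption (see lead-in).

HEIGHTENED_TYPES = {"erasure", "deletion"}      # the page uses both spellings
HEIGHTENED_CATEGORIES = {"specific_pieces"}     # disclosure of actual data
SECOND_FACTORS = {"knowledge_based", "id_document"}
REASONABLE_METHODS = {"email", "account_login"}
MAX_ATTEMPTS = 3                                # max_attempts in the config above


def required_level(request):
    """Return 'heightened' or 'reasonable' for a request body."""
    if request.get("request_type") in HEIGHTENED_TYPES:
        return "heightened"
    if HEIGHTENED_CATEGORIES & set(request.get("include_categories", [])):
        return "heightened"
    return "reasonable"


def verification_gate(request, completed_methods, failed_attempts=0):
    """Return (allowed, detail): the level on success, the failure reason otherwise."""
    if failed_attempts >= MAX_ATTEMPTS:
        return False, "max_attempts_exceeded"
    agent = request.get("authorized_agent")
    if agent is not None and not (
        agent.get("power_of_attorney_verified") is True
        and agent.get("consumer_verification_completed") is True
    ):
        return False, "agent_not_verified"
    done = set(completed_methods)
    level = required_level(request)
    if level == "heightened":
        ok = "email" in done and bool(done & SECOND_FACTORS)
    else:
        ok = bool(done & REASONABLE_METHODS)
    return (True, level) if ok else (False, f"{level}_verification_incomplete")


# Constructed sample: an access request that asks for specific pieces of data,
# so email verification alone does not clear the gate.
sample_request = {"request_type": "access",
                  "include_categories": ["sources", "specific_pieces"]}
print(verification_gate(sample_request, ["email"]))
print(verification_gate(sample_request, ["email", "id_document"]))
```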
Minor's Data (Under 16)
Configure Minor Protections
curl -X PUT "https://pilot.owkai.app/api/data-rights/minors/config" \
  -H "Authorization: Bearer <admin_jwt>" \
  -H "Content-Type: application/json" \
  -d '{
    "default_opt_out_under_16": true,
    "require_opt_in_under_16": true,
    "parental_consent_under_13": true,
    "age_verification_required": true
  }'
CCPA Metrics & Reporting
Generate CCPA Report
curl -X POST "https://pilot.owkai.app/api/compliance-export/exports" \
  -H "Authorization: Bearer <admin_jwt>" \
  -H "Content-Type: application/json" \
  -d '{
    "framework": "ccpa",
    "report_type": "annual_metrics",
    "year": 2025,
    "include_sections": [
      "request_statistics",
      "response_times",
      "denial_reasons",
      "opt_out_statistics"
    ]
  }'
Required Annual Metrics:
- Requests received by type
- Requests completed within 45 days
- Average response time
- Requests denied and reasons
Dashboard Metrics
curl "https://pilot.owkai.app/api/data-rights/metrics?period=ytd" \
  -H "Authorization: Bearer <admin_jwt>"
Response:
{
  "period": "2025-01-01 to 2025-12-15",
  "requests": {
    "total": 450,
    "by_type": {
      "access": 200,
      "deletion": 150,
      "opt_out": 80,
      "correction": 20
    }
  },
  "response_times": {
    "avg_days": 12,
    "within_45_days_percent": 98.5
  },
  "opt_outs": {
    "sale": 1200,
    "sharing": 950
  }
}
Best Practices
1. Easy Opt-Out Methods
Provide multiple opt-out mechanisms:
- "Do Not Sell/Share My Personal Information" link
- Global Privacy Control (GPC) signal support
- Toll-free number
2. Service Provider Contracts
Ensure service provider agreements include:
- Purpose limitations
- Notification obligations
- Deletion requirements
3. Training
Train staff on:
- Recognizing CCPA requests
- Verification procedures
- Response timelines