CCPA/CPRA Privacy Program — Compliance Documentation Package
Overview
Draft and validate the core privacy compliance documentation package required under the California Consumer Privacy Act as amended by CPRA. Covers the privacy policy, DSAR procedures, data inventory, privacy impact assessment, opt-out mechanisms, and service provider/contractor agreements.
Example Conversation
You: We’re an e-commerce company doing business in California and need a CCPA-compliant privacy policy and DSAR procedures. We collect customer PI through our website and app. Can you draft and validate?
Agent: I’ll draft the privacy policy with all 12 mandatory CCPA/CPRA disclosures (categories of PI collected, sources, business purposes, categories shared, consumer rights including know/delete/correct/opt-out, non-discrimination, and retention), add “Do Not Sell or Share” and “Limit Use of Sensitive PI” mechanisms, then write the DSAR fulfillment procedures with verification tiers and the 45-day response timeline. I’ll run ccpa_disclosure_checker when done.
Agent: Created privacy-policy-draft.md. Running ccpa_disclosure_checker…
Agent: Check FAIL — the “Limit Use of Sensitive PI” mechanism is missing, and the retention period disclosure is not present. I’ll add a “Limit Use of Sensitive Personal Information” link/section and retention period table.
Agent: Updated and re-ran ccpa_disclosure_checker: PASS — all 12 mandatory disclosures present, both opt-out mechanisms found, 45-day DSAR timeline with extension, verification process described.
What the Tools Validate
The skill includes one extension tool:
ccpa_disclosure_checker scans the privacy policy and DSAR documentation across five areas:
- Mandatory disclosures (12 items) — Categories of PI collected, sources, business/commercial purpose, categories shared, categories of third parties, right to know, right to delete, right to correct, right to opt-out, non-discrimination, and retention periods.
- Opt-out mechanisms — “Do Not Sell or Share” mechanism and “Limit Use of Sensitive PI” mechanism must both be described.
- DSAR response timeline — 45-day response deadline and response/fulfillment process must be stated; 45-day extension provision recommended.
- Verification process — Identity verification process for consumer requestors must be described.
- Financial incentive disclosure — If a financial incentive or loyalty program is offered, material terms must be disclosed.
Output: PASS if all mandatory checks are satisfied; otherwise FAIL with per-section findings showing what is found and what is missing. Run after drafting; fix gaps and re-run until the check passes.
Output Excerpt
Excerpt from a generated privacy policy and sample checker report.
Privacy policy (excerpt):
## Categories of Personal Information Collected
We collect the following categories of personal information: identifiers, commercial information, internet activity, geolocation, and inferences. Sources include direct collection from consumers, automatic collection via cookies, and third-party data providers.
## Your Rights Under CCPA/CPRA
- **Right to know/access** — Request the categories and specific pieces of PI we collected.
- **Right to delete** — Request deletion of PI we collected.
- **Right to correct** — Request correction of inaccurate PI.
- **Right to opt-out** — Opt out of the sale or sharing of your PI via our "Do Not Sell or Share My Personal Information" link.
- **Limit Use of Sensitive PI** — Limit the use and disclosure of sensitive personal information via the "Limit the Use of My Sensitive Personal Information" link.
- **Non-discrimination** — We will not discriminate against you for exercising your rights.
## DSAR Procedures
Requests are verified via identity verification (matching account email + government ID for non-account holders). Response within 45 calendar days; extension of an additional 45 days if reasonably necessary.
## Retention
We retain personal information for as long as necessary to fulfill the business purpose for which it was collected.
ccpa_disclosure_checker report (excerpt):
=== CCPA/CPRA DISCLOSURE CHECK ===
Result: PASS
Document: privacy-policy-draft.md
--- Mandatory Privacy Policy Disclosures (12 items) ---
✓ Categories of PI collected
✓ Sources of PI
✓ Business/commercial purpose
✓ Categories of PI shared/disclosed
✓ Categories of third parties
✓ Right to know/access
✓ Right to delete
✓ Right to correct
✓ Right to opt-out of sale/sharing
✓ Non-discrimination
✓ Retention periods
Score: 11/11
--- Opt-Out Mechanisms ---
"Do Not Sell or Share" mechanism: FOUND
"Limit Use of Sensitive PI" mechanism: FOUND
--- DSAR Response Timeline ---
45-day response deadline: FOUND
45-day extension provision: FOUND
Response/fulfillment process: FOUND
--- Verification Process ---
Verification process described: FOUND
Getting Started
Add your source materials to the project workspace (current privacy policy, data inventory, DSAR workflows), then activate the CCPA/CPRA Privacy Program — Compliance Documentation Package skill. The agent will guide you through data inventory, privacy policy drafting, DSAR procedures, risk assessment, contracts, and running ccpa_disclosure_checker to validate compliance.