CCPA / CPRA US Multi-State Privacy

CCPA · free

Validate consumer privacy data — correction/deletion SLAs, opt-out enforcement, sensitive PI tagging, minor consent, and retention limits per CCPA/CPRA and US state privacy laws.

10 rules · 1992 downloads · 4.7 avg (108 ratings)
Tags: ccpa, cpra, privacy, consumer-rights, deletion, opt-out, sensitive-pi, us-privacy

Download & Install

Install with the CLI:
$ npx dqhub install ccpa-cpra-us-privacy --format soda --table YOUR_TABLE

About this pack

Data quality checks for US consumer privacy compliance across multiple state laws.

Covers:
- Data correction request SLA tracking (45 days)
- Deletion propagation completeness across systems
- Opt-out/do-not-sell enforcement validation
- Sensitive personal information tagging
- Minor data consent (age <16 parental consent)
- Privacy notice version tracking
- Data retention limit enforcement
- Consumer request logging completeness
- Sale/sharing disclosure documentation

Standards: CCPA (Cal. Civ. Code §1798), CPRA, VCDPA, CPA (Colorado), +17 state laws

Sources & References

CCPA — Cal. Civ. Code 1798.106 — Right to Correction

Consumers have the right to request correction of inaccurate personal information

CPRA — Cal. Civ. Code 1798.106(c) — Response Timing

Businesses must respond to correction requests within 45 days, extendable by an additional 45 days

VCDPA — Va. Code 59.1-577(A)(4) — Right to Correct

Virginia consumers may request correction of inaccurate personal data

CPA — C.R.S. 6-1-1306(1)(a)(IV) — Right to Correct

Colorado consumers may request correction of inaccurate personal data

CCPA — Cal. Civ. Code 1798.105 — Right to Deletion

Consumers have the right to request deletion of personal information collected by the business

CPRA — Cal. Civ. Code 1798.105(c) — Service Provider Notification

Businesses must notify service providers and contractors to delete the consumer's personal information

VCDPA — Va. Code 59.1-577(A)(3) — Right to Delete

Virginia consumers may request deletion of personal data provided by or obtained about them

CPA — C.R.S. 6-1-1306(1)(a)(III) — Right to Delete

Colorado consumers may request deletion of personal data

CCPA — Cal. Civ. Code 1798.120 — Right to Opt-Out of Sale

Consumers have the right to direct a business not to sell their personal information

CPRA — Cal. Civ. Code 1798.120/1798.121 — Right to Opt-Out of Sale and Sharing

Expanded to include sharing of personal information for cross-context behavioral advertising

VCDPA — Va. Code 59.1-577(A)(5) — Right to Opt Out

Consumers may opt out of the sale of personal data and targeted advertising

CPA — C.R.S. 6-1-1306(1)(a)(I) — Right to Opt Out

Consumers may opt out of the sale of personal data

CPRA — Cal. Civ. Code 1798.140(ae) — Sensitive Personal Information Definition

Defines categories of sensitive PI including SSN, financial accounts, geolocation, biometric, health, race/ethnicity, and more

CPRA — Cal. Civ. Code 1798.121 — Right to Limit Use of Sensitive PI

Consumers may direct businesses to limit the use and disclosure of their sensitive personal information

VCDPA — Va. Code 59.1-575 — Sensitive Data Definition

Virginia defines sensitive data including racial origin, health diagnosis, biometric data, and geolocation

CPA — C.R.S. 6-1-1303(24) — Sensitive Data

Colorado defines sensitive data categories requiring opt-in consent

CCPA — Cal. Civ. Code 1798.120(c) — Minors Under 16

Businesses must not sell personal information of consumers under 16 without affirmative authorization

CPRA — Cal. Civ. Code 1798.120(c) — Enhanced Minor Protections

Businesses must not sell or share personal information of minors; treble penalties for violations involving children

VCDPA — Va. Code 59.1-578(A)(5) — Children's Data

Processing personal data of known children requires consent under COPPA standards

CPA — C.R.S. 6-1-1308(7) — Children's Data

Processing personal data of known children is considered processing of sensitive data

CCPA — Cal. Civ. Code 1798.100(b) — Notice at Collection

Businesses must inform consumers at or before collection about the categories of PI collected and purposes

CPRA — Cal. Civ. Code 1798.100(a) — Enhanced Notice Requirements

Privacy notice must include retention periods, right to correct, and sensitive PI categories

VCDPA — Va. Code 59.1-578(D) — Privacy Notice

Controllers must provide a reasonably accessible privacy notice

CPA — C.R.S. 6-1-1308(1) — Transparency

Controllers must provide a reasonably accessible privacy notice

CPRA — Cal. Civ. Code 1798.100(a)(3) — Retention Disclosure

Businesses must inform consumers of the length of time they intend to retain each category of personal information

CCPA — Cal. Civ. Code 1798.100 — Right to Know

Businesses must not retain personal information longer than necessary for the disclosed purposes

VCDPA — Va. Code 59.1-578(A)(2) — Data Minimization

Controllers shall limit collection to what is adequate, relevant, and reasonably necessary

CPA — C.R.S. 6-1-1308(3) — Purpose Limitation

Controllers shall not process personal data beyond what is reasonably necessary

CCPA — Cal. Civ. Code 1798.130 — Business Obligations

Businesses must maintain records of consumer requests and responses for 24 months

CPRA — 11 CCR 7101 — Record-Keeping Requirements

Businesses must maintain records of consumer requests including type, date received, and manner of response

VCDPA — Va. Code 59.1-578 — Controller Responsibilities

Controllers must establish and describe mechanisms for consumers to exercise their rights

CPA — C.R.S. 6-1-1308 — Controller Duties

Controllers must establish mechanisms for consumers to exercise rights and maintain records

CCPA — Cal. Civ. Code 1798.115 — Right to Know About Disclosures

Consumers have the right to know the categories of third parties to whom their PI was sold or disclosed

CPRA — Cal. Civ. Code 1798.110/1798.115 — Enhanced Disclosure Requirements

Businesses must disclose specific pieces of PI sold or shared, along with categories of third parties

VCDPA — Va. Code 59.1-578(D)(4) — Third Party Disclosure

Privacy notice must include categories of third parties with whom data is shared

CPA — C.R.S. 6-1-1308(1)(a)(IV) — Third Party Transparency

Controllers must disclose categories of third parties with whom personal data is shared

CPRA — Cal. Civ. Code 1798.135 — Do Not Sell or Share Link

Businesses must provide a Do Not Sell or Share My Personal Information link on their website

VCDPA — Va. Code 59.1-577(A)(5) — Opt-Out Right

Consumers have the right to opt out of the sale of personal data

CPA — C.R.S. 6-1-1306(1)(a)(I) — Opt-Out Right

Consumers may opt out of the sale of their personal data

What's included

6 completeness rules
2 freshness rules
2 consistency rules

Checks included (10)

CCPA Deletion Propagation Completeness (propagation_complete)

Validates that consumer deletion requests have been fully propagated to all downstream systems. When a consumer exercises their right to delete, the business must ensure deletion is carried out across all systems and service providers that hold the consumer's personal information.

CCPA Sensitive Personal Information Tagging (sensitive_pi_flag)

Validates that records containing sensitive personal information (SPI) are properly tagged. CPRA introduced a special category of sensitive PI including SSN, financial account numbers, geolocation, biometric data, health information, and race/ethnicity. Records containing these data elements must have the sensitive_pi_flag set to true for proper consent management and use limitation.

CCPA Privacy Notice Version Validity (privacy_notice_version)

Validates that each data record references a valid, non-expired privacy notice version. Under CCPA/CPRA, businesses must inform consumers about data collection practices at or before the point of collection. Each record must link to the privacy notice version that was in effect when the data was collected, and that version must not be expired or revoked.

CCPA Consumer Request Logging Completeness

Validates that every consumer privacy request is fully logged with all required fields. CCPA/CPRA requires businesses to maintain records of consumer requests (access, delete, correct, opt-out) for at least 24 months. Each request must include the request type, submission date, consumer identifier, and current processing status.

CCPA Sale/Sharing Disclosure Completeness

Validates that records of personal information shared with or sold to third parties have complete disclosure metadata. Every sale or sharing transaction must include the third party name, the business purpose for sharing, and the disclosure date. This supports the CCPA/CPRA requirement to disclose the categories of third parties and purposes.

CCPA Do Not Sell Flag Presence (do_not_sell)

Validates that all consumer records include a non-null do_not_sell flag (true or false). Under CCPA/CPRA, businesses must provide a mechanism for consumers to opt out of the sale of their personal information. The do_not_sell flag must be explicitly set on every consumer record to ensure the business can honor opt-out preferences and demonstrate compliance.

CCPA Correction Request SLA Compliance

Validates that consumer data correction requests are resolved within the statutory SLA. Under CPRA, businesses must respond to correction requests within 45 calendar days of receipt, with a possible 45-day extension if reasonably necessary. This rule checks the gap between request_date and resolution_date.

CCPA Data Retention Period Limit

Validates that personal data records do not exceed their stated retention period from the collection date. Under CPRA, businesses must disclose retention periods and must not retain personal information longer than reasonably necessary for the disclosed purpose. Records past their retention limit must be flagged for deletion.

CCPA Opt-Out of Sale/Sharing Honored

Validates that when a consumer has opted out of the sale or sharing of their personal information, no records for that consumer appear in sale or sharing transaction tables after the opt-out date. This ensures businesses honor the consumer's right to say no to data monetization.

CCPA Minor Data Consent Requirements

Validates consent requirements for minors under CCPA/CPRA. Children under 13 require verifiable parental consent before any sale or sharing of personal information. Minors aged 13-15 must provide affirmative opt-in consent themselves. No sale or sharing is permitted without the appropriate consent in place.