CCPA Compliance
| Field | Value |
|---|---|
| Document ID | ASCEND-DATA-001 |
| Version | 2026.04 |
| Last Updated | April 2026 |
| Author | Ascend Engineering Team |
| Publisher | OW-KAI Technologies Inc. |
| Classification | Enterprise Client Documentation |
| Compliance | SOC 2 CC6.1/CC6.2, PCI-DSS 7.1/8.3, HIPAA 164.312, NIST 800-53 AC-2/SI-4 |
Reading Time: 7 minutes | Skill Level: Intermediate
Overview
ASCEND provides comprehensive CCPA/CPRA compliance features including consumer rights management, opt-out handling, and automated request processing for California residents.
CCPA compliance features apply to California residents' personal information processed by ASCEND. Verify that your organization's privacy policy references ASCEND's data processing activities when applicable.
Consumer Rights
Right to Know (§1798.100)
Consumers can request information about data collection and use.
curl -X POST "https://pilot.owkai.app/api/data-rights/access/request" \
-H "Authorization: Bearer <admin_jwt>" \
-H "Content-Type: application/json" \
-d '{
"data_subject_id": "user_12345",
"data_subject_email": "user@example.com",
"request_type": "access",
"legal_basis": "ccpa_1798.100",
"verification_method": "email",
"include_categories": [
"categories_collected",
"sources",
"business_purpose",
"third_party_sharing",
"specific_pieces"
]
}'
Disclosure Requirements:
- Categories of personal information collected
- Sources of personal information
- Business/commercial purposes
- Categories shared with third parties
- Specific pieces of data (upon request)
Right to Delete (§1798.105)
Consumers can request deletion of their personal information.
curl -X POST "https://pilot.owkai.app/api/data-rights/erasure/request" \
-H "Authorization: Bearer <admin_jwt>" \
-H "Content-Type: application/json" \
-d '{
"data_subject_id": "user_12345",
"request_type": "erasure",
"legal_basis": "ccpa_1798.105",
"verification_required": true,
"notify_service_providers": true
}'
Deletion Exceptions:
- Complete transaction
- Security purposes
- Legal obligations
- Internal research
- Free speech
Right to Opt-Out (§1798.120)
Consumers can opt out of the sale/sharing of personal information.
curl -X POST "https://pilot.owkai.app/api/data-rights/opt-out" \
-H "Authorization: Bearer <admin_jwt>" \
-H "Content-Type: application/json" \
-d '{
"data_subject_id": "user_12345",
"opt_out_type": "sale",
"scope": "all_categories",
"effective_immediately": true
}'
Opt-Out Types:
- sale - Opt out of sale of PI
- sharing - Opt out of sharing for cross-context advertising
- all - Opt out of both
Right to Correct (§1798.106)
Consumers can request correction of inaccurate information.
curl -X POST "https://pilot.owkai.app/api/data-rights/rectification/request" \
-H "Authorization: Bearer <admin_jwt>" \
-H "Content-Type: application/json" \
-d '{
"data_subject_id": "user_12345",
"request_type": "rectification",
"legal_basis": "ccpa_1798.106",
"corrections": [
{
"field": "address",
"current_value": "123 Old St",
"corrected_value": "456 New Ave"
}
],
"supporting_documentation": "utility_bill_upload_id"
}'
Right to Limit Use (§1798.121)
Consumers can limit use of sensitive personal information.
curl -X POST "https://pilot.owkai.app/api/data-rights/limit-use" \
-H "Authorization: Bearer <admin_jwt>" \
-H "Content-Type: application/json" \
-d '{
"data_subject_id": "user_12345",
"sensitive_categories": [
"precise_geolocation",
"racial_ethnic_origin",
"religious_beliefs",
"genetic_data",
"biometric_data"
],
"limit_to": "service_provision_only"
}'
Verification Requirements
CCPA requires verification of consumer identity before processing requests.
Configure Verification
curl -X PUT "https://pilot.owkai.app/api/data-rights/verification/config" \
-H "Authorization: Bearer <admin_jwt>" \
-H "Content-Type: application/json" \
-d '{
"request_types": {
"access": {
"verification_level": "reasonable",
"methods": ["email", "account_login"],
"max_attempts": 3
},
"deletion": {
"verification_level": "heightened",
"methods": ["email", "knowledge_based", "id_document"],
"max_attempts": 3
}
}
}'
Verification Levels
| Level | Use Case | Methods |
|---|---|---|
| reasonable | Categories/sources | Email, account login |
| heightened | Specific pieces, deletion | Email + KBA or ID document |
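The verification config above is keyed by request type only, while the table requires heightened verification for specific pieces, so an access request that includes "specific_pieces" needs escalation. The following is an added example (not ASCEND code) of a pre-submission gate that applies the table; the function names are hypothetical, and reading "Email + KBA or ID document" as email plus one of the other two is an assumption.

```python
# Added illustration: a pre-submission gate, not ASCEND's server-side logic.
# Rules follow the page's "Verification Levels" table.
HEIGHTENED_TYPES = {"erasure", "deletion"}  # the page uses both names

def required_level(request):
    """'heightened' for deletion or access to specific pieces, else 'reasonable'."""
    if request.get("request_type") in HEIGHTENED_TYPES:
        return "heightened"
    if "specific_pieces" in request.get("include_categories", []):
        return "heightened"
    return "reasonable"

def methods_satisfy(level, passed):
    """Assumed reading: heightened = email AND (knowledge_based OR id_document)."""
    if level == "heightened":
        return "email" in passed and bool(passed & {"knowledge_based", "id_document"})
    return bool(passed & {"email", "account_login"})

def may_process(request, passed_methods, failed_attempts=0, max_attempts=3):
    """Return (allowed, reason) for one consumer request."""
    level = required_level(request)
    if failed_attempts >= max_attempts:
        return False, "locked: max_attempts reached"
    if not methods_satisfy(level, set(passed_methods)):
        return False, f"needs {level} verification"
    return True, f"{level} verification satisfied"

# Constructed sample requests, shaped like the page's request bodies.
CATEGORIES_ONLY = {"request_type": "access",
                   "include_categories": ["categories_collected", "sources"]}
SPECIFIC_PIECES = {"request_type": "access",
                   "include_categories": ["sources", "specific_pieces"]}
ERASURE = {"request_type": "erasure"}

if __name__ == "__main__":
    for req, passed in [(CATEGORIES_ONLY, ["email"]),
                        (SPECIFIC_PIECES, ["email"]),
                        (SPECIFIC_PIECES, ["email", "id_document"]),
                        (ERASURE, ["account_login"])]:
        print(req["request_type"], passed, may_process(req, passed))
```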
Do Not Sell/Share
Configure DNSS Signal
curl -X POST "https://pilot.owkai.app/api/data-rights/dnss/configure" \
-H "Authorization: Bearer <admin_jwt>" \
-H "Content-Type: application/json" \
-d '{
"honor_gpc_signal": true,
"default_opt_out_sale": false,
"default_opt_out_sharing": false,
"cookie_consent_required": true,
"third_party_notification": {
"enabled": true,
"service_providers": ["analytics_vendor", "marketing_vendor"]
}
}'
Check DNSS Status
curl "https://pilot.owkai.app/api/data-rights/dnss/user_12345/status" \
-H "Authorization: Bearer <jwt_token>"
Response:
{
"data_subject_id": "user_12345",
"sale_opt_out": true,
"sharing_opt_out": true,
"opt_out_date": "2025-12-15T10:00:00Z",
"gpc_detected": true,
"categories_affected": [
"advertising_identifiers",
"browsing_history",
"purchase_history"
]
}
Financial Incentive Programs
Track financial incentive program participation.
Register Program
curl -X POST "https://pilot.owkai.app/api/data-rights/incentive-programs" \
-H "Authorization: Bearer <admin_jwt>" \
-H "Content-Type: application/json" \
-d '{
"program_id": "loyalty_rewards",
"name": "Loyalty Rewards Program",
"description": "10% discount for data sharing",
"value_calculation_method": "discount_percentage",
"opt_in_required": true,
"data_categories_collected": ["purchase_history", "preferences"]
}'
Consumer Opt-In
curl -X POST "https://pilot.owkai.app/api/data-rights/incentive-programs/loyalty_rewards/opt-in" \
-H "Authorization: Bearer <admin_jwt>" \
-H "Content-Type: application/json" \
-d '{
"data_subject_id": "user_12345",
"consent_given": true,
"consent_method": "explicit_checkbox"
}'
Request Processing Timeline
Day 0         Day 10         Day 45
│             │              │
▼             ▼              ▼
┌─────────────────────────────────────────────┐
│ Acknowledge │ Complete     │ Extended       │
│ Receipt     │ Request      │ Deadline       │
│ (Within 10d)│ (Standard)   │ (If notified)  │
└─────────────────────────────────────────────┘
SLA Configuration
curl -X PUT "https://pilot.owkai.app/api/data-rights/sla/config" \
-H "Authorization: Bearer <admin_jwt>" \
-H "Content-Type: application/json" \
-d '{
"acknowledgment_deadline_days": 10,
"completion_deadline_days": 45,
"extension_allowed": true,
"extension_max_days": 45,
"extension_requires_notification": true
}'
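The timeline and SLA values above can be checked against request records with a short audit script. This is an added example, not ASCEND code: the record fields (received, acknowledged, completed, extension_notified) are hypothetical, the sample records are constructed, and every deadline is counted in calendar days as an assumption, since the page only says "days".

```python
from datetime import date, timedelta

# Values copied from the page's SLA configuration request.
SLA = {
    "acknowledgment_deadline_days": 10,
    "completion_deadline_days": 45,
    "extension_allowed": True,
    "extension_max_days": 45,
    "extension_requires_notification": True,
}

def deadlines(received, extension_notified=False, sla=SLA):
    """Return (acknowledgment due date, completion due date)."""
    ack_due = received + timedelta(days=sla["acknowledgment_deadline_days"])
    done_due = received + timedelta(days=sla["completion_deadline_days"])
    # The extension only counts if the consumer was notified (when required).
    extended = sla["extension_allowed"] and (
        extension_notified or not sla["extension_requires_notification"])
    if extended:
        done_due += timedelta(days=sla["extension_max_days"])
    return ack_due, done_due

def sla_findings(req, today, sla=SLA):
    """List SLA breaches for one request record as of `today`."""
    ack_due, done_due = deadlines(
        req["received"], req.get("extension_notified", False), sla)
    findings = []
    # Open steps are measured against today, closed steps against their date.
    if (req.get("acknowledged") or today) > ack_due:
        findings.append("acknowledgment_late")
    if (req.get("completed") or today) > done_due:
        findings.append("completion_late")
    return findings

def audit(requests, today):
    """Map request id -> list of findings."""
    return {r["id"]: sla_findings(r, today) for r in requests}

# Constructed sample records; all received on 2025-01-02.
D = date
REQUESTS = [
    {"id": "r1", "received": D(2025, 1, 2), "acknowledged": D(2025, 1, 5), "completed": D(2025, 2, 10)},
    {"id": "r2", "received": D(2025, 1, 2), "acknowledged": D(2025, 1, 20), "completed": D(2025, 3, 1),
     "extension_notified": True},
    {"id": "r3", "received": D(2025, 1, 2), "acknowledged": D(2025, 1, 8), "completed": D(2025, 3, 1)},
    {"id": "r4", "received": D(2025, 1, 2), "acknowledged": D(2025, 1, 8), "completed": None},
]

if __name__ == "__main__":
    print(audit(REQUESTS, today=D(2025, 3, 1)))
```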
Authorized Agent Support
Allow authorized agents to submit requests on behalf of consumers.
Register Authorized Agent
curl -X POST "https://pilot.owkai.app/api/data-rights/authorized-agents" \
-H "Authorization: Bearer <admin_jwt>" \
-H "Content-Type: application/json" \
-d '{
"agent_name": "Privacy Rights Advocacy",
"agent_email": "requests@privacyrights.org",
"verification_requirements": {
"power_of_attorney": true,
"consumer_verification": true
}
}'
Submit Request via Agent
curl -X POST "https://pilot.owkai.app/api/data-rights/access/request" \
-H "Authorization: Bearer <admin_jwt>" \
-H "Content-Type: application/json" \
-d '{
"data_subject_id": "user_12345",
"request_type": "access",
"legal_basis": "ccpa_1798.100",
"authorized_agent": {
"agent_id": "agent_pra_001",
"power_of_attorney_verified": true,
"consumer_verification_completed": true
}
}'
Minor's Data (Under 16)
Configure Minor Protections
curl -X PUT "https://pilot.owkai.app/api/data-rights/minors/config" \
-H "Authorization: Bearer <admin_jwt>" \
-H "Content-Type: application/json" \
-d '{
"default_opt_out_under_16": true,
"require_opt_in_under_16": true,
"parental_consent_under_13": true,
"age_verification_required": true
}'
CCPA Metrics & Reporting
Generate CCPA Report
curl -X POST "https://pilot.owkai.app/api/compliance-export/exports" \
-H "Authorization: Bearer <admin_jwt>" \
-H "Content-Type: application/json" \
-d '{
"framework": "ccpa",
"report_type": "annual_metrics",
"year": 2025,
"include_sections": [
"request_statistics",
"response_times",
"denial_reasons",
"opt_out_statistics"
]
}'
Required Annual Metrics:
- Requests received by type
- Requests completed within 45 days
- Average response time
- Requests denied and reasons
Dashboard Metrics
curl "https://pilot.owkai.app/api/data-rights/metrics?period=ytd" \
-H "Authorization: Bearer <admin_jwt>"
Response:
{
"period": "2025-01-01 to 2025-12-15",
"requests": {
"total": 450,
"by_type": {
"access": 200,
"deletion": 150,
"opt_out": 80,
"correction": 20
}
},
"response_times": {
"avg_days": 12,
"within_45_days_percent": 98.5
},
"opt_outs": {
"sale": 1200,
"sharing": 950
}
}
Best Practices
1. Opt-Out Methods
Provide multiple opt-out mechanisms:
- "Do Not Sell/Share My Personal Information" link
- Global Privacy Control (GPC) signal support
- Toll-free number
2. Service Provider Contracts
Ensure service provider agreements include:
- Purpose limitations
- Notification obligations
- Deletion requirements
3. Training
Train staff on:
- Recognizing CCPA requests
- Verification procedures
- Response timelines
Next Steps
- GDPR Compliance - EU privacy law
- Data Rights Overview - Full capabilities
- Consent Management - Manage consent