Stats
Actions
Tags
From qa-compliance
Reference catalog of CCPA + CPRA-aligned test patterns - do-not-sell-or-share opt-out via Global Privacy Control (GPC) signal; data-disclosure category tests per Cal. Civ. Code §1798.110; sensitive personal information (SPI) handling per CPRA §1798.121; deletion-request workflows per §1798.105; CPRA's right to correct (§1798.106) + limit-use (§1798.121). Use when authoring CCPA/CPRA-readiness tests for any product processing California consumer data.
How this skill is triggered — by the user, by Claude, or both
Slash command
/qa-compliance:ccpa-test-patternsThe summary Claude sees in its skill listing — used to decide when to auto-load this skill
Per [oag.ca.gov/privacy/ccpa][ccpa-oag] (California Attorney General
Per oag.ca.gov/privacy/ccpa (California Attorney General authoritative source):
CCPA (California Consumer Privacy Act, in force 2020-01-01) and CPRA (California Privacy Rights Act, in force 2023-01-01) apply to businesses meeting one of three thresholds:
Failure carries civil penalties up to $7,500 per intentional violation + $2,500 per non-intentional violation; private right of action for data breaches.
This is a reference skill - defines the test-pattern
catalog by Cal. Civ. Code section. Pair with gdpr-test-patterns
for international compliance footprint.
CPRA mandates honoring the GPC browser signal (per globalprivacycontrol.org):
def test_gpc_signal_blocks_sale_and_share():
response = client.get('/page', headers={'Sec-GPC': '1'})
# Page MUST treat the visitor as opted-out:
assert 'do-not-sell-cookie' in response.cookies
# Tracking pixels for sale/share must NOT fire:
assert 'analytics-share.js' not in response.text
assert 'ads-third-party.js' not in response.text
# Status MUST be recorded for compliance evidence:
assert OptOutRecord.objects.filter(visitor_id=session_id).exists()
def test_consumer_request_returns_all_pi_categories():
response = client.post('/privacy/right-to-know', json={
'consumer_email': '[email protected]'
})
body = response.json()
# CCPA Cat. 11 personal info categories:
expected = {
'identifiers',
'commercial_info',
'biometric_info',
'internet_activity',
'geolocation_data',
'professional_or_employment',
'inferences',
}
# Test asserts every category present in response (NULL acceptable):
for cat in expected:
assert cat in body
def test_deletion_request_completes_within_45_days():
request = DeletionRequest.create(consumer_email='[email protected]')
# CCPA: 45 days, extendable by 45 more (90 max) with notice
deadline = request.received_at + timedelta(days=45)
completion = DeletionRequest.objects.get(id=request.id)
assert completion.status == 'completed'
assert completion.completed_at <= deadline
def test_limit_sensitive_pi_use():
# Consumer requests limit on sensitive PI (per CPRA SPI categories)
submit_limit_request(consumer='[email protected]')
# Subsequent processing MUST NOT use SPI for inference / advertising:
response = client.get('/recommendations', headers={'X-Consumer-Email': '[email protected]'})
# Recommendations engine MUST NOT use SPI (geolocation, racial, religious, etc.):
used_features = response.json()['feature_attribution']
forbidden_spi = {'precise_geolocation', 'racial_ethnic', 'religious', 'union_membership'}
for feature in used_features:
assert feature not in forbidden_spi
def test_correction_request_updates_records_within_45_days():
submit_correction(consumer='[email protected]', field='name', value='Alice Smith')
deadline = timezone.now() + timedelta(days=45)
# All systems must reflect the correction:
assert User.objects.get(email='[email protected]').name == 'Alice Smith'
assert BillingRecord.objects.get(user_email='[email protected]').name == 'Alice Smith'
# Third parties that received the prior incorrect value must be notified:
assert NotificationLog.objects.filter(
type='correction_propagation',
recipient='[email protected]',
).exists()
def test_privacy_policy_disclosed_at_collection():
# Every PI collection point must disclose categories + purposes
response = client.get('/signup')
assert 'privacy-notice' in response.text
assert any(link in response.text for link in [
'/do-not-sell-or-share',
'/limit-sensitive-pi-use',
])
# Disclosed categories MUST match what's actually collected
disclosed = parse_privacy_notice(response.text)
actual = analyze_signup_form(response.text)
assert disclosed >= actual # disclosure is superset of collection
| Category | Examples |
|---|---|
| Government IDs | SSN, driver's license, passport, alien registration |
| Account login + credentials | Username + password / security questions |
| Precise geolocation | <1850 ft / 564 m radius |
| Racial / ethnic origin | Self-reported demographics |
| Religious / philosophical beliefs | Religious affiliation |
| Union membership | Trade union status |
| Communication content | Email body, SMS body, message content |
| Genetic data | DNA test results |
| Biometric for unique identification | Faceprint, voiceprint, fingerprint |
| Health info | Medical history, medications |
| Sexual orientation / sex life | Self-reported orientation |
Test patterns above (§1798.121) protect these categories specifically.
| Anti-pattern | Why it fails | Fix |
|---|---|---|
| Honor opt-out cookie but ignore GPC header | CPRA mandates GPC support | Step §1798.135 GPC test |
| Right-to-know returns only main app data | Misses analytics, CRM | Multi-system response (Step §1798.110) |
| Correction propagated only locally | Third parties retain incorrect data | Notification log assertion (Step §1798.106) |
| SPI categorical restriction tested only at API edge | Inference engines bypass | Feature-attribution-level test (Step §1798.121) |
| Test fixtures use real California PII | CCPA violation in tests | synthetic-pii-generator |
gdpr-test-patterns - sister: EU analoguesynthetic-pii-generator -
safe test data generationaudit-trail-test-author - audit log requirementscompliance-readiness-reviewer - agentnpx claudepluginhub testland/qa --plugin qa-complianceProvides CDSS development patterns for drug interaction checking, dose validation, clinical scoring (NEWS2, qSOFA), and alert classification integrated into EMR workflows.