CCPA Compliance for ChatGPT Apps: Privacy Implementation Guide
The California Consumer Privacy Act (CCPA) fundamentally changed how businesses handle consumer data in the United States. For ChatGPT app developers, CCPA compliance isn't optional if you serve California residents—it's a legal requirement with penalties up to $7,500 per intentional violation. This comprehensive guide provides everything you need to implement CCPA-compliant data practices in your ChatGPT applications.
ChatGPT apps present unique CCPA challenges. Conversational AI systems collect extensive personal information through natural language interactions, share data with OpenAI's infrastructure, and often integrate third-party services. Each touchpoint creates compliance obligations: consumer rights requests, opt-out mechanisms, data mapping, and transparent privacy notices.
Whether you're building a customer service chatbot, personal assistant app, or industry-specific AI solution, this guide delivers production-ready code examples and architectural patterns for CCPA compliance. We'll cover the four core consumer rights, technical implementation strategies, consent management systems, and audit logging frameworks. By the end, you'll have a complete blueprint for California privacy law compliance.
The stakes are high: Non-compliance can result in civil penalties, class action lawsuits, and reputational damage. But with proper implementation, CCPA compliance becomes a competitive advantage that builds consumer trust and demonstrates data stewardship.
Understanding CCPA Requirements for ChatGPT Apps
What CCPA Covers
The CCPA applies to for-profit businesses that collect California residents' personal information and meet at least one threshold: annual gross revenues exceeding $25 million, buy/sell personal information of 50,000+ consumers annually, or derive 50% or more of annual revenues from selling personal information.
Personal information under CCPA is broadly defined as information that identifies, relates to, describes, or could reasonably be linked with a particular consumer or household. For ChatGPT apps, this includes:
- Conversation histories and message content
- User identifiers (email, user ID, session tokens)
- Usage data (timestamps, feature interactions, preferences)
- Device information (IP address, browser fingerprint)
- Inferences drawn from AI interactions (predicted interests, behavior patterns)
Four Core Consumer Rights
CCPA grants California consumers four fundamental rights that ChatGPT apps must support:
1. Right to Know: Consumers can request disclosure of personal information collected, sources, business purposes, third-party sharing, and specific pieces of data collected about them. You must respond within 45 days (90-day extension allowed with notice).
2. Right to Delete: Consumers can request deletion of their personal information, subject to certain exceptions (legal compliance, fraud detection, internal uses). You must delete from active systems and instruct service providers to delete.
3. Right to Opt-Out of Sale: If you sell personal information (broadly defined as sharing for monetary or other valuable consideration), consumers must be able to opt out. A "Do Not Sell My Personal Information" link must be prominently displayed.
4. Right to Non-Discrimination: You cannot discriminate against consumers who exercise CCPA rights by denying services, charging different prices, or providing different service levels, unless the difference is reasonably related to value provided by consumer data.
Business Obligations
Beyond consumer rights, CCPA imposes affirmative obligations:
- Privacy Notice: At or before collection, provide notice of categories of personal information collected and purposes of use
- Privacy Policy: Maintain a comprehensive privacy policy describing CCPA rights, data practices, and contact information
- Verification: Implement reasonable methods to verify consumer identity for rights requests
- Record-Keeping: Maintain records of consumer requests and responses for 24 months
- Training: Ensure personnel who handle consumer inquiries are trained on CCPA requirements
For ChatGPT apps using OpenAI's infrastructure, you're likely a "business" under CCPA, while OpenAI acts as your "service provider." This relationship requires a contract that restricts OpenAI's use of personal information to services specified in your agreement.
Data Mapping: Building Your Privacy Inventory
Before implementing CCPA rights, you must understand what personal information you collect, where it flows, and who accesses it. Data mapping creates this visibility.
Personal Information Inventory
Create a comprehensive inventory of all personal information your ChatGPT app collects:
// data-inventory.ts
export interface PersonalInformationCategory {
category: string;
ccpaCategory: CCPACategory;
examples: string[];
sources: DataSource[];
purposes: BusinessPurpose[];
retentionPeriod: string;
thirdPartySharing: ThirdPartyRecipient[];
}
export enum CCPACategory {
IDENTIFIERS = 'identifiers',
COMMERCIAL_INFO = 'commercial_information',
INTERNET_ACTIVITY = 'internet_activity',
GEOLOCATION = 'geolocation_data',
PROFESSIONAL_INFO = 'professional_information',
INFERENCES = 'inferences',
SENSITIVE_PERSONAL_INFO = 'sensitive_personal_information'
}
export const dataInventory: PersonalInformationCategory[] = [
{
category: 'User Account Data',
ccpaCategory: CCPACategory.IDENTIFIERS,
examples: ['Email address', 'User ID', 'Account creation date'],
sources: ['Direct collection during signup', 'OAuth providers'],
purposes: ['Account management', 'Authentication', 'Service delivery'],
retentionPeriod: 'Account lifetime + 90 days',
thirdPartySharing: [
{ name: 'OpenAI', purpose: 'ChatGPT infrastructure', category: 'Service Provider' },
{ name: 'SendGrid', purpose: 'Email delivery', category: 'Service Provider' }
]
},
{
category: 'Conversation Data',
ccpaCategory: CCPACategory.INTERNET_ACTIVITY,
examples: ['Chat messages', 'AI responses', 'Conversation context'],
sources: ['User interactions with ChatGPT interface'],
purposes: ['Service delivery', 'Model improvement', 'Quality assurance'],
retentionPeriod: '12 months from last interaction',
thirdPartySharing: [
{ name: 'OpenAI', purpose: 'AI processing', category: 'Service Provider' }
]
},
{
category: 'Usage Analytics',
ccpaCategory: CCPACategory.INTERNET_ACTIVITY,
examples: ['Feature usage', 'Session duration', 'Click paths'],
sources: ['Application telemetry', 'Analytics SDKs'],
purposes: ['Product improvement', 'Performance optimization'],
retentionPeriod: '24 months',
thirdPartySharing: [
{ name: 'Google Analytics', purpose: 'Analytics', category: 'Third Party' }
]
},
{
category: 'Inferred Preferences',
ccpaCategory: CCPACategory.INFERENCES,
examples: ['Topic interests', 'Usage patterns', 'Feature preferences'],
sources: ['Derived from user interactions'],
purposes: ['Personalization', 'Recommendations'],
retentionPeriod: '18 months from derivation',
thirdPartySharing: []
}
];
// Data flow mapper
export class DataFlowMapper {
private inventory: PersonalInformationCategory[];
constructor(inventory: PersonalInformationCategory[]) {
this.inventory = inventory;
}
// Generate data flow diagram data
generateFlowMap(): DataFlow[] {
const flows: DataFlow[] = [];
this.inventory.forEach(category => {
category.sources.forEach(source => {
flows.push({
from: source,
to: 'Application Database',
dataCategory: category.category,
ccpaCategory: category.ccpaCategory
});
});
category.thirdPartySharing.forEach(recipient => {
flows.push({
from: 'Application Database',
to: recipient.name,
dataCategory: category.category,
ccpaCategory: category.ccpaCategory,
recipientType: recipient.category
});
});
});
return flows;
}
// Identify data sales (CCPA definition)
identifyDataSales(): DataSale[] {
const sales: DataSale[] = [];
this.inventory.forEach(category => {
category.thirdPartySharing
.filter(recipient => recipient.category === 'Third Party')
.forEach(recipient => {
sales.push({
category: category.category,
ccpaCategory: category.ccpaCategory,
recipient: recipient.name,
purpose: recipient.purpose,
isOptedOut: false // User-specific, default false
});
});
});
return sales;
}
// Generate privacy notice content
generatePrivacyNotice(): PrivacyNotice {
const categories = this.inventory.map(cat => ({
category: cat.ccpaCategory,
purposes: cat.purposes,
retention: cat.retentionPeriod
}));
const thirdParties = this.inventory
.flatMap(cat => cat.thirdPartySharing)
.filter((recipient, index, self) =>
self.findIndex(r => r.name === recipient.name) === index
);
return {
categoriesCollected: categories,
thirdPartyRecipients: thirdParties,
dataRetentionPolicies: this.inventory.map(cat => ({
category: cat.category,
period: cat.retentionPeriod
}))
};
}
}
interface DataFlow {
from: string;
to: string;
dataCategory: string;
ccpaCategory: CCPACategory;
recipientType?: string;
}
interface DataSale {
category: string;
ccpaCategory: CCPACategory;
recipient: string;
purpose: string;
isOptedOut: boolean;
}
interface PrivacyNotice {
categoriesCollected: Array<{
category: CCPACategory;
purposes: string[];
retention: string;
}>;
thirdPartyRecipients: ThirdPartyRecipient[];
dataRetentionPolicies: Array<{
category: string;
period: string;
}>;
}
interface ThirdPartyRecipient {
name: string;
purpose: string;
category: 'Service Provider' | 'Third Party';
}
type DataSource = string;
type BusinessPurpose = string;
This data mapping framework creates a single source of truth for your privacy practices, essential for responding to consumer rights requests and maintaining compliance documentation.
Consent Management and Opt-Out Mechanisms
CCPA requires clear, conspicuous mechanisms for consumers to exercise their rights, particularly the right to opt out of data sales.
Do Not Sell My Personal Information
If your ChatGPT app shares personal information with third parties for valuable consideration (broadly interpreted under CCPA), you must provide a "Do Not Sell My Personal Information" link:
// ccpa-consent-manager.ts
import { v4 as uuidv4 } from 'uuid';
export interface ConsentPreferences {
userId: string;
doNotSell: boolean;
limitedUseDisclosure: boolean; // CPRA addition
consentTimestamp: Date;
consentMethod: 'explicit' | 'implicit';
ipAddress: string;
userAgent: string;
}
export interface OptOutRequest {
requestId: string;
userId: string;
email: string;
requestDate: Date;
processedDate?: Date;
status: 'pending' | 'verified' | 'processed' | 'rejected';
verificationToken?: string;
verificationExpiry?: Date;
}
export class CCPAConsentManager {
private db: DatabaseConnection;
private emailService: EmailService;
constructor(db: DatabaseConnection, emailService: EmailService) {
this.db = db;
this.emailService = emailService;
}
// Handle "Do Not Sell" opt-out request
async createOptOutRequest(
userId: string,
email: string,
ipAddress: string
): Promise<OptOutRequest> {
const requestId = uuidv4();
const verificationToken = this.generateVerificationToken();
const verificationExpiry = new Date(Date.now() + 24 * 60 * 60 * 1000); // 24 hours
const request: OptOutRequest = {
requestId,
userId,
email,
requestDate: new Date(),
status: 'pending',
verificationToken,
verificationExpiry
};
await this.db.query(
`INSERT INTO ccpa_opt_out_requests
(request_id, user_id, email, request_date, status, verification_token, verification_expiry)
VALUES ($1, $2, $3, $4, $5, $6, $7)`,
[requestId, userId, email, request.requestDate, request.status, verificationToken, verificationExpiry]
);
// Send verification email
await this.sendVerificationEmail(email, verificationToken);
// Log request
await this.auditLog('OPT_OUT_REQUEST_CREATED', userId, { requestId });
return request;
}
// Verify and process opt-out
async verifyOptOut(verificationToken: string): Promise<boolean> {
const result = await this.db.query(
`SELECT * FROM ccpa_opt_out_requests
WHERE verification_token = $1
AND verification_expiry > NOW()
AND status = 'pending'`,
[verificationToken]
);
if (result.rows.length === 0) {
return false;
}
const request = result.rows[0];
// Update request status
await this.db.query(
`UPDATE ccpa_opt_out_requests
SET status = 'verified', processed_date = NOW()
WHERE request_id = $1`,
[request.request_id]
);
// Apply opt-out preference
await this.applyOptOutPreference(request.user_id);
// Notify third parties
await this.notifyThirdParties(request.user_id, 'OPT_OUT');
// Log completion
await this.auditLog('OPT_OUT_PROCESSED', request.user_id, {
requestId: request.request_id
});
return true;
}
// Apply opt-out preference to user profile
private async applyOptOutPreference(userId: string): Promise<void> {
const consent: ConsentPreferences = {
userId,
doNotSell: true,
limitedUseDisclosure: true,
consentTimestamp: new Date(),
consentMethod: 'explicit',
ipAddress: '', // Captured at request time
userAgent: ''
};
await this.db.query(
`INSERT INTO user_consent_preferences
(user_id, do_not_sell, limited_use_disclosure, consent_timestamp, consent_method)
VALUES ($1, $2, $3, $4, $5)
ON CONFLICT (user_id)
DO UPDATE SET
do_not_sell = EXCLUDED.do_not_sell,
limited_use_disclosure = EXCLUDED.limited_use_disclosure,
consent_timestamp = EXCLUDED.consent_timestamp`,
[userId, consent.doNotSell, consent.limitedUseDisclosure, consent.consentTimestamp, consent.consentMethod]
);
}
// Notify third-party service providers of opt-out
private async notifyThirdParties(userId: string, action: 'OPT_OUT' | 'OPT_IN'): Promise<void> {
// Example: Notify analytics provider
try {
await fetch('https://analytics-provider.com/api/privacy-preferences', {
method: 'POST',
headers: {
'Authorization': `Bearer ${process.env.ANALYTICS_API_KEY}`,
'Content-Type': 'application/json'
},
body: JSON.stringify({
userId,
doNotSell: action === 'OPT_OUT',
timestamp: new Date().toISOString()
})
});
} catch (error) {
console.error('Failed to notify third party:', error);
// Log failure for manual follow-up
await this.auditLog('THIRD_PARTY_NOTIFICATION_FAILED', userId, {
action,
error: error.message
});
}
}
// Check if user has opted out
async hasOptedOut(userId: string): Promise<boolean> {
const result = await this.db.query(
`SELECT do_not_sell FROM user_consent_preferences WHERE user_id = $1`,
[userId]
);
return result.rows.length > 0 && result.rows[0].do_not_sell === true;
}
// Generate secure verification token
private generateVerificationToken(): string {
return uuidv4() + '-' + Date.now().toString(36);
}
// Send verification email
private async sendVerificationEmail(email: string, token: string): Promise<void> {
const verificationUrl = `${process.env.APP_URL}/privacy/verify-opt-out?token=${token}`;
await this.emailService.send({
to: email,
subject: 'Verify Your "Do Not Sell" Request',
html: `
<h2>Verify Your Privacy Request</h2>
<p>You requested to opt out of the sale of your personal information.</p>
<p>To complete this request, please click the link below within 24 hours:</p>
<p><a href="${verificationUrl}">Verify Opt-Out Request</a></p>
<p>If you did not make this request, you can safely ignore this email.</p>
`
});
}
// Audit logging
private async auditLog(action: string, userId: string, metadata: any): Promise<void> {
await this.db.query(
`INSERT INTO ccpa_audit_log (action, user_id, metadata, timestamp)
VALUES ($1, $2, $3, NOW())`,
[action, userId, JSON.stringify(metadata)]
);
}
}
This consent manager handles the complete opt-out workflow: request creation, verification, preference application, and third-party notification—all with comprehensive audit logging.
Consumer Rights Portal: Access and Deletion Requests
CCPA requires verifiable consumer rights request mechanisms. Here's a production-ready implementation:
// consumer-rights-portal.ts
export interface AccessRequest {
requestId: string;
userId: string;
email: string;
requestType: 'access' | 'deletion' | 'portability';
requestDate: Date;
verificationMethod: 'email' | 'account_login' | 'manual';
verificationStatus: 'pending' | 'verified' | 'failed';
processingStatus: 'received' | 'in_progress' | 'completed' | 'rejected';
completionDate?: Date;
rejectionReason?: string;
deliveryMethod?: 'email' | 'download_portal' | 'mail';
}
export class ConsumerRightsPortal {
private db: DatabaseConnection;
private emailService: EmailService;
private dataExporter: DataExporter;
// Submit access request (Right to Know)
async submitAccessRequest(
userId: string,
email: string,
requestType: 'access' | 'deletion' | 'portability'
): Promise<AccessRequest> {
const requestId = uuidv4();
const request: AccessRequest = {
requestId,
userId,
email,
requestType,
requestDate: new Date(),
verificationMethod: 'email',
verificationStatus: 'pending',
processingStatus: 'received'
};
await this.db.query(
`INSERT INTO ccpa_access_requests
(request_id, user_id, email, request_type, request_date, verification_status, processing_status)
VALUES ($1, $2, $3, $4, $5, $6, $7)`,
[requestId, userId, email, requestType, request.requestDate,
request.verificationStatus, request.processingStatus]
);
// Send verification email
await this.sendAccessRequestVerification(email, requestId, requestType);
// Log request
await this.auditLog('ACCESS_REQUEST_SUBMITTED', userId, { requestId, requestType });
// Send confirmation to user (separate from verification)
await this.sendRequestConfirmation(email, requestId, requestType);
return request;
}
// Verify consumer identity
async verifyIdentity(requestId: string, verificationToken: string): Promise<boolean> {
const result = await this.db.query(
`SELECT * FROM ccpa_access_requests WHERE request_id = $1`,
[requestId]
);
if (result.rows.length === 0) {
return false;
}
const request = result.rows[0];
// Verify token (stored separately in verification_tokens table)
const tokenResult = await this.db.query(
`SELECT * FROM verification_tokens
WHERE request_id = $1
AND token = $2
AND expiry > NOW()
AND used = false`,
[requestId, verificationToken]
);
if (tokenResult.rows.length === 0) {
await this.db.query(
`UPDATE ccpa_access_requests
SET verification_status = 'failed'
WHERE request_id = $1`,
[requestId]
);
return false;
}
// Mark token as used
await this.db.query(
`UPDATE verification_tokens SET used = true WHERE request_id = $1`,
[requestId]
);
// Update request status
await this.db.query(
`UPDATE ccpa_access_requests
SET verification_status = 'verified', processing_status = 'in_progress'
WHERE request_id = $1`,
[requestId]
);
// Trigger processing based on request type
if (request.request_type === 'access' || request.request_type === 'portability') {
await this.processAccessRequest(requestId);
} else if (request.request_type === 'deletion') {
await this.processDeletionRequest(requestId);
}
await this.auditLog('IDENTITY_VERIFIED', request.user_id, { requestId });
return true;
}
// Process access request - collect all personal information
private async processAccessRequest(requestId: string): Promise<void> {
const request = await this.getRequest(requestId);
try {
// Collect personal information from all sources
const personalData = await this.collectPersonalInformation(request.userId);
// Generate report
const report = await this.dataExporter.generateAccessReport(personalData);
// Store report securely
const reportUrl = await this.storeReport(requestId, report);
// Update request status
await this.db.query(
`UPDATE ccpa_access_requests
SET processing_status = 'completed',
completion_date = NOW(),
delivery_method = 'download_portal'
WHERE request_id = $1`,
[requestId]
);
// Notify consumer
await this.sendReportAvailableNotification(request.email, reportUrl, requestId);
await this.auditLog('ACCESS_REQUEST_COMPLETED', request.userId, {
requestId,
reportUrl
});
} catch (error) {
await this.db.query(
`UPDATE ccpa_access_requests
SET processing_status = 'rejected',
rejection_reason = $2
WHERE request_id = $1`,
[requestId, error.message]
);
await this.auditLog('ACCESS_REQUEST_FAILED', request.userId, {
requestId,
error: error.message
});
}
}
// Collect all personal information for user
private async collectPersonalInformation(userId: string): Promise<PersonalDataReport> {
const [account, conversations, preferences, usage, inferences] = await Promise.all([
this.db.query('SELECT * FROM users WHERE user_id = $1', [userId]),
this.db.query('SELECT * FROM conversations WHERE user_id = $1', [userId]),
this.db.query('SELECT * FROM user_preferences WHERE user_id = $1', [userId]),
this.db.query('SELECT * FROM usage_analytics WHERE user_id = $1', [userId]),
this.db.query('SELECT * FROM user_inferences WHERE user_id = $1', [userId])
]);
return {
accountInformation: account.rows[0],
conversationHistory: conversations.rows,
preferences: preferences.rows,
usageAnalytics: usage.rows,
inferences: inferences.rows,
thirdPartySharing: await this.getThirdPartySharing(userId),
dataRetention: await this.getRetentionPolicies(),
collectionSources: await this.getCollectionSources(userId)
};
}
// Process deletion request
private async processDeletionRequest(requestId: string): Promise<void> {
const request = await this.getRequest(requestId);
try {
// Check for deletion exceptions
const exceptions = await this.checkDeletionExceptions(request.userId);
if (exceptions.length > 0) {
await this.db.query(
`UPDATE ccpa_access_requests
SET processing_status = 'rejected',
rejection_reason = $2
WHERE request_id = $1`,
[requestId, `Deletion cannot be completed due to: ${exceptions.join(', ')}`]
);
await this.sendDeletionRejectionNotice(request.email, exceptions);
return;
}
// Delete personal information from all systems
await this.deletePersonalInformation(request.userId);
// Notify service providers to delete
await this.notifyServiceProvidersToDelete(request.userId);
// Update request status
await this.db.query(
`UPDATE ccpa_access_requests
SET processing_status = 'completed', completion_date = NOW()
WHERE request_id = $1`,
[requestId]
);
// Send confirmation
await this.sendDeletionConfirmation(request.email, requestId);
await this.auditLog('DELETION_REQUEST_COMPLETED', request.userId, { requestId });
} catch (error) {
await this.db.query(
`UPDATE ccpa_access_requests
SET processing_status = 'rejected', rejection_reason = $2
WHERE request_id = $1`,
[requestId, error.message]
);
await this.auditLog('DELETION_REQUEST_FAILED', request.userId, {
requestId,
error: error.message
});
}
}
// Delete personal information (with exceptions)
private async deletePersonalInformation(userId: string): Promise<void> {
await this.db.query('BEGIN');
try {
// Delete from primary tables
await this.db.query('DELETE FROM conversations WHERE user_id = $1', [userId]);
await this.db.query('DELETE FROM user_preferences WHERE user_id = $1', [userId]);
await this.db.query('DELETE FROM usage_analytics WHERE user_id = $1', [userId]);
await this.db.query('DELETE FROM user_inferences WHERE user_id = $1', [userId]);
// Anonymize rather than delete user account (to maintain referential integrity)
await this.db.query(
`UPDATE users
SET email = $2,
first_name = 'DELETED',
last_name = 'DELETED',
deleted_at = NOW(),
deletion_reason = 'CCPA_REQUEST'
WHERE user_id = $1`,
[userId, `deleted_${userId}@example.com`]
);
await this.db.query('COMMIT');
} catch (error) {
await this.db.query('ROLLBACK');
throw error;
}
}
// Check for deletion exceptions (CCPA allows certain exceptions)
private async checkDeletionExceptions(userId: string): Promise<string[]> {
const exceptions: string[] = [];
// Check for active transactions
const transactions = await this.db.query(
'SELECT COUNT(*) FROM transactions WHERE user_id = $1 AND status = $2',
[userId, 'pending']
);
if (parseInt(transactions.rows[0].count) > 0) {
exceptions.push('Active transactions requiring completion');
}
// Check for legal hold
const legalHold = await this.db.query(
'SELECT COUNT(*) FROM legal_holds WHERE user_id = $1 AND active = true',
[userId]
);
if (parseInt(legalHold.rows[0].count) > 0) {
exceptions.push('Legal obligation to retain data');
}
// Check for security/fraud detection needs
const securityFlags = await this.db.query(
'SELECT COUNT(*) FROM security_incidents WHERE user_id = $1 AND resolved = false',
[userId]
);
if (parseInt(securityFlags.rows[0].count) > 0) {
exceptions.push('Security incident investigation in progress');
}
return exceptions;
}
// Helper methods
private async getRequest(requestId: string): Promise<any> {
const result = await this.db.query(
'SELECT * FROM ccpa_access_requests WHERE request_id = $1',
[requestId]
);
return result.rows[0];
}
private async sendAccessRequestVerification(
email: string,
requestId: string,
requestType: string
): Promise<void> {
const token = uuidv4();
const expiry = new Date(Date.now() + 24 * 60 * 60 * 1000);
await this.db.query(
`INSERT INTO verification_tokens (request_id, token, expiry, used)
VALUES ($1, $2, $3, false)`,
[requestId, token, expiry]
);
const verificationUrl = `${process.env.APP_URL}/privacy/verify?request=${requestId}&token=${token}`;
await this.emailService.send({
to: email,
subject: `Verify Your CCPA ${requestType} Request`,
html: `
<h2>Verify Your Privacy Rights Request</h2>
<p>You requested to ${requestType} your personal information.</p>
<p>To verify your identity and complete this request, click the link below:</p>
<p><a href="${verificationUrl}">Verify Identity</a></p>
<p>This link expires in 24 hours.</p>
<p>Request ID: ${requestId}</p>
`
});
}
private async auditLog(action: string, userId: string, metadata: any): Promise<void> {
await this.db.query(
`INSERT INTO ccpa_audit_log (action, user_id, metadata, timestamp)
VALUES ($1, $2, $3, NOW())`,
[action, userId, JSON.stringify(metadata)]
);
}
}
interface PersonalDataReport {
accountInformation: any;
conversationHistory: any[];
preferences: any[];
usageAnalytics: any[];
inferences: any[];
thirdPartySharing: any[];
dataRetention: any[];
collectionSources: any[];
}
This rights portal handles the complete workflow for access, deletion, and portability requests with identity verification, exception handling, and comprehensive audit trails.
Technical Implementation and Database Design
Database Schema for CCPA Compliance
-- User consent preferences
CREATE TABLE user_consent_preferences (
user_id UUID PRIMARY KEY,
do_not_sell BOOLEAN DEFAULT false,
limited_use_disclosure BOOLEAN DEFAULT false,
consent_timestamp TIMESTAMP NOT NULL,
consent_method VARCHAR(20) CHECK (consent_method IN ('explicit', 'implicit')),
ip_address INET,
user_agent TEXT,
updated_at TIMESTAMP DEFAULT NOW()
);
-- Opt-out requests
CREATE TABLE ccpa_opt_out_requests (
request_id UUID PRIMARY KEY,
user_id UUID NOT NULL,
email VARCHAR(255) NOT NULL,
request_date TIMESTAMP NOT NULL,
processed_date TIMESTAMP,
status VARCHAR(20) CHECK (status IN ('pending', 'verified', 'processed', 'rejected')),
verification_token VARCHAR(255),
verification_expiry TIMESTAMP,
created_at TIMESTAMP DEFAULT NOW()
);
-- Access/deletion requests
CREATE TABLE ccpa_access_requests (
request_id UUID PRIMARY KEY,
user_id UUID NOT NULL,
email VARCHAR(255) NOT NULL,
request_type VARCHAR(20) CHECK (request_type IN ('access', 'deletion', 'portability')),
request_date TIMESTAMP NOT NULL,
verification_method VARCHAR(20),
verification_status VARCHAR(20) CHECK (verification_status IN ('pending', 'verified', 'failed')),
processing_status VARCHAR(20) CHECK (processing_status IN ('received', 'in_progress', 'completed', 'rejected')),
completion_date TIMESTAMP,
rejection_reason TEXT,
delivery_method VARCHAR(20),
created_at TIMESTAMP DEFAULT NOW()
);
-- Verification tokens
CREATE TABLE verification_tokens (
token_id SERIAL PRIMARY KEY,
request_id UUID NOT NULL,
token VARCHAR(255) UNIQUE NOT NULL,
expiry TIMESTAMP NOT NULL,
used BOOLEAN DEFAULT false,
created_at TIMESTAMP DEFAULT NOW(),
FOREIGN KEY (request_id) REFERENCES ccpa_access_requests(request_id)
);
-- CCPA audit log (required 24-month retention)
CREATE TABLE ccpa_audit_log (
log_id SERIAL PRIMARY KEY,
action VARCHAR(100) NOT NULL,
user_id UUID,
metadata JSONB,
timestamp TIMESTAMP NOT NULL,
ip_address INET,
user_agent TEXT
);
CREATE INDEX idx_audit_log_user ON ccpa_audit_log(user_id);
CREATE INDEX idx_audit_log_timestamp ON ccpa_audit_log(timestamp);
CREATE INDEX idx_audit_log_action ON ccpa_audit_log(action);
-- Data inventory tracking
CREATE TABLE data_inventory (
category_id SERIAL PRIMARY KEY,
category_name VARCHAR(100) NOT NULL,
ccpa_category VARCHAR(50) NOT NULL,
examples TEXT[],
sources TEXT[],
purposes TEXT[],
retention_period VARCHAR(100),
third_party_sharing JSONB,
last_updated TIMESTAMP DEFAULT NOW()
);
-- Third-party data sharing log
CREATE TABLE third_party_sharing_log (
log_id SERIAL PRIMARY KEY,
user_id UUID NOT NULL,
recipient_name VARCHAR(100) NOT NULL,
data_category VARCHAR(100) NOT NULL,
purpose TEXT NOT NULL,
sharing_date TIMESTAMP NOT NULL,
opt_out_status BOOLEAN DEFAULT false
);
CREATE INDEX idx_sharing_log_user ON third_party_sharing_log(user_id);
Data Export Generator
// data-export-generator.ts
import { createObjectCsvWriter } from 'csv-writer';
import PDFDocument from 'pdfkit';
import { S3Client, PutObjectCommand } from '@aws-sdk/client-s3';
export class DataExporter {
private s3Client: S3Client;
constructor() {
this.s3Client = new S3Client({ region: process.env.AWS_REGION });
}
// Generate comprehensive access report
async generateAccessReport(personalData: PersonalDataReport): Promise<string> {
const reportId = uuidv4();
const timestamp = new Date().toISOString();
// Create PDF report
const pdfBuffer = await this.generatePDFReport(personalData, reportId, timestamp);
// Create CSV exports for structured data
const csvFiles = await this.generateCSVExports(personalData, reportId);
// Create ZIP archive
const zipBuffer = await this.createZipArchive(pdfBuffer, csvFiles, reportId);
// Upload to secure storage
const reportUrl = await this.uploadReport(zipBuffer, reportId);
return reportUrl;
}
// Generate PDF summary report
private async generatePDFReport(
data: PersonalDataReport,
reportId: string,
timestamp: string
): Promise<Buffer> {
return new Promise((resolve, reject) => {
const doc = new PDFDocument();
const buffers: Buffer[] = [];
doc.on('data', buffers.push.bind(buffers));
doc.on('end', () => resolve(Buffer.concat(buffers)));
doc.on('error', reject);
// Title page
doc.fontSize(24).text('CCPA Personal Information Report', { align: 'center' });
doc.moveDown();
doc.fontSize(12).text(`Report ID: ${reportId}`);
doc.text(`Generated: ${timestamp}`);
doc.moveDown(2);
// Account information section
doc.fontSize(18).text('Account Information');
doc.moveDown();
doc.fontSize(12);
doc.text(`Email: ${data.accountInformation.email}`);
doc.text(`Account Created: ${data.accountInformation.created_at}`);
doc.text(`Account Status: ${data.accountInformation.status}`);
doc.moveDown(2);
// Data categories collected
doc.fontSize(18).text('Categories of Personal Information Collected');
doc.moveDown();
doc.fontSize(12);
doc.list([
'Identifiers (email, user ID)',
'Internet activity (conversation history, usage analytics)',
'Inferences (derived preferences and interests)',
'Commercial information (subscription details)'
]);
doc.moveDown(2);
// Third-party sharing
doc.fontSize(18).text('Third-Party Data Sharing');
doc.moveDown();
doc.fontSize(12);
data.thirdPartySharing.forEach(recipient => {
doc.text(`• ${recipient.name} - ${recipient.purpose}`);
});
doc.moveDown(2);
// Data retention
doc.fontSize(18).text('Data Retention Policies');
doc.moveDown();
doc.fontSize(12);
data.dataRetention.forEach(policy => {
doc.text(`• ${policy.category}: ${policy.period}`);
});
doc.moveDown(2);
// Consumer rights
doc.fontSize(18).text('Your Privacy Rights');
doc.moveDown();
doc.fontSize(12);
doc.text('You have the right to:');
doc.list([
'Request access to your personal information (this report)',
'Request deletion of your personal information',
'Opt out of the sale of your personal information',
'Non-discrimination for exercising your rights'
]);
doc.moveDown();
doc.text('To exercise these rights, visit: https://makeaihq.com/privacy/consumer-rights');
doc.end();
});
}
// Generate CSV exports for structured data
private async generateCSVExports(
data: PersonalDataReport,
reportId: string
): Promise<Map<string, Buffer>> {
const csvFiles = new Map<string, Buffer>();
// Conversation history CSV
const conversationsCsv = await this.generateConversationsCSV(data.conversationHistory);
csvFiles.set('conversations.csv', conversationsCsv);
// Usage analytics CSV
const analyticsCsv = await this.generateAnalyticsCSV(data.usageAnalytics);
csvFiles.set('usage_analytics.csv', analyticsCsv);
// Inferences CSV
const inferencesCsv = await this.generateInferencesCSV(data.inferences);
csvFiles.set('inferences.csv', inferencesCsv);
return csvFiles;
}
private async generateConversationsCSV(conversations: any[]): Promise<Buffer> {
const csvWriter = createObjectCsvWriter({
path: '/tmp/conversations.csv',
header: [
{ id: 'conversation_id', title: 'Conversation ID' },
{ id: 'created_at', title: 'Date' },
{ id: 'message_count', title: 'Messages' },
{ id: 'topic', title: 'Topic' }
]
});
await csvWriter.writeRecords(conversations);
return fs.readFileSync('/tmp/conversations.csv');
}
// Upload report to secure storage with expiring URL
private async uploadReport(zipBuffer: Buffer, reportId: string): Promise<string> {
const key = `ccpa-reports/${reportId}.zip`;
await this.s3Client.send(new PutObjectCommand({
Bucket: process.env.REPORTS_BUCKET,
Key: key,
Body: zipBuffer,
ContentType: 'application/zip',
ServerSideEncryption: 'AES256',
Metadata: {
reportType: 'ccpa_access',
generatedAt: new Date().toISOString()
}
}));
// Generate presigned URL (valid for 7 days)
const url = await getSignedUrl(this.s3Client, new GetObjectCommand({
Bucket: process.env.REPORTS_BUCKET,
Key: key
}), { expiresIn: 7 * 24 * 60 * 60 });
return url;
}
}
Compliance Monitoring and Reporting
// ccpa-compliance-reporter.ts
export class CCPAComplianceReporter {
private db: DatabaseConnection;
// Generate monthly compliance report
async generateMonthlyReport(month: Date): Promise<ComplianceReport> {
const startDate = new Date(month.getFullYear(), month.getMonth(), 1);
const endDate = new Date(month.getFullYear(), month.getMonth() + 1, 0);
const [accessRequests, deletionRequests, optOutRequests, auditStats] = await Promise.all([
this.getAccessRequestStats(startDate, endDate),
this.getDeletionRequestStats(startDate, endDate),
this.getOptOutRequestStats(startDate, endDate),
this.getAuditLogStats(startDate, endDate)
]);
return {
period: { start: startDate, end: endDate },
accessRequests,
deletionRequests,
optOutRequests,
auditStats,
complianceScore: this.calculateComplianceScore({
accessRequests,
deletionRequests,
optOutRequests
})
};
}
// Calculate compliance score based on response times
private calculateComplianceScore(stats: any): number {
let score = 100;
// Deduct points for late responses (>45 days)
if (stats.accessRequests.averageResponseDays > 45) {
score -= 20;
}
if (stats.deletionRequests.averageResponseDays > 45) {
score -= 20;
}
// Deduct points for high rejection rate
if (stats.accessRequests.rejectionRate > 0.1) {
score -= 10;
}
return Math.max(0, score);
}
// Check for requests approaching deadline
async getRequestsNearingDeadline(): Promise<any[]> {
const result = await this.db.query(
`SELECT * FROM ccpa_access_requests
WHERE processing_status IN ('received', 'in_progress')
AND request_date < NOW() - INTERVAL '40 days'
ORDER BY request_date ASC`
);
return result.rows;
}
}
interface ComplianceReport {
period: { start: Date; end: Date };
accessRequests: any;
deletionRequests: any;
optOutRequests: any;
auditStats: any;
complianceScore: number;
}
Conclusion: Building Consumer Trust Through Privacy
CCPA compliance for ChatGPT apps requires technical infrastructure, operational processes, and cultural commitment to privacy. The frameworks presented in this guide—data mapping, consent management, consumer rights portals, and audit logging—create a complete compliance foundation.
Key implementation priorities:
- Data mapping first: You cannot comply with rights requests without knowing what data you collect and where it lives
- Automate verification: Manual identity verification doesn't scale; use email verification and account login
- Build audit trails: 24-month audit log retention is mandatory; comprehensive logging protects your business
- Test deletion workflows: Ensure deletion cascades properly across all systems and service providers
- Monitor deadlines: 45-day response window is strict; implement deadline tracking and alerts
CCPA compliance isn't just legal obligation—it's competitive advantage. Consumers increasingly choose privacy-respecting services, and demonstrating robust data stewardship builds trust that translates to customer loyalty.
Ready to build CCPA-compliant ChatGPT apps without legal headaches? MakeAIHQ provides built-in privacy infrastructure with automated consent management, one-click data export, and comprehensive audit logging. Our no-code platform handles the technical complexity so you can focus on creating value for your users.
Start building privacy-first ChatGPT apps today with our 7-day free trial—no credit card required.
Further reading:
- GDPR Compliance for ChatGPT Apps: EU Privacy Implementation
- ChatGPT App Privacy Policies: Legal Requirements Guide
- Data Security for ChatGPT Apps: Encryption and Protection
- California Privacy Rights Act (CPRA): 2023 Updates for ChatGPT Apps
- OAuth 2.1 Authentication for ChatGPT Apps: Security Best Practices
- ChatGPT App Terms of Service: Legal Templates and Compliance
- Healthcare ChatGPT Apps: HIPAA Compliance Implementation
External resources: