Every mishandled opt-out has a price. We developed a causal model that computes that price before the regulator does — and identifies which compliance gaps carry the most exposure.
A mid-size consumer app — 8.3 million California users, precise geolocation data — passed its annual CCPA audit. The opt-out link was present. Requests were logged. Service provider contracts were signed. What the audit missed: a backend defect introduced during a platform migration had silently broken opt-out execution for fourteen months. By the time a CPPA complaint sweep surfaced the defect, 340,000 logged opt-out requests had gone unexecuted and the data had been shared with eleven advertising partners.
Three weeks into the CPPA investigation, an account compromise at one of those partners exposed 180,000 records — all belonging to consumers whose data should not have been there. A class action followed simultaneously. Three questions the compliance checklist could not answer drove the next eight months of legal strategy.
Why a Causal Model
CCPA/CPRA exposes organizations to two simultaneous enforcement paths that a checklist treats as independent but a causal model encodes as sharing a common upstream. CPPA enforcement flows from Consumer Complaints, Service Provider Oversight failures, and Data Breach. Private litigation flows from Data Breach, Data Volume, and Security Safeguards. Both paths share the Data Breach node. That shared structure means the combined exposure cannot be computed by adding two separate legal estimates — it must be read from the joint distribution over a single integrated model.
| Analysis Component | Standard Approach | Causal Approach |
|---|---|---|
| Joint CPPA + class action exposure | Two separate legal estimates; combined total assumed additive | Both paths share the Data Breach node; joint exposure computed from the combined distribution — not additive |
| Effect of strong company security safeguards | Qualitative judgment: “probably reduces exposure”; no separation of company vs. partner causation | do(Security Safeguards = Strong) severs the edge from Org Maturity; shifts causal attribution for the breach to the partner; P(Class Action) drops from 52% to 3.2% |
| Counterfactual cost of the opt-out defect | Cannot answer — the checklist records current state, not counterfactual alternatives | Abduct to actual events, then do(Opt-Out = Compliant): $0.4M vs $4.7M actual; $4.3M attributable specifically to the backend defect |
The Questions
- What would total exposure have been if the opt-out mechanism had worked correctly? — Rung 3 (Counterfactual). The model abducts to the actual conditions (defect active, breach occurred, class action filed), then changes only the Opt-Out Execution node to Compliant — both Data Breach and Private Litigation shift simultaneously, revealing the $4.3M attributable specifically to the defect.
- What happens to class action probability if we invest in Security Safeguards independently of broader organizational maturity? — Rung 2 (Intervention). A do(Security Safeguards = Strong) query severs the edge from Organization Maturity to Security Safeguards, separating the causal effect of the safeguard from the organizational confound and shifting attribution for the breach from the company to the partner.
- What is the joint regulatory and litigation exposure profile — and given that a class action was filed, what does that tell us about Security Safeguards and Data Volume upstream? — Rung 1 (Association). The graph encodes which dependencies exist between Org Maturity, Data Volume, Security Safeguards, Data Breach, and the two consequence nodes; entering observed evidence propagates to every connected node in both directions.
Reading the screenshots: a black check mark on a node means it has been set as observed evidence — a fact entered into the model, acting as a filter. A red check mark means it has been set as a do intervention — a decision applied to the model, severing the influence of its parents.
Reading the spec tables: each Run the Analysis block lists the exact steps to reproduce each screenshot in Bayes Server. The Obs / Do column uses three italic control tokens: *clear* — reset the model to a blank no-evidence state; *abduction step* — enter the factual observations that anchor the U nodes to this specific case; *use abduction result* — apply a do() intervention with the U nodes held from the abduction step.
What Would Total Exposure Have Been with a Functional Opt-Out?
“If the opt-out mechanism had been executing correctly for those fourteen months, what would our combined CPPA and class action exposure have been?”
This is Rung 3 because it conditions on a specific past event — not the average company with a defective opt-out, but this company, this breach, this class action — and asks what would have changed if one decision had been different. The model first anchors to everything that actually happened, then changes only the Opt-Out Execution node. Both enforcement paths update simultaneously because they share the Data Breach node upstream.
The opt-out defect contributed $4.3M of the $4.7M combined exposure. With a functional opt-out, the 340,000 records would not have been at the partner — and legitimately held data is a near-necessary condition for the class action to be viable. P(class action | functional opt-out, same partner breach) drops to 0.04. Expected total exposure: $0.4M. The backend defect is not just a compliance failure — it is a $4.3M quantified causal harm.
| Image | Obs / Do | Node | Set | Result |
|---|---|---|---|---|
| ccpa-cf-prior.png | — | Compliance Culture | 55% Strong / 45% Weak | |
| | — | Opt-Out Execution | 52.3% Compliant / 47.7% NonCompliant | |
| | — | Data Breach | 27.4% Yes / 72.6% No | |
| | — | CPPA Enforcement | 32.4% None / 32.8% Warning / 34.9% Fine | |
| | — | Private Litigation | 70.7% None / 15.3% Individual / 14.0% ClassAction | Free; query node |
| ccpa-cf-abduct.png | obs | Opt-Out Execution | NonCompliant | From investigation execution log |
| | obs | Data Breach | Yes | From partner breach notification |
| | obs | Private Litigation | ClassAction | U nodes update — incident background anchored |
| | — | Compliance Culture | 35.0% Strong / 65.0% Weak | Infers toward Weak |
| | — | CPPA Enforcement | 4.0% None / 17.9% Warning / 78.1% Fine | |
| ccpa-cf-compliant.png | do | Opt-Out Execution | Compliant | Severs Compliance Culture → OOE back-door |
| | — | Compliance Culture | 45.7% Strong / 54.3% Weak | Stays anchored |
| | — | CPPA Enforcement | 10.7% None / 36.9% Warning / 52.3% Fine | Drops |
| | — | Private Litigation | 0% ClassAction | Records not at partner; counterfactual exposure |
Prior joint exposure. CPPA fine 22%; class action 18%. Compliance Culture confounder at prior; U_OptOut and U_Breach at 50/50.
What Happens to Class Action Probability If We Implement Strong Security Safeguards?
“If we implement strong security safeguards at the company level, what does that do to our class action exposure — even if the opt-out defect is not yet fixed?”
This is Rung 2 because the goal is to predict the effect of a specific action — not to observe companies that happen to have strong safeguards, but to impose that safeguard level by decision. The problem with observational data is that strong safeguards tend to accompany high organizational maturity, which also tends to reduce breach probability through other paths. The do() operator separates the causal effect of the safeguard from that organizational confound by severing the edge from Org Maturity to Security Safeguards.
do(Security Safeguards = Strong) reduces class action probability from 52% to 3.2%. The private right of action requires that the breach resulted from the company’s own security failure. When company-level safeguards are strong, the causal attribution for the breach shifts to the partner’s inadequate security — which is outside the statutory scope of the private right. CPPA enforcement drops only modestly (78% to 71%) because the opt-out defect still drove consumer complaints through its own path. Combined exposure: $2.1M vs $4.7M — a $2.6M reduction from a safeguard fix rather than an opt-out fix.
| Image | Obs / Do | Node | Set | Result |
|---|---|---|---|---|
| ccpa-int-prior.png | — | Organization Maturity | 28% High / 42% Moderate / 30% Low | |
| | — | Security Safeguards | 25.6% Strong / 43.3% Adequate / 31.1% Weak | |
| | — | Data Breach | 27.4% Yes / 72.6% No | |
| | — | CPPA Enforcement | 34.9% Fine | |
| | — | Private Litigation | 14.0% ClassAction | |
| ccpa-int-strong-safeguards.png | do | Security Safeguards | Strong | OM → SS back-door severed |
| | — | Organization Maturity | 28% High | Stays at prior |
| | — | Data Breach | 10.8% Yes | Drops from 27.4% |
| | — | CPPA Enforcement | 35.7% Fine | Modest drop; opt-out path persists |
| | — | Private Litigation | 1.7% ClassAction | Drops from 14.0% |
| ccpa-int-obs-strong.png | obs | Security Safeguards | Strong | Back-door open — compare to do() |
| | — | Organization Maturity | 60.2% High | Inferred via back-door |
| | — | Opt-Out Execution | 64.4% Compliant | Improves via OM → OOE |
| | — | Private Litigation | 1.6% ClassAction | Slightly lower than do(); confounding |
Baseline joint exposure. Organization Maturity confounder at prior. Data Breach, CPPA enforcement, and class action at prior marginals.
What Is the Joint Exposure Profile — and What Does a Filed Class Action Reveal Upstream?
“Under our current compliance posture, what is the joint distribution over CPPA enforcement and private litigation? And given that a class action has been filed, what can we infer about our upstream state?”
At Rung 1 the model runs as a filter in both directions. Forward: enter organizational context as observed evidence and read the joint distribution over all consequence nodes. Backward (diagnostic): enter Private Litigation = ClassAction as observed evidence and read the posteriors on upstream nodes — the graph encodes which dependencies exist between Org Maturity, Security Safeguards, Data Volume, and Data Breach, so only nodes genuinely connected to the evidence update. Four slides show additive evidence entry: each additional observation narrows the upstream inference.
Setting Private Litigation = ClassAction as observed evidence pulls Security Safeguards to 68.7% Weak, Data Volume to 47.6% Large, Org Maturity to 54.1% Low, and Data Breach to 92.9% Yes. These are the upstream conditions the graph connects to class action outcomes — and they match exactly what the CPPA investigation found. The forward inference with Org Maturity = Low alone produces P(CPPA Fine) = 48.5%, P(Class Action) = 21.3% — nearly double the prior. This reconstruction is the diagnostic picture defense attorneys need before any deposition.
| Image | Obs / Do | Node | Set | Result |
|---|---|---|---|---|
| ccpa-diag-prior.png | — | CPPA Enforcement | 32.4% None / 32.8% Warning / 34.9% Fine | |
| | — | Private Litigation | 70.7% None / 15.3% Individual / 14.0% ClassAction | |
| ccpa-diag-maturity-low.png | obs | Organization Maturity | Low | |
| | — | Security Safeguards | 62.0% Weak | Degrades via OM |
| | — | Data Breach | 41.0% Yes | Up from 27.4% |
| | — | CPPA Enforcement | 53.7% Fine | Nearly doubles |
| | — | Private Litigation | 23.0% ClassAction | Up from 14.0% |
| ccpa-diag-class-action.png | obs | Private Litigation | ClassAction | Backward inference |
| | — | Organization Maturity | 49.3% Low / 38.8% Moderate / 11.9% High | |
| | — | Security Safeguards | 66.4% Weak | Infers toward worst |
| | — | Data Breach | 76.4% Yes | Near-certain |
| | — | Data Volume | 44.9% Large | Larger class inferred |
| ccpa-diag-both.png | obs | Organization Maturity | Low | |
| | obs | Private Litigation | ClassAction | Combined evidence — all upstream at worst-case |
| | — | Security Safeguards | 84.1% Weak | |
| | — | Opt-Out Execution | 79.1% NonCompliant | |
| | — | Data Breach | 81.6% Yes | |
| | — | CPPA Enforcement | 70.8% Fine | |
Prior marginals before any observed evidence is entered. All nodes at prior distribution.
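The three query shapes used across the three questions above (observe, do(), abduct-then-do) can be checked without Bayes Server. The Python below is an added example, not the article's model and not its numbers: it keeps the article's node names on a reduced graph (no Data Volume node, no Moderate/Adequate states, and Org Maturity is not a parent of Opt-Out Execution), every probability in it is constructed for illustration, and the U nodes are explicit root causes so that the *abduction step* and *use abduction result* tokens have a concrete meaning. The function names (`distribution`, `abduce`, `counterfactual`, `run_analysis`) are this example's own.

```python
"""Rung 1/2/3 queries on a small CCPA exposure network. Added example with constructed numbers."""
from itertools import product

CC, OM, SS, OOE, DB, PL, CE = ("Compliance Culture", "Org Maturity", "Security Safeguards",
                               "Opt-Out Execution", "Data Breach", "Private Litigation",
                               "CPPA Enforcement")
YN, SW, CN = ["Yes", "No"], ["Strong", "Weak"], ["Compliant", "NonCompliant"]

def cpt(domains, first, second, p_first):
    """Two-valued CPT from a function of the parent values; every number is constructed."""
    return {pa: {first: p_first(*pa), second: 1 - p_first(*pa)} for pa in product(*domains)}

# node -> (parents, CPT). The U_* roots are explicit exogenous causes, like U_OptOut and
# U_Breach in the article; the abduction step anchors them to the specific incident.
NET = {
    CC: ((), {(): {"Strong": 0.55, "Weak": 0.45}}),
    OM: ((), {(): {"High": 0.28, "Low": 0.72}}),
    "U_Safeguards": ((), {(): {"careful": 0.5, "lax": 0.5}}),
    "U_OptOut": ((), {(): {"sound": 0.5, "defective": 0.5}}),
    "U_Breach": ((), {(): {"resilient": 0.5, "prone": 0.5}}),
    "U_Litigation": ((), {(): {"quiet": 0.5, "litigious": 0.5}}),
    SS: ((OM, "U_Safeguards"), cpt([["High", "Low"], ["careful", "lax"]], *SW,
         lambda om, u: 0.1 + 0.5 * (om == "High") + 0.3 * (u == "careful"))),
    OOE: ((CC, "U_OptOut"), cpt([SW, ["sound", "defective"]], *CN,
          lambda cc, u: 0.2 + 0.4 * (cc == "Strong") + 0.3 * (u == "sound"))),
    # unexecuted opt-outs leave data at partners, which raises breach exposure
    DB: ((SS, OOE, "U_Breach"), cpt([SW, CN, ["resilient", "prone"]], *YN,
         lambda ss, ooe, u: 0.05 + 0.3 * (ss == "Weak") + 0.25 * (ooe == "NonCompliant")
         + 0.3 * (u == "prone"))),
    # a class action needs data that should not have been at the partner; with a
    # functional opt-out only a small residual risk remains
    PL: ((DB, SS, OOE, "U_Litigation"), cpt([YN, SW, CN, ["quiet", "litigious"]], "ClassAction", "None",
         lambda db, ss, ooe, u: (0.05 + 0.35 * (db == "Yes") + 0.2 * (ss == "Weak")
                                 + 0.3 * (u == "litigious")) if ooe == "NonCompliant"
         else 0.02 + 0.03 * (u == "litigious"))),
    CE: ((OOE, DB), cpt([CN, YN], "Fine", "None",
         lambda ooe, db: 0.1 + 0.4 * (ooe == "NonCompliant") + 0.3 * (db == "Yes"))),
}
NAMES = list(NET)
DOMAIN = {n: list(next(iter(t.values()))) for n, (_, t) in NET.items()}
EXOGENOUS = [n for n, (parents, _) in NET.items() if not parents]

def assignments(evidence, do):
    """Full assignments consistent with the evidence and do(), each with its joint weight.
    A do() node is clamped and its CPT factor dropped, which severs its parent edges."""
    fixed = {**evidence, **do}
    for values in product(*([fixed[n]] if n in fixed else DOMAIN[n] for n in NAMES)):
        a, w = dict(zip(NAMES, values)), 1.0
        for node, (parents, table) in NET.items():
            if node not in do:
                w *= table[tuple(a[p] for p in parents)][a[node]]
        yield a, w

def distribution(target, evidence=None, do=None):
    """Rung 1 (observe, 'obs') and Rung 2 (intervene, 'do'): posterior over `target`."""
    dist = {v: 0.0 for v in DOMAIN[target]}
    for a, w in assignments(evidence or {}, do or {}):
        dist[a[target]] += w
    total = sum(dist.values())
    return {v: p / total for v, p in dist.items()}

def abduce(evidence):
    """Abduction step: posterior over the joint state of every exogenous (root) node."""
    post = {}
    for a, w in assignments(evidence, {}):
        key = tuple(a[n] for n in EXOGENOUS)
        post[key] = post.get(key, 0.0) + w
    total = sum(post.values())
    return {k: w / total for k, w in post.items()}

def counterfactual(target, factual_evidence, do):
    """Rung 3 ('use abduction result'): hold the exogenous nodes at their abduced posterior,
    apply do(), and read `target` in that world (CPT noise not captured by a U node is resampled)."""
    result = {v: 0.0 for v in DOMAIN[target]}
    for u_state, p_u in abduce(factual_evidence).items():
        held = dict(zip(EXOGENOUS, u_state))
        for v, p in distribution(target, do={**do, **held}).items():
            result[v] += p_u * p
    return result

def run_analysis():
    """The article's three query shapes on the constructed network."""
    factual = {OOE: "NonCompliant", DB: "Yes", PL: "ClassAction"}  # abduction step
    return {
        "prior_class_action": distribution(PL)["ClassAction"],
        "rung1_maturity_high_given_strong": distribution(OM, {SS: "Strong"})["High"],
        "rung2_maturity_high_do_strong": distribution(OM, do={SS: "Strong"})["High"],
        "rung2_class_action_do_strong": distribution(PL, do={SS: "Strong"})["ClassAction"],
        "rung2_class_action_do_compliant": distribution(PL, do={OOE: "Compliant"})["ClassAction"],
        "rung3_class_action_do_compliant": counterfactual(PL, factual, {OOE: "Compliant"})["ClassAction"],
        "rung3_class_action_do_noncompliant": counterfactual(PL, factual, {OOE: "NonCompliant"})["ClassAction"],
    }

if __name__ == "__main__":
    print(*(f"{k:36s} {v:.3f}" for k, v in run_analysis().items()), sep="\n")
```

Two results are worth reading off when it runs. Under do(Security Safeguards = Strong) the Org Maturity marginal stays at its prior, while under the same value entered as observed evidence it moves up; that is the back-door distinction the second spec table draws between the do() and obs screenshots. And the counterfactual class-action probability with the opt-out fixed sits above the plain Rung 2 figure for do(Opt-Out Execution = Compliant), because the abduction step has already learned from the filed class action that the litigation noise node leans litigious. That ordering is what "use abduction result" buys over "clear" followed by a do().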
Download the Models
All models require Bayes Server (free edition available). See Download Models for the full library.
If your opt-out mechanism has never been tested end-to-end — link to backend to partner — the joint exposure from a CPPA investigation and a simultaneous class action is not currently in your risk register. A causal model computes it before the regulator does.
The models are free. What I provide is the judgment to build the right structure for your specific situation, encode your experts’ knowledge into it, and turn the output into decisions your board can act on. The discipline stays with your team.