CCPA Compliance

Comply with California Consumer Privacy Act (CCPA) requirements for website analytics and visitor data.

Learn how to comply with the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA) when using Zenovay analytics.

What is CCPA/CPRA?

CCPA (California Consumer Privacy Act)

Effective January 2020, CCPA gives California residents:

  • Right to know what data is collected
  • Right to delete personal information
  • Right to opt-out of data sales
  • Right to non-discrimination

CPRA (California Privacy Rights Act)

Effective January 2023, CPRA enhances CCPA with:

  • Right to correct inaccurate data
  • Right to limit sensitive data use
  • Created California Privacy Protection Agency
  • Stricter rules for "sharing" data

Does CCPA Apply to You?

CCPA applies if you meet ANY threshold:

| Threshold | Requirement |
|-----------|-------------|
| Revenue | $25M+ annual gross revenue |
| Data volume | Buy/sell 100K+ consumer records |
| Data revenue | 50%+ revenue from selling data |

"Consumer" Definition

A California resident, defined as anyone who:

  • Is in California for other than a temporary purpose
  • Lives in California but is temporarily outside

Zenovay and CCPA

Data We Collect

Under CCPA, this is "personal information":

| Category | Examples | Collected? |
|----------|----------|------------|
| Identifiers | IP address, device ID | Optional |
| Internet activity | Browsing history, clicks | Yes |
| Geolocation | Country, city | Yes |
| Inferences | Visitor segments | Optional |

Do We "Sell" Data?

No. Zenovay does not:

  • Sell visitor data to third parties
  • Share data for cross-context advertising
  • Transfer data for monetary consideration

We are a service provider under CCPA.

CCPA Consumer Rights

Right to Know (1798.100)

Consumers can request:

  • Categories of data collected
  • Specific pieces of data
  • Sources of data
  • Business purpose
  • Third parties shared with

Implementation:

Use the Zenovay dashboard to fulfill data access requests:

  1. Go to Settings → Privacy → Data Export
  2. Enter the consumer's identifier (user ID or email)
  3. Generate and download the export in JSON or CSV format

You can also retrieve analytics data programmatically:

# Retrieve visitor analytics data for a website
curl -X GET "https://api.zenovay.com/api/external/v1/analytics/{websiteId}/visitors" \
  -H "X-API-Key: zv_YOUR_API_KEY"

Right to Delete (1798.105)

Consumers can request deletion of their data.

Implementation:

Use the Zenovay dashboard to process deletion requests:

  1. Go to Settings → Security → Data Deletion
  2. Enter the consumer's identifier (user ID or email)
  3. Review the data to be deleted
  4. Confirm deletion

Right to Opt-Out (1798.120)

Consumers can opt-out of data "sales."

Although Zenovay doesn't sell data, you should still honor opt-out signals:

// Respect opt-out signal
if (navigator.globalPrivacyControl) {
  // Don't load analytics or use minimal tracking
  console.log('GPC signal detected');
}

Right to Non-Discrimination (1798.125)

You cannot treat consumers differently for exercising their rights:

  • No different prices
  • No different service quality
  • No denial of service

Privacy Notice Requirements

Required Disclosures

Your privacy policy must include:

## Information We Collect

We collect the following categories of personal information:

| Category | Examples | Source |
|----------|----------|--------|
| Identifiers | IP address, cookies | Directly |
| Internet activity | Pages visited, clicks | Automatically |
| Geolocation | City, country | Derived from IP |

## How We Use Information

- Analyze website traffic
- Improve user experience
- Detect and prevent fraud

## Third Party Service Providers

We use Zenovay Analytics to process website usage data.
Zenovay acts as a service provider under CCPA and does
not sell your personal information.

## Your Rights

California residents have the right to:
- Know what data we collect
- Delete your data
- Opt-out of data sales (we don't sell data)
- Not be discriminated against

To exercise these rights, contact us at: privacy@example.com

Even if you don't sell data, consider adding a "Do Not Sell or Share My Personal Information" link to your site footer:

<footer>
  <a href="/privacy#do-not-sell">
    Do Not Sell or Share My Personal Information
  </a>
</footer>

Global Privacy Control (GPC)

What is GPC?

A browser signal indicating opt-out preference:

  • Supported by Firefox, Brave, DuckDuckGo
  • CCPA and CPRA recognize GPC signals
  • Must be honored for California consumers

Detecting GPC

// Check for GPC signal
if (navigator.globalPrivacyControl) {
  // User has opted out
  handleOptOut();
}

function handleOptOut() {
  // Option 1: Don't load analytics at all
  // Option 2: Load analytics (privacy mode can be enabled in dashboard Settings)
  const script = document.createElement('script');
  script.src = 'https://api.zenovay.com/z.js';
  script.setAttribute('data-tracking-code', 'YOUR_TRACKING_CODE');
  document.head.appendChild(script);
}

Zenovay GPC Support

Zenovay respects GPC signals by default. No special attribute is needed:

<script
  defer
  data-tracking-code="YOUR_TRACKING_CODE"
  src="https://api.zenovay.com/z.js"
></script>

When a GPC signal is detected, tracking is automatically adjusted to respect the opt-out preference.

Request Handling Process

Verification

Before processing requests:

  1. Verify consumer identity
  2. Confirm California residency (reasonable belief)
  3. Match to data in system

Timeline

| Action | Deadline |
|--------|----------|
| Confirm receipt | 10 business days |
| Respond to request | 45 calendar days |
| Extension if needed | +45 days (notify consumer) |

Request Methods

Accept requests via:

  • Toll-free number (if you have one)
  • Website form
  • Email address
  • Designated portal

Service Provider Agreement

Requirements

Zenovay acts as a service provider, meaning:

  • We process data on your behalf
  • We don't use data for our own purposes
  • We follow your instructions
  • We maintain confidentiality

Agreement Contents

Our service provider agreement includes:

  • Definition of business purpose
  • Prohibition on selling data
  • Obligation to assist with requests
  • Subcontractor requirements
  • Deletion obligations

Obtaining Agreement

  1. Go to Settings → Legal
  2. Click Service Provider Agreement
  3. Review and sign
  4. Download copy

Opt-Out Implementation

// CCPA-compliant cookie notice
function showCCPANotice() {
  const notice = document.createElement('div');
  notice.innerHTML = `
    <div class="ccpa-notice">
      <p>We use analytics to understand how visitors use our site.</p>
      <button onclick="acceptCCPA()">Accept</button>
      <button onclick="optOutCCPA()">Opt-Out</button>
      <a href="/privacy">Learn More</a>
    </div>
  `;
  document.body.appendChild(notice);
}

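// Handler for the Accept button referenced in the notice markup
function acceptCCPA() {
  localStorage.setItem('ccpa_opt_out', 'false');
  document.querySelector('.ccpa-notice')?.remove();
}

// Handler for the Opt-Out button: persist the choice and dismiss the notice
function optOutCCPA() {
  localStorage.setItem('ccpa_opt_out', 'true');
  document.querySelector('.ccpa-notice')?.remove();
  // Reload without analytics or switch to privacy mode
}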

"Do Not Track" Signals

CCPA doesn't require honoring DNT, but Zenovay respects DNT by default. No attribute is needed. If you want to override DNT and track anyway, use:

<script
  defer
  data-tracking-code="YOUR_TRACKING_CODE"
  data-ignore-dnt="true"
  src="https://api.zenovay.com/z.js"
></script>
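
The opt-out handler above stores `ccpa_opt_out`, but nothing on this page reads it back before the script tag is injected. The following is an added example, not Zenovay's code: one way to gate the loader on the stored opt-out, the GPC signal, and DNT. The function names `analyticsDecision` and `loadAnalytics` are hypothetical, and declining to track when storage is unreadable is an assumption of this sketch.

```javascript
// Added example (not Zenovay's code). analyticsDecision and loadAnalytics
// are hypothetical names; the script URL, attributes and 'ccpa_opt_out'
// key are the ones used on this page.

// Decide whether the analytics script may load for this visitor.
// `win` is a window-like object so the logic can run outside a browser.
function analyticsDecision(win, opts = {}) {
  let stored;
  try {
    // Reading localStorage can throw when storage is blocked.
    stored = win.localStorage.getItem('ccpa_opt_out');
  } catch (err) {
    // Design choice (assumption): if the opt-out cannot be read, do not track.
    return { load: false, reason: 'storage-unavailable' };
  }
  // An explicit opt-out recorded by optOutCCPA() always wins.
  if (stored === 'true') return { load: false, reason: 'stored-opt-out' };

  const nav = win.navigator || {};
  // GPC is exposed as a boolean; undefined in browsers without support.
  if (nav.globalPrivacyControl === true) return { load: false, reason: 'gpc' };
  // DNT is the string "1" when enabled; skipped only when the site chose
  // to ignore it (the data-ignore-dnt="true" case).
  if (nav.doNotTrack === '1' && !opts.ignoreDnt) {
    return { load: false, reason: 'dnt' };
  }
  return { load: true, reason: 'no-opt-out-signal' };
}

// Inject the tracking script only when the decision allows it.
function loadAnalytics(doc, trackingCode, decision, opts = {}) {
  if (!decision.load) return null;
  const script = doc.createElement('script');
  script.defer = true;
  script.src = 'https://api.zenovay.com/z.js';
  script.setAttribute('data-tracking-code', trackingCode);
  if (opts.ignoreDnt) script.setAttribute('data-ignore-dnt', 'true');
  doc.head.appendChild(script);
  return script;
}

// Browser entry point; skipped when the file runs under Node.
if (typeof window !== 'undefined' && typeof document !== 'undefined') {
  loadAnalytics(document, 'YOUR_TRACKING_CODE', analyticsDecision(window));
}
```

Logging the returned `reason` alongside each page load gives you a record of why analytics was or was not loaded, which helps when documenting how opt-outs are honored.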

Data Retention

Requirements

  • Collect only what's needed
  • Retain only as long as necessary
  • Disclose retention periods

Configuration

Set retention in Zenovay:

  1. Go to Settings → Privacy
  2. Set retention period
  3. Data auto-deletes after period

Employee Training

Train staff on:

  • Recognizing CCPA requests
  • Verification procedures
  • Response timelines
  • Escalation process

Penalties

Enforcement

The California Attorney General can impose:

| Violation Type | Fine per Violation |
|----------------|--------------------|
| Unintentional | $2,500 |
| Intentional | $7,500 |

Private Right of Action

For data breaches, consumers can sue for:

  • $100-$750 per incident
  • Actual damages (if greater)
  • Injunctive relief

Compliance Checklist

Documentation

  • Update privacy policy with CCPA disclosures
  • Create "Do Not Sell" link (recommended)
  • Document data collection practices
  • Sign service provider agreement

Technical

  • Implement GPC detection
  • Create request handling workflow
  • Set up data export capability
  • Configure data deletion

Organizational

  • Train customer service team
  • Designate privacy contact
  • Create request tracking system
  • Document verification procedures

CCPA vs GDPR Comparison

| Aspect | CCPA | GDPR |
|--------|------|------|
| Scope | California consumers | EU residents |
| Lawful basis | Opt-out model | Opt-in consent |
| Fines | Per violation | % of revenue |
| Private action | Data breaches only | Limited |
| Regulator | CA Attorney General | DPAs |

Best Practices

  1. Honor GPC signals - Required under CPRA
  2. Easy opt-out - Don't make it difficult
  3. Clear disclosures - Plain language
  4. Prompt responses - Meet deadlines
  5. Document everything - Keep records
