Learn how to comply with the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA) when using Zenovay analytics.
What is CCPA/CPRA?
CCPA (California Consumer Privacy Act)
Effective January 2020, CCPA gives California residents:
- Right to know what data is collected
- Right to delete personal information
- Right to opt-out of data sales
- Right to non-discrimination
CPRA (California Privacy Rights Act)
Effective January 2023, CPRA enhances CCPA with:
- Right to correct inaccurate data
- Right to limit sensitive data use
- Created California Privacy Protection Agency
- Stricter rules for "sharing" data
Does CCPA Apply to You?
CCPA applies if you meet ANY threshold:
| Threshold | Requirement |
|---|---|
| Revenue | $25M+ annual gross revenue |
| Data volume | Buy/sell 100K+ consumer records |
| Data revenue | 50%+ revenue from selling data |
"Consumer" Definition
A California resident, defined as anyone who:
- Is in California for other than temporary purpose
- Lives in California but is temporarily outside
Zenovay and CCPA
Data We Collect
Under CCPA, this is "personal information":
| Category | Examples | Collected? |
|---|---|---|
| Identifiers | IP address, device ID | Optional |
| Internet activity | Browsing history, clicks | Yes |
| Geolocation | Country, city | Yes |
| Inferences | Visitor segments | Optional |
Do We "Sell" Data?
No. Zenovay does not:
- Sell visitor data to third parties
- Share data for cross-context advertising
- Transfer data for monetary consideration
We are a service provider under CCPA.
CCPA Consumer Rights
Right to Know (1798.100)
Consumers can request:
- Categories of data collected
- Specific pieces of data
- Sources of data
- Business purpose
- Third parties shared with
Implementation:
Use the Zenovay dashboard to fulfill data access requests:
- Go to Settings → Privacy → Data Export
- Enter the consumer's identifier (user ID or email)
- Generate and download the export in JSON or CSV format
You can also retrieve analytics data programmatically:
# Retrieve visitor analytics data for a website
curl -X GET "https://api.zenovay.com/api/external/v1/analytics/{websiteId}/visitors" \
-H "X-API-Key: zv_YOUR_API_KEY"
Right to Delete (1798.105)
Consumers can request deletion of their data.
Implementation:
Use the Zenovay dashboard to process deletion requests:
- Go to Settings → Security → Data Deletion
- Enter the consumer's identifier (user ID or email)
- Review the data to be deleted
- Confirm deletion
Right to Opt-Out (1798.120)
Consumers can opt-out of data "sales."
While Zenovay doesn't sell data, honor opt-outs:
// Respect opt-out signal
if (navigator.globalPrivacyControl) {
// Don't load analytics or use minimal tracking
console.log('GPC signal detected');
}
Right to Non-Discrimination (1798.125)
Cannot treat consumers differently for exercising rights:
- No different prices
- No different service quality
- No denial of service
Privacy Notice Requirements
Required Disclosures
Your privacy policy must include:
## Information We Collect
We collect the following categories of personal information:
| Category | Examples | Source |
|----------|----------|--------|
| Identifiers | IP address, cookies | Directly |
| Internet activity | Pages visited, clicks | Automatically |
| Geolocation | City, country | Derived from IP |
## How We Use Information
- Analyze website traffic
- Improve user experience
- Detect and prevent fraud
## Third Party Service Providers
We use Zenovay Analytics to process website usage data.
Zenovay acts as a service provider under CCPA and does
not sell your personal information.
## Your Rights
California residents have the right to:
- Know what data we collect
- Delete your data
- Opt-out of data sales (we don't sell data)
- Not be discriminated against
To exercise these rights, contact us at: privacy@example.com
"Do Not Sell My Personal Information" Link
Even if you don't sell data, consider adding:
<footer>
<a href="/privacy#do-not-sell">
Do Not Sell or Share My Personal Information
</a>
</footer>
Global Privacy Control (GPC)
What is GPC?
A browser signal indicating opt-out preference:
- Supported by Firefox, Brave, DuckDuckGo
- CCPA and CPRA recognize GPC signals
- Must be honored for California consumers
Detecting GPC
// Check for GPC signal
if (navigator.globalPrivacyControl) {
// User has opted out
handleOptOut();
}
function handleOptOut() {
// Option 1: Don't load analytics at all
// Option 2: Load analytics (privacy mode can be enabled in dashboard Settings)
const script = document.createElement('script');
script.src = 'https://api.zenovay.com/z.js';
script.setAttribute('data-tracking-code', 'YOUR_TRACKING_CODE');
document.head.appendChild(script);
}
Zenovay GPC Support
Zenovay respects GPC signals by default. No special attribute is needed:
<script
defer
data-tracking-code="YOUR_TRACKING_CODE"
src="https://api.zenovay.com/z.js"
></script>
When a GPC signal is detected, tracking is automatically adjusted to respect the opt-out preference.
Request Handling Process
Verification
Before processing requests:
- Verify consumer identity
- Confirm California residency (reasonable belief)
- Match to data in system
Timeline
| Action | Deadline |
|---|---|
| Confirm receipt | 10 business days |
| Respond to request | 45 calendar days |
| Extension if needed | +45 days (notify consumer) |
Request Methods
Accept requests via:
- Toll-free number (if you have one)
- Website form
- Email address
- Designated portal
Service Provider Agreement
Requirements
Zenovay acts as a service provider, meaning:
- We process data on your behalf
- We don't use data for our own purposes
- We follow your instructions
- We maintain confidentiality
Agreement Contents
Our service provider agreement includes:
- Definition of business purpose
- Prohibition on selling data
- Obligation to assist with requests
- Subcontractor requirements
- Deletion obligations
Obtaining Agreement
- Go to Settings → Legal
- Click Service Provider Agreement
- Review and sign
- Download copy
Opt-Out Implementation
Cookie Banner
// CCPA-compliant cookie notice
function showCCPANotice() {
const notice = document.createElement('div');
notice.innerHTML = `
<div class="ccpa-notice">
<p>We use analytics to understand how visitors use our site.</p>
<button onclick="acceptCCPA()">Accept</button>
<button onclick="optOutCCPA()">Opt-Out</button>
<a href="/privacy">Learn More</a>
</div>
`;
document.body.appendChild(notice);
}
function optOutCCPA() {
localStorage.setItem('ccpa_opt_out', 'true');
// Reload without analytics or switch to privacy mode
}
"Do Not Track" Signals
CCPA doesn't require honoring DNT, but Zenovay respects DNT by default. No attribute is needed. If you want to override DNT and track anyway, use:
<script
defer
data-tracking-code="YOUR_TRACKING_CODE"
data-ignore-dnt="true"
src="https://api.zenovay.com/z.js"
></script>
Data Retention
Requirements
- Collect only what's needed
- Retain only as long as necessary
- Disclose retention periods
Configuration
Set retention in Zenovay:
- Go to Settings → Privacy
- Set retention period
- Data auto-deletes after period
Employee Training
Train staff on:
- Recognizing CCPA requests
- Verification procedures
- Response timelines
- Escalation process
Penalties
Enforcement
California Attorney General can impose:
| Violation Type | Fine per Violation |
|---|---|
| Unintentional | $2,500 |
| Intentional | $7,500 |
Private Right of Action
For data breaches, consumers can sue for:
- $100-$750 per incident
- Actual damages (if greater)
- Injunctive relief
Compliance Checklist
Documentation
- Update privacy policy with CCPA disclosures
- Create "Do Not Sell" link (recommended)
- Document data collection practices
- Sign service provider agreement
Technical
- Implement GPC detection
- Create request handling workflow
- Set up data export capability
- Configure data deletion
Organizational
- Train customer service team
- Designate privacy contact
- Create request tracking system
- Document verification procedures
CCPA vs GDPR Comparison
| Aspect | CCPA | GDPR |
|---|---|---|
| Scope | California consumers | EU residents |
| Lawful basis | Opt-out model | Opt-in consent |
| Fines | Per violation | % of revenue |
| Private action | Data breaches only | Limited |
| Regulator | CA Attorney General | DPAs |
Best Practices
- Honor GPC signals - Required under CPRA
- Easy opt-out - Don't make it difficult
- Clear disclosures - Plain language
- Prompt responses - Meet deadlines
- Document everything - Keep records