Learn how to comply with the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA) when using Zenovay analytics.
What is CCPA/CPRA?
CCPA (California Consumer Privacy Act)
Effective January 2020, CCPA gives California residents:
- Right to know what data is collected
- Right to delete personal information
- Right to opt-out of data sales
- Right to non-discrimination
CPRA (California Privacy Rights Act)
Effective January 2023, CPRA enhances CCPA with:
- Right to correct inaccurate data
- Right to limit sensitive data use
- Created California Privacy Protection Agency
- Stricter rules for "sharing" data
Does CCPA Apply to You?
CCPA applies if you meet ANY threshold:
| Threshold | Requirement |
|---|---|
| Revenue | $25M+ annual gross revenue |
| Data volume | Buy/sell 100K+ consumer records |
| Data revenue | 50%+ revenue from selling data |
"Consumer" Definition
A California resident, defined as anyone who:
- Is in California for other than temporary purpose
- Lives in California but is temporarily outside
Zenovay and CCPA
Data We Collect
Under CCPA, this is "personal information":
| Category | Examples | Collected? |
|---|---|---|
| Identifiers | IP address, device ID | Optional |
| Internet activity | Browsing history, clicks | Yes |
| Geolocation | Country, city | Yes |
| Inferences | Visitor segments | Optional |
Do We "Sell" Data?
No. Zenovay does not:
- Sell visitor data to third parties
- Share data for cross-context advertising
- Transfer data for monetary consideration
We are a service provider under CCPA.
CCPA Consumer Rights
Right to Know (1798.100)
Consumers can request:
- Categories of data collected
- Specific pieces of data
- Sources of data
- Business purpose
- Third parties shared with
Implementation:
Most Zenovay analytics is aggregated and not tied to a named individual, so a "specific pieces of data" request usually maps to the records associated with a visitor.
To retrieve visitor records programmatically, use the REST API (available on Pro and above):
# Retrieve visitor records for a website
curl -X GET "https://api.zenovay.com/api/external/v1/analytics/{websiteId}/visitors" \
-H "X-API-Key: zv_YOUR_API_KEY"
If you also need a copy of your own Zenovay account data (your profile, websites, team memberships, and audit trail), open your Profile and use Download my data to generate a JSON export — this is available on every plan.
Right to Delete (1798.105)
Consumers can request deletion of their data.
Implementation:
Most Zenovay analytics is anonymous and aggregated, so a consumer's deletion request usually maps to the records associated with their visits rather than a named profile. Zenovay does not currently offer a self-serve "delete a single visitor" action, so to action a per-visitor erasure request, contact Zenovay support at [email protected] with the relevant details and we'll process it.
To delete your entire Zenovay account and all of its associated data, open your Profile, find Delete account, type DELETE to confirm, and submit. This permanently removes your account, your tracked websites, and the analytics data Zenovay holds for them.
Right to Opt-Out (1798.120)
Consumers can opt-out of data "sales."
While Zenovay doesn't sell data, honor opt-outs:
// Respect opt-out signal
if (navigator.globalPrivacyControl) {
// Don't load analytics or use minimal tracking
console.log('GPC signal detected');
}
Right to Non-Discrimination (1798.125)
Cannot treat consumers differently for exercising rights:
- No different prices
- No different service quality
- No denial of service
Privacy Notice Requirements
Required Disclosures
Your privacy policy must include:
## Information We Collect
We collect the following categories of personal information:
| Category | Examples | Source |
|----------|----------|--------|
| Identifiers | IP address, cookies | Directly |
| Internet activity | Pages visited, clicks | Automatically |
| Geolocation | City, country | Derived from IP |
## How We Use Information
- Analyze website traffic
- Improve user experience
- Detect and prevent fraud
## Third Party Service Providers
We use Zenovay Analytics to process website usage data.
Zenovay acts as a service provider under CCPA and does
not sell your personal information.
## Your Rights
California residents have the right to:
- Know what data we collect
- Delete your data
- Opt-out of data sales (we don't sell data)
- Not be discriminated against
To exercise these rights, contact us at: [email protected]
"Do Not Sell My Personal Information" Link
Even if you don't sell data, consider adding:
<footer>
<a href="/privacy#do-not-sell">
Do Not Sell or Share My Personal Information
</a>
</footer>
Global Privacy Control (GPC)
What is GPC?
A browser signal indicating opt-out preference:
- Supported by Firefox, Brave, DuckDuckGo
- CCPA and CPRA recognize GPC signals
- Must be honored for California consumers
Detecting GPC
// Check for GPC signal
if (navigator.globalPrivacyControl) {
// User has opted out
handleOptOut();
}
function handleOptOut() {
// Option 1: Don't load analytics at all
// Option 2: Load Zenovay normally — it honors the GPC signal automatically
const script = document.createElement('script');
script.src = 'https://api.zenovay.com/z.js';
script.setAttribute('data-tracking-code', 'YOUR_TRACKING_CODE');
document.head.appendChild(script);
}
Zenovay GPC Support
Zenovay respects GPC signals by default. No special attribute is needed:
<script
defer
data-tracking-code="YOUR_TRACKING_CODE"
src="https://api.zenovay.com/z.js"
></script>
When a GPC signal is detected, tracking is automatically adjusted to respect the opt-out preference.
Request Handling Process
Verification
Before processing requests:
- Verify consumer identity
- Confirm California residency (reasonable belief)
- Match to data in system
Timeline
| Action | Deadline |
|---|---|
| Confirm receipt | 10 business days |
| Respond to request | 45 calendar days |
| Extension if needed | +45 days (notify consumer) |
Request Methods
Accept requests via:
- Toll-free number (if you have one)
- Website form
- Email address
- Designated portal
Service Provider Agreement
Requirements
Zenovay acts as a service provider, meaning:
- We process data on your behalf
- We don't use data for our own purposes
- We follow your instructions
- We maintain confidentiality
Agreement Contents
Our service provider agreement includes:
- Definition of business purpose
- Prohibition on selling data
- Obligation to assist with requests
- Subcontractor requirements
- Deletion obligations
Obtaining the Agreement
Zenovay's Data Processing Agreement (which covers our role as a service provider) is published on the legal pages at zenovay.com/legal. If you need a countersigned copy for your records, contact us at [email protected].
Opt-Out Implementation
Cookie Banner
// CCPA-compliant cookie notice
function showCCPANotice() {
const notice = document.createElement('div');
notice.innerHTML = `
<div class="ccpa-notice">
<p>We use analytics to understand how visitors use our site.</p>
<button onclick="acceptCCPA()">Accept</button>
<button onclick="optOutCCPA()">Opt-Out</button>
<a href="/privacy">Learn More</a>
</div>
`;
document.body.appendChild(notice);
}
function optOutCCPA() {
localStorage.setItem('ccpa_opt_out', 'true');
// Reload without analytics or switch to privacy mode
}
"Do Not Track" Signals
CCPA doesn't require honoring DNT, but Zenovay respects DNT by default. No attribute is needed. If you want to override DNT and track anyway, use:
<script
defer
data-tracking-code="YOUR_TRACKING_CODE"
data-ignore-dnt="true"
src="https://api.zenovay.com/z.js"
></script>
Data Retention
Requirements
- Collect only what's needed
- Retain only as long as necessary
- Disclose retention periods
Retention in Zenovay
Analytics data retention is set by your plan, and older data is purged automatically:
| Plan | Analytics retention |
|---|---|
| Free | 1 year |
| Pro | 2 years |
| Scale | 4 years |
| Enterprise | Custom |
Enterprise plans can request a custom retention window. To shorten retention on the other plans, delete the relevant website or your account, which removes its data.
Employee Training
Train staff on:
- Recognizing CCPA requests
- Verification procedures
- Response timelines
- Escalation process
Penalties
Enforcement
California Attorney General can impose:
| Violation Type | Fine per Violation |
|---|---|
| Unintentional | $2,500 |
| Intentional | $7,500 |
Private Right of Action
For data breaches, consumers can sue for:
- $100-$750 per incident
- Actual damages (if greater)
- Injunctive relief
Compliance Checklist
Documentation
- Update privacy policy with CCPA disclosures
- Create "Do Not Sell" link (recommended)
- Document data collection practices
- Sign service provider agreement
Technical
- Implement GPC detection
- Create request handling workflow
- Set up data export capability
- Configure data deletion
Organizational
- Train customer service team
- Designate privacy contact
- Create request tracking system
- Document verification procedures
CCPA vs GDPR Comparison
| Aspect | CCPA | GDPR |
|---|---|---|
| Scope | California consumers | EU residents |
| Lawful basis | Opt-out model | Opt-in consent |
| Fines | Per violation | % of revenue |
| Private action | Data breaches only | Limited |
| Regulator | CA Attorney General | DPAs |
Best Practices
- Honor GPC signals - Required under CPRA
- Easy opt-out - Don't make it difficult
- Clear disclosures - Plain language
- Prompt responses - Meet deadlines
- Document everything - Keep records