CCPA/CPRA Information

Last Updated: January 30, 2023

The California Consumer Privacy Act (CCPA) is a data privacy law that establishes various rights and protections for California state residents’ Personal Information. The CCPA also imposes corresponding obligations on Businesses who handle such Personal Information.

The California Privacy Rights Act (CPRA) amends and expands the scope of the CCPA.

How is Personal Information Defined?

The CCPA/CPRA defines Personal Information as information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household such as a real name, alias, postal address, unique personal identifier, online identifier, Internet Protocol address, email address, account name, social security number, driver's license number, passport number, or other similar identifiers.

The CCPA/CPRA does not consider the following to be Personal Information:

  • Publicly available information (but, not including biometric information collected by a business about a consumer without the consumer's knowledge);
  • Information that is lawfully obtained, truthful, and a matter of public concern; or,
  • Information that is deidentified or aggregate consumer information.

What Does the CPRA Define As Sensitive Personal Information?

The CPRA defines Sensitive Personal Information (SPI) as information that reveals:

  • a consumer’s social security, driver’s license, state identification card, or passport number;
  • a consumer’s account log-in, financial account, debit card, or credit card number in combination with any required security or access code, password, or credentials allowing access to an account;
  • a consumer’s precise geolocation;
  • a consumer’s racial or ethnic origin, religious or philosophical beliefs, or union membership;
  • the contents of a consumer’s mail, email and text messages, unless the business is the intended recipient of the communication; or,
  • a consumer’s genetic data.

SPI also includes:

  • The processing of biometric information for the purpose of uniquely identifying a consumer;
  • Personal information collected and analyzed concerning a consumer's health; or
  • Personal information collected and analyzed concerning a consumer's sex life or sexual orientation.


The rights bestowed on California consumers include:

Right to Know

The right to know what personal information businesses are collecting about consumers and how that information is being used and shared.

Right to Delete

The right to delete personal information held by businesses.

Right to Stop Sale

The right to stop the sale of personal information by businesses.

Right to Non-Discrimination

The right to nondiscrimination in service and price when exercising privacy rights.

Right to Correct

The right to request correction of Personal Information if it is inaccurate.

Right to Limit Use and Disclosure

The right to limit the use and disclosure of SPI for specific secondary purposes, including disclosure to third parties.

What Is a Business?

A for-profit legal entity that:

  • Does business in the State of California;
  • Collects consumers' personal information, or has such information collected on its behalf;
  • Alone or jointly with others determines the purposes or means of processing of that data; and,
  • Satisfies at least one of the following thresholds:
      1. Has annual gross revenues in excess of $25 million;
      2. Buys or sells the personal information of 100,000 or more consumers, households, or devices; or,
      3. Earns more than half of its annual revenue from selling consumers' personal information.

While is not considered a Business under this definition, we are a Service Provider for customers who are Businesses and store Personal Information on

What Is a Service Provider?

A Service Provider is defined as a for-profit legal entity that processes Personal Information on behalf of a Business pursuant to a written contract for a business purpose. Businesses may use Service Providers and share Personal Information with them. It is not considered a sale of Personal Information if:

  • The sharing of personal information is necessary to perform a business purpose;
  • The Business has provided notice that the information is being used or shared; and,
  • The Service Provider does not further collect, sell or use the personal information of the consumer except as necessary to perform the business purpose.

Service Provider Addendum

For customers who are Businesses and will be storing Personal Information on, we have a standard Service Provider Addendum. Contact us for a copy of this Addendum.

Mandated Data Security Measures

Not only does the CCPA/CPRA highlight privacy concerns, it also mandates “the duty to implement and maintain reasonable security procedures and practices” to protect Personal Information. While the California Attorney General’s office does not require a specific security model, framework, or standard, they published a “Data Breach Report” in 2016 which analyzed the recent history of data breaches across industries and identified security lapses that led to those breaches.

The report listed safeguards that the then-current Attorney General viewed as constituting reasonable security practices, emphasizing a set of twenty data security controls published by the Center for Internet Security (commonly referred to as the “CIS Top 20”).

Features Useful for CCPA/CPRA Compliance

provides world-class features and tools which allow an organization to meet their own privacy and security policies, procedures, standards, baselines and guidelines.

Below are just a few such features that Businesses concerned with CCPA/CPRA Compliance may find useful, including a relevant CIS Top 20 Control:

| Feature | CIS Top 20 Control |
|---|---|
| Security Bug Bounty | Continuous Vulnerability Management |
| Penetration Testing | Continuous Vulnerability Management |
| Full management delegation and group administration | Controlled Use of Administrative Privileges |
| Provision, authenticate, and authorize users via LDAP, Active Directory, Azure, ADFS, Okta, OneLogin, Auth0, and many other identity providers | Controlled Use of Administrative Privileges |
| Enterprise Identity Management features even work with our Desktop app, unlike competing products | Controlled Use of Administrative Privileges |
| Live searchable logs of all operations. Logs are retained in live searchable format for up to 7 years (and can optionally be retained in text format forever) | Controlled Use of Administrative Privileges |
| Connect via all standard protocols including FTP, SFTP, FTPS, FTPES, WebDAV, Zapier, Microsoft Flow, our REST API, and SDKs available in many languages | Limitation and Control of Network Ports, Protocols and Services |
| Custom Inboxes allow anyone to securely send your company files even without an account | Limitation and Control of Network Ports, Protocols and Services |
| Share Links allow your company to share files outbound to anyone without them having an account, and support expiration dates, notes, descriptions, and individual passwords for security | Limitation and Control of Network Ports, Protocols and Services |
| Flexible data retention management with custom data retention windows for each user, group, or folder. Content type policy enforcement | Data Recovery Capabilities |
| Encryption-at-rest and support for optional customer-managed GPG keys | Data Protection |
| Strong encryption in transit with a free custom SSL certificate for your custom domain | Data Protection |
| REST API and SDKs for many popular programming languages. All features (including 2FA and SSO) are supported in the API | Data Protection |
| Highly configurable security settings including password policies, session policies, 2FA policies, and brute force rules | Account Monitoring and Control |
| Wide variety of 2FA support: Yubikey, FIDO/U2F, Google Authenticator, Duo, Authy, and SMS | Account Monitoring and Control |

For a full listing of features, please visit our Features page.

Talk to Us

If you have any questions about storing or transferring Personal Information protected under CCPA/CPRA on your account, you can contact us.

The information provided on this website does not, and is not intended to, constitute legal advice; instead, all information and content available on this site are for general informational purposes only. Readers of this website are responsible for making their own independent assessment and should contact their attorney to obtain advice with respect to any particular legal matter, including compliance with any applicable state or local laws or regulations.
