CCPA Compliance
Disclaimer: The information below is not legal advice, and we don't accept any legal liability. We have received our own legal advice, and this page is our interpretation of the law. If you have any concerns regarding CCPA compliance, please forward this page to your legal team.
What is CCPA?
The California Consumer Privacy Act (CCPA), as amended and strengthened by the California Privacy Rights Act (CPRA) effective January 2023, is the most significant consumer privacy law in the United States. It grants California residents specific rights over their personal information and places obligations on businesses that collect, use, or disclose that information.
The law guarantees the following rights to California consumers:
- Right to know what personal information a business collects about them, how it is used, and with whom it is shared
- Right to delete personal information collected from them (with limited exceptions)
- Right to opt-out of the sale or sharing of their personal information. CPRA extended this to cover "sharing" for cross-context behavioural advertising, regardless of monetary exchange
- Right to non-discrimination for exercising CCPA rights
- Right to correct inaccurate personal information (added by CPRA)
- Right to limit use of sensitive personal information (added by CPRA)
CCPA is a landmark law, and California has historically led the rest of the United States on digital privacy. Similar laws have since passed in Colorado, Virginia, Connecticut, Texas, and other states, with GPC compliance now legally mandated across several of them.
Do I need to comply with CCPA?
CCPA applies to for-profit businesses that do business in California and meet any one of the following thresholds (as amended by CPRA):
- Have $25 million or more in annual gross revenue
- Buy, sell, or receive for commercial purposes the personal information of 100,000 or more California consumers or households per year
- Derive more than 50% of annual revenue from selling or sharing California consumers' personal information
"Doing business in California" is not limited to companies physically located there. If California residents use your service, you may be subject to CCPA regardless of where your company is incorporated. Please check whether CCPA applies to you, and if it does, ensure your analytics provider is compliant.
Is Clerion AI CCPA compliant?
Yes. Here is our full analysis.
Personal information under CCPA
The CCPA defines personal information broadly (Cal. Civ. Code §1798.140(v)): information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, to a particular consumer or household.
IP addresses fall within this definition. When a visitor to your website triggers a Clerion tracking event, our server receives their IP address as part of the HTTP request. We therefore process personal information, and we take that responsibility seriously regardless of whether CCPA's thresholds apply to you.
However, CCPA is explicit that its obligations do not apply to de-identified information, and that is the foundation of our compliance analysis.
De-identification: the compliance mechanism
Section 1798.140(m) defines de-identified information as data that cannot reasonably identify, relate to, describe, or be linked to a particular consumer, provided the business:
- Has implemented technical safeguards that prohibit re-identification
- Has implemented business processes that specifically prohibit re-identification
- Has implemented business processes to prevent inadvertent release of de-identified information
- Makes no attempt to re-identify the information
Section 1798.145(a)(5) makes the consequence clear: CCPA's obligations do not restrict a business's ability to collect, use, retain, or disclose consumer information that is de-identified or aggregate consumer information.
Clerion satisfies all four de-identification requirements:
1. Technical safeguards prohibiting re-identification
IP addresses are pseudonymised in-memory using HMAC-SHA256 with a server-side secret (IP_HASH_SECRET). This is a one-way cryptographic transformation: the original IP address cannot be mathematically recovered from the hash, and the hash cannot be reversed without the secret. The secret is held exclusively on our EU infrastructure and is never transmitted, logged, or stored alongside the hashed data.
2. Business processes prohibiting re-identification
Our data pipeline has no mechanism for mapping hashes back to IP addresses. No system query, export function, or operational workflow attempts or permits reverse lookup. Engineering access controls prevent any ad hoc re-identification operation.
3. Business processes preventing inadvertent release
We retain no HTTP access logs containing raw visitor IPs. The raw IP address is handled entirely in-memory and is discarded before any write to persistent storage occurs. There is no export path, data pipeline, or API endpoint that could inadvertently surface raw IP addresses.
4. No attempt to re-identify
We have no commercial incentive, technical capability, or operational process that would motivate or enable re-identification. Clerion AI is a SaaS analytics platform with subscription-based revenue. We do not run advertising networks. We do not sell, broker, or share data for advertising purposes.
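The keyed hashing in safeguard 1 can be sketched as follows. This is an added example for Node.js, not Clerion's code: it contrasts HMAC-SHA256 with an unkeyed SHA-256 digest, and every name except IP_HASH_SECRET, along with the sample addresses and secret, is an assumption made for illustration.

```javascript
// Added example, not Clerion's code; every name except IP_HASH_SECRET is hypothetical.
const { createHmac, createHash } = require('node:crypto');
const net = require('node:net');

// Canonicalise first so one visitor address always yields one hash
// (a dual-stack listener reports IPv4 clients as ::ffff:a.b.c.d).
function normaliseIp(raw) {
  const ip = String(raw).trim().toLowerCase()
    .replace(/^::ffff:(?=\d+\.\d+\.\d+\.\d+$)/, '');
  if (net.isIP(ip) === 0) throw new TypeError('not an IP address');
  return ip;
}

// Keyed one-way transform: only the hex digest leaves this function.
// The 32-byte minimum is this example's assumption, not a figure from the page.
function pseudonymiseIp(rawIp, secret) {
  if (!secret || Buffer.byteLength(secret) < 32) {
    throw new Error('IP_HASH_SECRET must be at least 32 bytes');
  }
  return createHmac('sha256', secret).update(normaliseIp(rawIp)).digest('hex');
}

// Contrast case: an unkeyed digest of the same address.
function unkeyedDigest(rawIp) {
  return createHash('sha256').update(normaliseIp(rawIp)).digest('hex');
}

// Re-identification check: does hashing a list of candidate addresses
// with hashFn reproduce the stored value? Returns the match or null.
function matchStoredHash(stored, candidates, hashFn) {
  return candidates.find((ip) => hashFn(ip) === stored) ?? null;
}

// Constructed sample data: RFC 5737 documentation addresses, throwaway secret.
const demoSecret = 'constructed-demo-secret-0123456789abcdef';
const candidates = Array.from({ length: 256 }, (_, i) => `203.0.113.${i}`);
const visitor = '::ffff:203.0.113.77';

const keyed = pseudonymiseIp(visitor, demoSecret);
const unkeyed = unkeyedDigest(visitor);
console.log('unkeyed digest matched:', matchStoredHash(unkeyed, candidates, unkeyedDigest));
console.log('keyed, no secret:', matchStoredHash(keyed, candidates, unkeyedDigest));
console.log('keyed, with secret:',
  matchStoredHash(keyed, candidates, (ip) => pseudonymiseIp(ip, demoSecret)));
```

The last result shows that the safeguard rests on the key being held apart from the stored hashes: a party holding both can rebuild the mapping, while a party holding only the hashes cannot.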
No sale or sharing of personal information
The CPRA extended CCPA's opt-out right to cover "sharing", defined as disclosing personal information to a third party for cross-context behavioural advertising, whether or not money changes hands.
Clerion does not sell personal information. Clerion does not share personal information for cross-context behavioural advertising. Our revenue comes entirely from subscription fees paid by website operators. We have no advertising network relationships, no data broker agreements, and no arrangement that constitutes "selling" or "sharing" under CCPA/CPRA.
Our sub-processors receive data under strict contractual terms for the sole purpose of operating the service:
| Sub-processor | Role | Data received | Personal data? |
|---|---|---|---|
| Railway (Netherlands, EU) | Hosts our Node.js backend | Processes all server-side requests | In-transit only; not stored |
| Supabase (AWS eu-central-1, Frankfurt) | PostgreSQL database | Stores analytics events, hashed IPs, country codes | Only de-identified data at rest |
| IPLocate.io (EU endpoint) | IP geolocation | Receives raw IP for country lookup | IP discarded after country code returned |
| Anthropic (US) | AI analytics summaries | Receives aggregate/statistical data only | No personal data forwarded |
Anthropic's Data Processing Addendum explicitly prohibits using customer data for model training or advertising purposes.
Global Privacy Control (GPC)
The California Attorney General has confirmed that Global Privacy Control (navigator.globalPrivacyControl) must be honoured as an opt-out of sale and sharing under CCPA/CPRA. Colorado, Connecticut, and other state privacy laws carry the same requirement.
Clerion's tracking SDK checks for the GPC signal before any data processing takes place:
```javascript
_checkPrivacySignals() {
  if (navigator.globalPrivacyControl === true) {
    return true; // Privacy signal active: tracking disabled
  }
  if (navigator.doNotTrack === '1') {
    return true; // DNT active: tracking disabled
  }
  return false;
}
```
When GPC is detected, Clerion fires no tracking events, creates no identifiers, and transmits no data to our servers. This check runs before any other SDK logic.
Consumer rights in practice
Right to know: Our privacy policy discloses every category of personal information we collect, the purpose for which it is processed, and which sub-processors receive it. This page provides the underlying technical detail.
Right to delete: California residents who believe Clerion holds personal information about them can contact us at hello@getclerion.com. Website operators can request deletion of all analytics data associated with their site. Our automated daily retention purge job deletes all analytics data outside the applicable retention window (30 days on Free, up to 13 months on Business/Agency plans). Deletion happens systematically, not only on request.
Right to opt-out of sale/sharing: No sale or sharing for advertising occurs. Visitors whose browsers assert GPC are automatically excluded from tracking entirely.
Right to non-discrimination: We do not and will not discriminate against any user or customer for exercising their CCPA rights.
Right to correct: Contact hello@getclerion.com if you believe we hold inaccurate personal information.
Our data handling in the context of CCPA
| Data element | How we handle it | CCPA relevance |
|---|---|---|
| Raw IP address | Discarded after geo lookup and hashing | PI under CCPA, not retained; de-identified via cryptographic hash |
| IP hash (HMAC-SHA256) | Stored; irreversible without server-side secret | Satisfies all four CCPA de-identification requirements |
| Country code | Stored for aggregate geo reporting | Not personal information |
| User-Agent string | Processed server-side; not stored in raw form | Not PI when handled this way |
| Session ID (sessionStorage) | Cleared on tab close; same-tab only | Ephemeral, not a persistent identifier across visits |
| Persistent visitor ID (localStorage) | Only with explicit consent; never by default | Consent-gated; not created for GPC/DNT visitors |
| Behavioural events (page views, etc.) | Aggregate only; not linked to identified individual | De-identified aggregate consumer information |
Conclusion
Clerion AI was built on the premise that analytics should not require exploiting the people whose data powers it. We are not in the business of profiling individuals, selling data, or running advertising networks, and our architecture reflects that, not just our policy.
For California residents, what this means in practice: your IP address is processed briefly and then discarded, the resulting data is de-identified under CCPA's own statutory definition, your GPC signal is honoured automatically and unconditionally, and we do not sell or share your personal information with anyone for advertising purposes.
We encourage all Clerion customers to reference this page in their own privacy notices and to contact us at hello@getclerion.com with any questions about our data practices.