CCPA / CPRA Compliance
Last updated: April 2026
The California Consumer Privacy Act (CCPA) and its amendment, the California Privacy Rights Act (CPRA), grant California residents specific rights over their personal information. This guide explains how FeatureSignals supports your organization's CCPA/CPRA compliance obligations.
Service Provider Role
Under CCPA/CPRA, FeatureSignals acts as a service provider (equivalent to a processor under GDPR). We process personal information only for the purpose of providing the feature flag service and do not sell, share, or use personal information for any other purpose.
CCPA vs. CPRA: Key Differences
| Aspect | CCPA (2020) | CPRA (2023 Amendment) |
|---|---|---|
| Sensitive PI | Not separately regulated | New category with opt-out right |
| Enforcement | Attorney General only | California Privacy Protection Agency (CPPA) |
| Correction right | Not included | Right to correct inaccurate PI |
| Data minimization | Not explicit | Explicit requirement |
| Risk assessments | Not required | Required for high-risk processing |
| Threshold | 50,000+ consumers or 50%+ revenue from data sales | 100,000+ consumers or derive 50%+ revenue from sharing |
Consumer Rights Under CCPA/CPRA
Right to Know (CCPA §1798.100 / CPRA §1798.100)
Consumers can request disclosure of the categories and specific pieces of personal information collected. FeatureSignals:
- Maintains a data inventory mapping all personal information categories
- Provides API-based data export (JSON/CSV) within 45 days
- Records all data access requests for compliance documentation
Right to Delete (CCPA §1798.105 / CPRA §1798.105)
Consumers can request deletion of personal information, with limited exceptions (e.g., legal obligations, security). FeatureSignals:
- Implements immediate soft deletion with permanent purge after 30 days
- Anonymizes audit log references to preserve integrity
- Provides deletion confirmation and compliance record
Right to Opt-Out of Sale/Sharing (CPRA §1798.120)
Consumers can opt out of the sale or sharing of their personal information. FeatureSignals:
- Does not sell personal information — we have never sold PI and never will
- Does not share PI for cross-context behavioral advertising
- Publishes a clear “Do Not Sell or Share My Personal Information” notice
- Maintains an opt-out preference signal detection mechanism (GPC)
Right to Correct (CPRA §1798.106)
Consumers can request correction of inaccurate personal information. FeatureSignals:
- Enables self-service profile corrections via the dashboard
- Supports admin-initiated corrections through team management
- Records all corrections in the audit trail with before/after state
Right to Limit Use of Sensitive PI (CPRA §1798.121)
Consumers can limit the use of sensitive personal information to specific business purposes. FeatureSignals:
- Does not collect sensitive PI as defined by CPRA (SSN, precise geolocation, biometric data, etc.)
- Processes only the minimum data necessary for flag evaluation
- Evaluation context is under your control — we don't inspect or profile it
Data Inventory & Mapping
CCPA/CPRA requires businesses to maintain a data inventory. As a service provider, FeatureSignals provides transparency into what data we process on your behalf:
| Data Category | Examples | Purpose | Retention |
|---|---|---|---|
| Identifiers | Name, email, IP address | Account management, audit trail | Account lifetime + 30 days |
| Commercial information | Subscription tier, billing history | Billing, license enforcement | 7 years (tax requirements) |
| Internet activity | API request logs, evaluation history | Performance, debugging | 90 days (logs), 1 year (audit) |
| Professional information | Organization, role | Team management, RBAC | Account lifetime + 30 days |
Opt-Out Mechanisms
FeatureSignals provides multiple mechanisms for consumers to exercise their opt-out rights:
- Global Privacy Control (GPC): We honor the GPC browser signal as a valid opt-out request
- Email request: privacy@featuresignals.com
- Privacy request form: Online privacy request portal
- Toll-free number: Available to Enterprise customers for consumer-facing compliance support
Consumer Request Verification
To prevent fraudulent requests, FeatureSignals verifies the identity of consumers making CCPA/CPRA requests:
- Account-holder requests: verified through existing authentication
- Non-account requests: verified through email confirmation + identity challenge
- Authorized agent requests: verified through written authorization + direct consumer confirmation
- All verification is documented for compliance evidence
Non-Discrimination
In accordance with CCPA §1798.125, FeatureSignals does not discriminate against consumers who exercise their CCPA/CPRA rights. Exercising your privacy rights will not result in denial of service, different pricing, or degraded quality of service.
Privacy Contact
For CCPA/CPRA inquiries, data subject requests, or privacy concerns: privacy@featuresignals.com