What is CCPA/CPRA?
The California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA) give California residents control over their personal information.
CCPA (2020)
- • Right to know what data is collected
- • Right to delete personal information
- • Right to opt-out of data sale
- • Applies to businesses with $25M+ revenue or 50K+ consumers' data
CPRA (2023)
- • Added "sensitive personal information" category
- • Right to correct inaccurate data
- • Right to limit use of sensitive data
- • Created California Privacy Protection Agency
CCPA Personal Information Categories
CCPA defines 11 categories of personal information. SafeRedact's AI detects most text-based categories automatically.
Identifiers
Name, alias, SSN, driver's license, passport, postal address, email, account name
Financial Information
Bank account, credit card, debit card numbers, financial history
Protected Characteristics
Age, race, gender, religion, national origin, disability, citizenship
Commercial Information
Purchase records, purchasing histories, consuming tendencies
Biometric Information
Fingerprints, face, voice (non-text - manual review)
Internet Activity
Browsing history, search history, IP addresses, device IDs
Geolocation Data
Physical location, GPS coordinates, addresses
Audio/Visual Data
Audio, video, photos (non-text - manual review)
Professional/Employment
Job title, employer, salary, work history
Education Information
Enrollment records, grades, transcripts, student IDs
Inferences
Profiles, preferences, characteristics derived from data
AI-detected | Non-text (manual review needed)
CPRA Sensitive Personal Information
CPRA added a new "sensitive personal information" category with additional protections. SafeRedact can detect most of these.
SSN, Driver's License, Passport
Government-issued identification numbers
Financial Account Information
Account + security codes or passwords
Precise Geolocation
Location within 1,850 feet
Race, Ethnicity, Religion
Protected demographic information
Health Information
Medical conditions, diagnoses, treatments
Sexual Orientation / Gender ID
Gender identity, sexual orientation
Consumer Rights That Trigger Redaction
CCPA/CPRA grants California residents specific rights. Fulfilling these rights often requires precise document redaction.
Right to Access (§ 1798.100)
Consumers can request copies of all personal information collected about them. When fulfilling these requests, you must redact any third-party personal information contained in the same documents — employee names, vendor contacts, other customers' data.
Right to Delete (§ 1798.105)
Consumers can request deletion of their personal information. For documents that contain both the consumer's data and business-critical information, redaction is often more practical than full deletion — you remove the personal information while preserving the business record.
Right to Limit Use of Sensitive PI (§ 1798.121, CPRA)
CPRA added the right for consumers to limit the use of sensitive personal information — including SSNs, driver's license numbers, financial account details, and precise geolocation. When these data points appear in shared documents, they must be redacted unless a specific business purpose exemption applies.
Right to Non-Discrimination (§ 1798.125)
Businesses cannot discriminate against consumers who exercise their privacy rights. This means your redaction processes need to be efficient enough that honoring requests doesn't create operational friction that discourages future requests.
CCPA/CPRA Penalty Structure
Enforced by the California Attorney General and the California Privacy Protection Agency (CPPA).
$2,500
Per Unintentional Violation
Each affected consumer record counts as a separate violation. A breach involving 10,000 records = potential $25M exposure.
$7,500
Per Intentional Violation
Knowingly failing to comply with consumer requests or mishandling personal information. CPRA also applies this rate to violations involving minors' data.
$100–$750
Per Consumer (Private Action)
Consumers can sue directly under § 1798.150 if their unredacted/unencrypted personal information is exposed in a data breach. Class actions can reach tens of millions.
CCPA vs CPRA: What Changed
CPRA (effective January 2023) significantly expanded CCPA's scope. Key changes affecting redaction workflows:
CCPA (Original, 2020)
- • Applied to businesses with 50,000+ consumer records
- • No distinction between personal and sensitive personal information
- • 30-day cure period before AG enforcement
- • Enforced by California Attorney General only
CPRA (Amended, 2023)
- ● Threshold raised to 100,000+ consumer records
- ● New "sensitive PI" category with additional protections and higher penalties
- ● 30-day cure period eliminated
- ● New enforcement body: California Privacy Protection Agency (CPPA)
- ● Right to correct inaccurate personal information
- ● Right to limit use of sensitive personal information
Bottom line for redaction: CPRA's elimination of the cure period means there's no grace period to fix problems after a complaint. Your redaction processes need to be correct from the start. Automated PII detection reduces the risk of human error in high-volume document processing.
CCPA Redaction Use Cases
Consumer Data Requests
Redact third-party information before fulfilling "right to know" requests.
HR & Employee Records
Remove personal information from employment documents before sharing.
Vendor Contracts
Redact personal information before sending contracts to third parties.
Customer Records
De-identify customer data for analytics or reporting purposes.
Legal Discovery
Redact non-relevant personal information from discovery documents.
Audit Preparation
Prepare documents for CCPA compliance audits.
Privacy-First Architecture
When redacting personal information, how your tool handles files is critical.
Browser-Based Processing
Your files stay in your browser. Only extracted text is sent AES-256 encrypted for AI detection. Nothing stored.
Text-Only AI Analysis
Only extracted text is sent AES-256 encrypted for AI analysis. We never see your original files — only text snippets for detection.
Local Redaction
Redactions are applied locally. The clean PDF is created in your browser and downloaded directly.
Pricing
Pay when you need it
Try free with watermark. Remove it when you're ready.
24 hours from purchase
Get Day PassUnlimited documents
One-time purchase
Cancel anytime
Subscribe — $29/moUnlimited documents
Cancel or change anytime
Bulk DSAR & compliance for teams that process thousands of documents.
Or try free with watermark — no signup required.
CCPA Redaction FAQ
Who needs to comply with CCPA?
CCPA applies to for-profit businesses that collect California residents' personal information AND meet one of these criteria: (1) $25M+ annual revenue, (2) buy/sell/share data of 100K+ consumers, or (3) derive 50%+ of revenue from selling personal information.
What's the penalty for CCPA violations?
Intentional violations can result in fines up to $7,500 per violation. Unintentional violations can result in fines up to $2,500 per violation after a 30-day cure period. Consumers can also sue for data breaches ($100-$750 per consumer per incident).
Does SafeRedact help with CCPA requirements?
SafeRedact helps you redact personal information from documents, which is one component of CCPA compliance. Full compliance requires additional measures including data mapping, privacy policies, consumer request processes, and security practices. Consult with a privacy professional for comprehensive compliance guidance.
What types of personal information can SafeRedact detect?
SafeRedact's AI detects most text-based CCPA categories including identifiers (names, SSNs, addresses, emails), financial information, professional/employment data, education records, and internet activity data. Biometric data and photos require manual review.
Start Redacting Free
See if it fits your workflow. No account required for the free tier.