Document Summary

California Consumer Privacy Act 2018 (CCPA)

Download PDF
Our approach to security and privacyOur approach to security and privacy
Back to Trust Center

California Consumer Privacy Act 2018

The California Consumer Privacy Act 2018 (CCPA) gives consumers more control over the personal information that businesses collect about them.

The CCPA requires businesses to provide detailed privacy notices with prescribed content, including transparent disclosures about information collection and use practices, sharing of personal information, and consumers’ privacy rights.

What is “personal information” under CCPA?

Personal information is any information that directly identifies, relates to, describes, is reasonably capable of being associated with or could reasonably be linked, either directly or indirectly, with a particular individual or household. This includes, for example, names; aliases; unique personal identifiers (such as social security number, driver’s license number, passport number, etc.); account or user names; IP addresses; unique device or cookie identifier, biometric data; educational, professional, or employment data; behavioral data; Internet activity data; and inferences drawn about an individual based on the foregoing or online activity.

What constitutes a “sale” of personal information?

A “sale” of personal information is any disclosure of or grant of access to personal information in exchange for money or other valuable consideration. These sales are regulated by requiring businesses that sell personal information to provide consumers detailed notice and the opportunity to opt out of these sales.

What roles are assigned to companies under the CCPA?

Companies can be a “business,” “service provider,” or “third party.” Many companies will qualify as one or more depending on the relationship of the parties and the nature of their data processing activities. This is how Secure Code Warrior views these roles in relation to our services and associated responsibilities:


A business is a for-profit entity that (a) does business in California, regardless of whether it has any physical presence in the state; (b) processes personal information of California residents or on whose behalf such personal information is processed;(c) alone, or jointly with others, determines the means and purposes of the processing; and (d) either: (i) has more than $25 million in annual gross revenue; (ii) annually buys, sells, receives or shares for a commercial purpose the personal information of at least 50,000 consumers, whether alone or in combination with other businesses; or (iii) derives at least 50% of its annual revenue from the sale of consumers’ personal information.

Service Provider(s)

A “service provider” because we process personal information on your behalf pursuant to a written agreement. The CCPA requires that this agreement limit our ability to use the personal information we process on your behalf solely to what is needed to perform the services or as may otherwise be permitted by the CCPA. We offer our customers subject to the CCPA an addendum incorporating these terms.

Third Party

Companies with whom personal information is shared but which use the information for their own uses, including sharing with other parties, are “third parties.” Sharing with third parties must be disclosed in a business’s privacy policy and may constitute a ”sale” if performed in exchange for money or valuable consideration, with attendant obligations for the third party.

How does this apply to Secure Code Warrior?

Secure Code Warrior does not currently meet the criteria described above for a “Business” under CCPA, namely because we do not:

  • Buy, receive, or sell the personal information of 50,000 or more California residents, households, or devices; or
  • Derive 50% or more of our annual revenue from selling California resident's personal information.

However, we are considered a “Service Provider” because we process personal information on your behalf pursuant to a written agreement.

Our obligations to you

Consumer rights requests

We will provide reasonable assistance to you in facilitating compliance with consumer rights requests.

Processing of personal information

We will not:

  1. Sell any personal information about you,
  2. Retain, use, or disclose the personal information for a commercial purpose, other than for providing the services, as further described in the Terms of Use and in our Privacy Policy; and
  3. further retain, use, or disclose the personal information except for business purposes or as otherwise authorized by the CCPA.

Personal information deletion

On termination, you have the option to request the return or deletion of personal information. This request must be made within 30 days of termination. We will make the data available for download by you in a machine readable format. Thereafter we will permanently delete the personal information from the live systems as described in our Privacy Policy.


Secure Code Warrior has implemented what we believe to be an industry-leading security and compliance program for our product infrastructure. Visit our Trust Center to find out more.


We will ensure that all employees, and contractors involved in the handling of personal information are aware of the confidential nature of the personal information and are contractually bound to keep the personal information confidential.

Looking for something else?

Our approach to security and privacy

Visit our Trust Center to learn more about the security and privacy practices that safeguard our information assets, and those of our customers, against misuse, abuse or compromise.

Trust Center