CCPA / CPRA — California Privacy
Status: service-provider obligations met · not a covered business by threshold · last updated 27 May 2026
The California Consumer Privacy Act (Cal. Civ. Code §§ 1798.100 et seq.), as substantially amended by the California Privacy Rights Act of 2020 (CPRA, effective 1 January 2023), is California's comprehensive consumer privacy statute. The CPRA established the California Privacy Protection Agency (CPPA) as the enforcement body.
Glassbreak is not currently a "business" subject to the CCPA as defined in § 1798.140(d) — we do not meet the threshold criteria (gross revenue, volume of California-resident personal-information processing, or revenue share from selling/sharing personal information). We do, however, satisfy the "service provider" definition in § 1798.140(ag) when a covered customer engages us, and our standard contract terms reflect those obligations.
Business threshold analysis
| Ref | Requirement | Status | How we meet it / gap |
|---|---|---|---|
| (d)(1)(A) | Annual gross revenue > $25 million | N/A | Below threshold at current operations. |
| (d)(1)(B) | Annually buys, sells, or shares personal information of 100,000+ California residents or households | N/A | Below threshold. Glassbreak does not buy or sell personal information; sharing (as defined for cross-context behavioural advertising) does not apply because we do no advertising. |
| (d)(1)(C) | Derives 50%+ of annual revenue from selling or sharing personal information | N/A | 0% of revenue from selling or sharing personal information. Subscription revenue from emergency-communications subscriptions only. |
None of the three independent threshold tests is met, so Glassbreak is not directly subject to the CCPA's business-level obligations. We re-check this annually; if growth pushes us across the (d)(1)(A) revenue line, we will publish updated CCPA notices and process consumer-rights requests directly. Until then, our obligations flow through customer contracts as a service provider.
Service-provider obligations
When a California resident's personal information is processed via Glassbreak on behalf of a customer who IS a covered business, § 1798.140(ag) makes us a service provider. Service-provider obligations apply contractually and operationally:
| Ref | Requirement | Status | How we meet it / gap |
|---|---|---|---|
| § 1798.100(d)(1) | Contract specifies purposes for which personal information is processed | Met | Our standard DPA at /legal/dpa scopes processing to the provision of the emergency-communications service the customer subscribed to. No secondary use. |
| § 1798.100(d)(2) | Prohibits retention, use, or disclosure outside the direct business relationship | Met | DPA prohibits using personal information for any purpose other than performing the contracted service, including combining with other personal information. |
| § 1798.100(d)(3) | Prohibits selling or sharing personal information | Met | Glassbreak does not sell or share personal information in any sense. This is the structural commitment underlying the entire product (see /security on zero-knowledge architecture). |
| § 1798.100(d)(4) | Requires the same level of privacy protection as required of the business | Met | Our DPA mirrors the customer's CCPA obligations — including consumer-rights forwarding, breach notification, and the cooperation required to support the customer's response to consumer requests. |
| § 1798.100(d)(5) | Grants the business rights to take reasonable and appropriate steps to ensure compliance | Met | Audit rights granted in the DPA: customer-led audits with reasonable notice, or reliance on Glassbreak's published trust evidence (SOC 2 / ISO 27001 reports, when issued). |
| § 1798.100(d)(6) | Requires notification if the service provider determines it can no longer meet its obligations | Met | DPA contains a notification clause: if Glassbreak determines it can no longer meet its service-provider obligations, written notice to the customer and a cooperation window for transition / remediation. |
| § 1798.100(d)(7) | Grants the business the right to stop and remediate unauthorised use | Met | DPA preserves the customer's right to direct stop-processing and remediation; standard 30-day cooperation window with full export + deletion of customer data. |
Consumer rights — how we support customer fulfilment
California residents have a suite of rights under the CCPA/CPRA. When a consumer submits a verifiable request to a Glassbreak customer (the business), that customer relies on us to actually retrieve, return, or delete the relevant data. Our service-provider support:
| Ref | Requirement | Status | How we meet it / gap |
|---|---|---|---|
| § 1798.110 | Right to know — categories and specific pieces of personal information | Met | In-product data export at /legal/data-request yields the consumer's entire personal record in a structured, machine-readable bundle within 45 days. Customer-business can forward this to the consumer to satisfy the right-to-know request. |
| § 1798.105 | Right to delete | Met | Self-service account erasure available via the in-product settings; for service-provider context, customer-business may submit a deletion-request relay and we erase the named consumer's personal record within 45 days, except for retention required by law (audit logs scrubbed to non-PII fingerprints). |
| § 1798.106 | Right to correct | Met | Self-service profile-edit covers the consumer-modifiable fields (name, email, communication preferences). For service-provider context, customer-business may relay correction requests and we apply the same edits. |
| § 1798.120 | Right to opt out of sale or sharing | N/A | Not applicable — Glassbreak does not sell or share personal information. There is nothing to opt out of. |
| § 1798.121 | Right to limit use and disclosure of sensitive personal information | Met | Sensitive personal information (e.g. precise geolocation, biometric data) is end-to-end encrypted such that Glassbreak cannot decrypt it; use is structurally limited to the contracted service. See /security. |
| § 1798.125 | Right of non-discrimination for exercising privacy rights | Met | Pricing and service quality do not depend on whether a consumer has exercised CCPA rights against the customer-business or directly against Glassbreak. |
| § 1798.185(a)(16) | Right to opt out of automated decision-making (CPPA draft regulations) | Met | Glassbreak does not use automated decision-making that produces legal or similarly significant effects on consumers. Routing decisions for emergency messages are based on customer-configured rules, not algorithmic profiling. |
Notice requirements
CCPA notice obligations (§ 1798.100(b), § 1798.130(a)(5), § 1798.135) apply to the business that collects the personal information directly from the consumer. As a service provider, Glassbreak's notices are documented in:
- Privacy Policy — what information we receive in the service-provider capacity, how it's processed, retention.
- Data Processing Agreement — contractual treatment of the personal information.
- Sub-processor list — third parties who receive personal information in the course of providing the service.
Customer-businesses subject to the CCPA should include Glassbreak in their CCPA "Notice at Collection" and Privacy Policy disclosures as a service provider, and reference our DPA for the contractual terms that govern the transfer.
Data minimisation by design
The CCPA places weight on data minimisation, retention limits, and purpose limitation. Glassbreak's zero-knowledge architecture helps customers meet these standards:
- Secret content, message content, and contact PII are end-to-end encrypted such that Glassbreak cannot read them — purpose limitation is structural, not policy-based.
- Refresh tokens, email-verification tokens, and password-reset tokens are stored as one-way hashes; plaintext exists only on the wire.
- Audit logs strip PII to fingerprints (HMAC-SHA256 of the email) so the operational log surface itself contains the minimum necessary to investigate incidents.
- Retention is purpose-bound: account deletion cryptographically erases the user's encryption keys, making any remaining ciphertext unrecoverable even if backups retain it for the audit-retention window.
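As an added illustration of the two log-and-token measures above (example code written for this page, not Glassbreak's own implementation), the block below keys email fingerprints with HMAC-SHA256 and stores refresh/reset tokens only as one-way digests. It assumes a server-side fingerprint key that lives outside the log pipeline; the key bytes and sample events here are constructed placeholders.

```python
import hashlib
import hmac
import json
import secrets

# Constructed placeholder key. In a real deployment this is a server-side
# secret held outside the logging pipeline, so that whoever can read the
# audit logs cannot also recompute fingerprints from a list of addresses.
FINGERPRINT_KEY = bytes.fromhex("11" * 32)


def email_fingerprint(email: str, key: bytes = FINGERPRINT_KEY) -> str:
    """Keyed, one-way fingerprint of an email for audit-log use.

    Normalising case and whitespace first keeps one user's events
    correlatable. The HMAC key, not the hash alone, is what prevents
    reversal: email addresses are low-entropy and a plain SHA-256 of
    them could be brute-forced from a dictionary of known addresses."""
    norm = email.strip().lower().encode("utf-8")
    return hmac.new(key, norm, hashlib.sha256).hexdigest()


def audit_event(action: str, email: str, **fields) -> str:
    """Serialise an audit entry that carries the fingerprint, never the address."""
    entry = {"action": action, "subject": email_fingerprint(email), **fields}
    return json.dumps(entry, sort_keys=True)


def issue_token() -> tuple[str, str]:
    """Return (plaintext for the wire, digest for the database).

    Unlike an email, a 256-bit random token is unguessable, so an unkeyed
    SHA-256 is sufficient: a leaked digest table yields nothing usable."""
    token = secrets.token_urlsafe(32)
    return token, hashlib.sha256(token.encode("utf-8")).hexdigest()


def token_matches(presented: str, stored_digest: str) -> bool:
    """Re-derive the digest of a presented token and compare in constant time."""
    digest = hashlib.sha256(presented.encode("utf-8")).hexdigest()
    return hmac.compare_digest(digest, stored_digest)


def log_contains_pii(log_line: str, email: str) -> bool:
    """Sanity check a log line never carries the raw (normalised) address."""
    return email.strip().lower() in log_line.lower()
```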
What changes if we cross the (d)(1)(A) threshold
If annual gross revenue exceeds $25 million, Glassbreak becomes a CCPA "business" in its own right. We will then:
- Publish a Glassbreak "Notice at Collection" + Privacy Policy with the full set of disclosures required by § 1798.130.
- Establish the consumer-request intake channels required by § 1798.130(a)(1) (toll-free phone OR online form for businesses that operate primarily online — Glassbreak qualifies for the online-only exception).
- Train staff handling consumer requests per § 1798.135(g) (most of this overlaps with our existing security-awareness training).
- Submit any required filings to the CPPA.
- Register as a "data broker" if subsequent activity meets that definition — currently does not apply.
If you are a California-headquartered enterprise onboarding Glassbreak and need a CCPA-aligned DPA addendum, evidence of our service-provider commitments, or specific language for your "Notice at Collection", write to compliance@glassbreak.io with the contract reference.