The Compliance Nightmare
In 2023, a mid-sized SaaS company spent $340,000 responding to CCPA data subject requests. They had to build systems to locate, extract, and delete user data across 47 different databases. One request took 73 hours to complete.
This is the reality of modern privacy compliance. CCPA gives California residents the right to know what data you collect, to have it deleted, and to opt out of its sale. CPRA adds correction rights and stricter requirements.
But what if you did not collect the data in the first place?
Understanding CCPA & CPRA Requirements
The California Consumer Privacy Act (CCPA) became effective January 1, 2020. The California Privacy Rights Act (CPRA) amended and expanded it, effective January 1, 2023. Together, they create the strongest privacy protections in the United States.
- Right to Know: Consumers can request disclosure of personal information collected, used, shared, or sold (CCPA § 1798.110)
- Right to Delete: Consumers can request deletion of personal information, with some exceptions (CCPA § 1798.105)
- Right to Opt-Out: Consumers can opt out of the sale of personal information (CCPA § 1798.120)
- Right to Non-Discrimination: Businesses cannot discriminate against consumers who exercise their rights (CCPA § 1798.125)
- Right to Correct: Under CPRA, consumers can request correction of inaccurate information (CPRA § 1798.106)
- Right to Limit: Under CPRA, consumers can limit use of sensitive personal information (CPRA § 1798.121)
The Zero-Knowledge Exemption
Here is what most compliance guides will not tell you: CCPA obligations only apply to businesses that collect, process, or store personal information. If your tools never touch a server, you have no data to disclose, delete, or correct.
ZeyroVault's client-side architecture means:
No Collection: Data never leaves the user's browser. We literally cannot access it.
No Storage: We have no databases of user data. Nothing to breach, nothing to delete.
No Processing: All encryption, hashing, and encoding happens on the user's device.
No Sale: You cannot sell what you do not have.
This is not a loophole. It is architectural compliance by design.
The State-by-State Privacy Landscape
California started the trend, but it is not alone. As of 2026, 15 states have comprehensive privacy laws:
- Virginia (VCDPA) - Effective January 1, 2023: Similar to GDPR with controller/processor distinctions
- Colorado (CPA) - Effective July 1, 2023: Includes universal opt-out requirements
- Connecticut (CTDPA) - Effective July 1, 2023: Focuses on consumer health data
- Utah (UCPA) - Effective December 31, 2023: Business-friendly approach with narrower scope
- New States: Iowa, Indiana, Tennessee, Montana, Texas, Florida, Delaware, Oregon, New Jersey, New Hampshire
While requirements vary, they share a common thread: obligations apply to businesses that handle personal data. Zero-knowledge architecture sidesteps these obligations entirely.
Practical Compliance Strategy
Even with zero-knowledge tools, you need a compliance strategy. Here is what we recommend:
- Document Your Architecture: Maintain technical documentation proving client-side processing. This becomes your first line of defense in any inquiry.
- Privacy Policy Transparency: Clearly state that your tools operate client-side and do not collect personal information. Reference specific tools and their zero-knowledge nature.
- Vendor Assessment: If you use third-party services (hosting, analytics), ensure they also respect privacy. ZeyroVault uses privacy-first analytics with no personal data collection.
- Employee Training: Ensure your team understands what data you do and do not have. Many compliance failures come from employees incorrectly stating data practices.
- Regular Audits: Review your tools annually to confirm they remain zero-knowledge. New features or dependencies could change your compliance posture.
Frequently Asked Questions
Does CCPA apply to my business if I use ZeyroVault tools?
CCPA applies to for-profit businesses that do business in California, collect consumers' personal information, and meet certain thresholds (>$25M revenue, >100K consumers, or 50% revenue from data sales). If you only use ZeyroVault's client-side tools and do not collect personal information through other means, CCPA likely does not apply to your use of these tools. However, consult with legal counsel for your specific situation.
How do I prove zero-knowledge processing to regulators?
Document your architecture thoroughly. ZeyroVault provides open-source code that auditors can review. You can also use browser developer tools to demonstrate that no network requests containing user data are made. Consider publishing a technical whitepaper explaining your client-side processing approach.
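One way to produce the evidence described above, as an added example that is not ZeyroVault's code: a console-pasteable monitor that hooks fetch, XMLHttpRequest and navigator.sendBeacon, records every outbound request, and reports any that carried a sentinel value you typed into the tool. The function and variable names (installEgressMonitor, leaksOf, outbound) are assumptions.

```javascript
// Added audit helper (not ZeyroVault code): wraps the three browser APIs that
// can send data off the device (fetch, XMLHttpRequest, navigator.sendBeacon),
// records every request, and reports any carrying a sentinel you typed.
const outbound = []; // one entry per outbound request: { kind, url, body }
// Flatten the common body types into a searchable string.
function bodyToString(body) {
  if (body == null) return "";
  if (typeof body === "string") return body;
  if (typeof body.entries === "function") { // URLSearchParams or FormData
    return Array.from(body.entries()).map(([k, v]) => `${k}=${v}`).join("&");
  }
  try { return JSON.stringify(body); } catch (_) { return String(body); }
}
// Install the wrappers on `g` (globalThis in a real browser session); each
// wrapper records the request first, then defers to the original API.
function installEgressMonitor(g = globalThis) {
  if (typeof g.fetch === "function") {
    const origFetch = g.fetch;
    g.fetch = function (input, init = {}) {
      const url = typeof input === "string" ? input : String(input.url ?? input);
      outbound.push({ kind: "fetch", url, body: bodyToString(init.body) });
      return origFetch.call(g, input, init);
    };
  }
  if (g.XMLHttpRequest) {
    const proto = g.XMLHttpRequest.prototype;
    const origOpen = proto.open, origSend = proto.send;
    proto.open = function (method, url, ...rest) {
      this.__auditUrl = String(url);
      return origOpen.call(this, method, url, ...rest);
    };
    proto.send = function (body) {
      outbound.push({ kind: "xhr", url: this.__auditUrl, body: bodyToString(body) });
      return origSend.call(this, body);
    };
  }
  if (g.navigator && typeof g.navigator.sendBeacon === "function") {
    const origBeacon = g.navigator.sendBeacon.bind(g.navigator);
    g.navigator.sendBeacon = (url, data) => {
      outbound.push({ kind: "beacon", url: String(url), body: bodyToString(data) });
      return origBeacon(url, data);
    };
  }
}
// Requests containing the sentinel raw, URL-encoded, or base64-encoded. Hashed or
// encrypted output will not match, so an empty `outbound` list is the stronger proof.
function leaksOf(sentinel) {
  const forms = [sentinel, encodeURIComponent(sentinel), btoa(sentinel)];
  return outbound.filter(r => forms.some(f => r.url.includes(f) || r.body.includes(f)));
}
```

Paste the block into the browser console, call installEgressMonitor(), use the tool with a distinctive sentinel, then inspect leaksOf(sentinel) and outbound. Save the DevTools Network tab as a HAR alongside it, since the hooks only see requests made after they were installed.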
What about other data my business collects?
Zero-knowledge tools eliminate compliance obligations for the data processed through those tools. If your business collects personal information through other means (customer accounts, support tickets, etc.), CCPA and other laws still apply to that data. Segment your compliance approach: zero-knowledge for tool processing, traditional compliance for other data handling.
Will zero-knowledge architecture protect against future privacy laws?
Almost certainly yes. Privacy laws worldwide follow a consistent pattern: they regulate the collection, use, and protection of personal data. If you do not collect data, you avoid these obligations. New laws may add requirements (like algorithmic transparency), but the fundamental principle remains: no data means no data protection obligations.
References
This guide is based on official legal texts and authoritative sources: