SnapPDF
GUIDE · 2026-04-28 · 5 min read

California Consumer Privacy Act and e-signature data

CCPA and its successor CPRA give California residents specific rights over their signature data. Here's what platforms must do.

The California Consumer Privacy Act (CCPA), effective 2020, and its update, the California Privacy Rights Act (CPRA), effective 2023, give California residents enumerated rights over their personal data — including signature records.

Who must comply

Businesses that meet any of the following thresholds:

  • Gross revenues > $25M/year
  • Buy/sell/share personal info of 100,000+ Californians/year
  • Derive 50%+ of revenue from selling personal info

If you meet any threshold, CCPA/CPRA applies to your e-signature workflows with California residents.

The 6 CCPA/CPRA rights

  1. Right to know — what personal info is collected, how, shared with whom
  2. Right to delete — request deletion of personal info
  3. Right to correct — fix inaccurate info (CPRA addition)
  4. Right to opt-out of sale/sharing — including cross-context behavioral advertising
  5. Right to limit sensitive personal info use (CPRA addition)
  6. Right to non-discrimination — can't penalize consumers for exercising rights

What this means for e-signatures

Signing a document generates personal information: name, email, IP, signature image, document content. California residents can:

  • Request a copy of everything your platform has about them
  • Request deletion (subject to legal retention exceptions for contracts)
  • Request correction of errors in their profile

Your e-signature platform must support these requests within 45 days (45 CFR § 1798.130).

Sensitive personal information (SPI)

CPRA added a "sensitive personal information" category that includes:

  • Social Security Number, DL, passport
  • Financial account info
  • Precise geolocation
  • Racial/ethnic origin, religion
  • Contents of mail, email, text messages
  • Health data
  • Biometric data

Some signed documents contain SPI. CPRA requires stronger protections for SPI and gives consumers the right to limit its use to what's necessary for the service.

The "selling" and "sharing" distinction

CCPA defined "selling" narrowly. CPRA expanded the scope to cover "sharing" — including cross-context behavioral advertising. E-signature platforms generally don't sell or share signature data, but verify:

  • Check the platform's privacy policy for data sharing practices
  • Verify they don't serve ads using your signed document content
  • Confirm no third-party trackers on the signing pages

SignBolt doesn't sell, share, or advertise on signature data. Their privacy policy is explicit on this.

Retention under CCPA

CCPA doesn't impose specific retention periods but requires you to:

  • Disclose retention periods in privacy policy
  • Retain only as long as reasonably necessary for disclosed purposes
  • Delete upon verified consumer request (subject to legal exceptions)

For e-signatures, the legal exception is contract retention requirements — you can't delete a signed contract just because one party requested it, since the other party needs it for their records.

Breach notification

California Civil Code § 1798.82 requires notification "in the most expedient time possible and without unreasonable delay" after breach discovery. The Attorney General must also be notified within specific timeframes if 500+ California residents are affected.

Practical compliance

For e-signature workflows with California residents:

  • Platform privacy policy must disclose CCPA rights
  • Support "Do Not Sell My Personal Information" link
  • Respond to verified requests within 45 days
  • Document retention periods
  • Maintain inventory of SPI collected
  • Breach notification process in place

SignBolt supports all of the above on Business tier.
