
CCPA / CPRA compliance with Sonomos

The California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), gives California residents rights over their personal information (PI) and imposes obligations on businesses that collect or process that information. The regulations are enforced by the California Privacy Protection Agency and the California Attorney General. AI tools are a new and largely unmonitored conduit through which PI can be disclosed to third parties — Sonomos prevents that disclosure at the source.

What CCPA/CPRA protects

“Personal information” under CCPA is broad: anything that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked with a California resident or household. That includes identifiers, commercial information, internet activity, geolocation, biometric data, and inferences drawn from any of the above.

“Sensitive personal information” (SPI) under CPRA carves out a stricter subset: SSN, driver’s license, financial account credentials, geolocation, racial or ethnic origin, religious beliefs, contents of mail and messages, genetic data, biometric identifiers, and health, sex life, or sexual orientation information.

Sonomos detects every common category of PI and SPI — see the Detector Reference.

Why AI tools change the CCPA picture

Several CCPA/CPRA concepts are directly affected by employee AI usage:

  • “Sale” and “sharing” — disclosing PI to a third party for monetary or other valuable consideration. Pasting PI into a chat assistant that uses prompts for model training arguably triggers this; even where it doesn’t, the optics are bad.
  • “Service provider” vs. third party — the line depends on contractual restrictions on use. Many AI vendors don’t qualify as service providers under CCPA. If staff use them with PI, you may be making third-party disclosures the consumer never agreed to.
  • Right to know / right to delete — once PI is in an AI vendor’s logs or training data, honoring those requests for that PI becomes difficult or impossible.
  • Purpose limitation — disclosing PI for an AI summarization task likely isn’t the purpose the consumer was told about at collection.

The cleanest answer to all four is to prevent the PI from leaving the browser in the first place. That’s Cloak’s job.

How Sonomos supports CCPA/CPRA obligations

Minimization (§1798.100(c))

CCPA requires that the collection, use, retention, and sharing of PI be reasonably necessary and proportionate to the disclosed purpose. Cloak’s pseudonymization at the AI-tool boundary directly supports minimization: only the data the model needs to answer is transmitted.

Reasonable security (§1798.100(e), CPRA amendment)

CPRA introduced an explicit reasonable-security obligation for personal information. Cloak’s automatic masking + Send Guard’s blocking warnings constitute documented technical controls for one of the highest-velocity disclosure paths in a modern workplace.

Sensitive personal information (§1798.121)

Consumers can direct businesses to limit the use and disclosure of SPI. Sonomos’s high-severity tier (SSNs, driver’s licenses, financial credentials, health data) maps closely to the CPRA SPI definition — Modal-mode Send Guard provides a hard stop before SPI can be submitted.
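What "pseudonymization at the AI-tool boundary" looks like in practice, as an added illustration (this is example code written for this page, not Sonomos's own implementation or its Cloak detectors): the prompt is scanned in the browser, each detected value is swapped for a stable placeholder, only the placeholder version is transmitted, and the model's reply is rehydrated locally. The detector patterns, the category names, the severity tiers and the sample ticket text are constructed for the example; the product's real detector set is the one documented in its Detector Reference.

```javascript
// Added example, not Sonomos's own code. Pseudonymizes PI in a prompt before it
// leaves the browser and restores the originals in the model's reply. Detector
// patterns, category names, severity tiers and sample text are constructed.

const SEVERITY_RANK = { none: 0, low: 1, medium: 2, high: 3 };

// Luhn check: cuts false positives on card-number-shaped digit runs.
function luhn(digits) {
  let sum = 0;
  let double = false;
  for (let i = digits.length - 1; i >= 0; i--) {
    let d = Number(digits[i]);
    if (double) { d *= 2; if (d > 9) d -= 9; }
    sum += d;
    double = !double;
  }
  return sum % 10 === 0;
}

// Categories in the "high" tier are the ones that map to CPRA sensitive PI.
const DETECTORS = [
  { category: "SSN",   severity: "high",   re: /\b\d{3}-\d{2}-\d{4}\b/g },
  { category: "CARD",  severity: "high",   re: /\b(?:\d[ -]?){12,18}\d\b/g,
    accept: (m) => luhn(m.replace(/[ -]/g, "")) },
  { category: "EMAIL", severity: "medium", re: /\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b/g },
  { category: "PHONE", severity: "medium", re: /\b\d{3}[-.]\d{3}[-.]\d{4}\b/g },
];

// Runs every detector, then resolves overlapping spans: earliest start wins,
// and on a tie the longer match wins.
function findPI(text) {
  const hits = [];
  for (const det of DETECTORS) {
    det.re.lastIndex = 0;
    for (const m of text.matchAll(det.re)) {
      if (det.accept && !det.accept(m[0])) continue;
      hits.push({ start: m.index, end: m.index + m[0].length, value: m[0],
                  category: det.category, severity: det.severity });
    }
  }
  hits.sort((a, b) => a.start - b.start || b.end - a.end);
  const kept = [];
  let cursor = 0;
  for (const h of hits) {
    if (h.start >= cursor) { kept.push(h); cursor = h.end; }
  }
  return kept;
}

// Replaces each detected value with a placeholder such as [SSN_1]. The same
// value always gets the same placeholder, so the model can still reason about
// "the same person" without ever seeing the identifier.
function pseudonymize(text) {
  const placeholders = new Map(); // original value -> placeholder
  const counters = {};            // per-category numbering of distinct values
  const findings = {};            // category -> occurrence count (safe to log)
  let maxSeverity = "none";
  let out = "";
  let pos = 0;
  for (const h of findPI(text)) {
    let token = placeholders.get(h.value);
    if (!token) {
      counters[h.category] = (counters[h.category] || 0) + 1;
      token = `[${h.category}_${counters[h.category]}]`;
      placeholders.set(h.value, token);
    }
    findings[h.category] = (findings[h.category] || 0) + 1;
    if (SEVERITY_RANK[h.severity] > SEVERITY_RANK[maxSeverity]) maxSeverity = h.severity;
    out += text.slice(pos, h.start) + token;
    pos = h.end;
  }
  out += text.slice(pos);
  // Inverse map stays in the browser; it is what rehydrates the reply.
  const reverse = new Map([...placeholders].map(([v, t]) => [t, v]));
  return { text: out, reverse, findings, maxSeverity };
}

// Puts the original values back into the model's reply, locally.
function restore(reply, reverse) {
  return reply.replace(/\[[A-Z]+_\d+\]/g, (t) => reverse.get(t) ?? t);
}

// Constructed sample ticket; the identifiers are fictitious test values.
const PROMPT = "Summarize: Jane Doe (SSN 123-45-6789, email jane.doe@example.com) " +
  "called from 555-123-4567 about card 4111 1111 1111 1111 and confirmed SSN 123-45-6789.";

const masked = pseudonymize(PROMPT);
console.log(masked.text);       // only this string would be sent to the AI tool
console.log(masked.findings);   // { SSN: 2, EMAIL: 1, PHONE: 1, CARD: 1 }
console.log(restore("Ticket concerns [SSN_1], reachable at [PHONE_1].", masked.reverse));
```

Two points worth noticing: `findings` and `maxSeverity` contain categories and counts but never the matched values, which is exactly the shape a compliance report can carry without itself becoming a PI disclosure; and the card detector only masks digit runs that pass a Luhn check, so a reference number that merely looks like a card is left alone.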

Disclosures and contracts with service providers (§1798.140)

If your AI tools are service providers under your contracts, those contracts limit how they can use the PI you send. Sonomos doesn’t change the contract, but it materially reduces the volume of PI you actually send — which limits the residual risk from any contract gap.

Right to know / right to delete (§§1798.105, 1798.110)

When PI never leaves the browser, there is no copy at the AI vendor to subsequently locate or delete. This is the strongest possible posture: the obligation is moot because the disclosure never happened.

Sensitive personal information requires Modal mode

For staff handling SPI categories — SSNs, driver’s licenses, financial account credentials, geolocation, biometric data — set Send Guard to “Modal always”. On the Teams plan, pin this minimum so members cannot drop below it. Modal mode requires explicit acknowledgement before any SPI-category content can be submitted to a non-Cloak-supported AI tool.

  1. Enable Cloak on every supported AI platform. Today: Claude.ai, Gemini, Grok.
  2. Set Send Guard to “Modal always” for departments that handle SPI (HR, finance, legal, healthcare-adjacent).
  3. Set Send Guard to “Banner + Modal” (default) elsewhere.
  4. Pin admin policy on the Teams plan to prevent members from dropping below the minimum.
  5. Schedule compliance reports to your privacy team’s inbox; tie them into your records of processing activities and your CCPA notice at collection.
  6. Update your privacy notice if your staff use AI tools — disclose the safeguards (including Sonomos’s detection and masking) and the categories of PI that may incidentally be processed.
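The policy logic behind steps 2 to 5, as an added example (written for this page; not Sonomos's own code or its Teams admin console): a member may raise Send Guard above the admin-pinned minimum but never lower it, the effective mode and the highest detected severity decide whether a submission is allowed, gets a banner or is stopped by a modal, and the audit event that feeds the compliance report records categories and frequencies only. The mode names follow the page; their ordering, the department table, and the assumption that “Banner + Modal” shows a modal for high-severity (SPI-tier) findings and a banner otherwise are choices made for this illustration, as are the sample submissions.

```javascript
// Added example, not Sonomos's own code. Resolves the effective Send Guard mode
// from an admin-pinned floor and a member's own setting, decides the guard's
// action for a submission, and rolls events up into report counts.
// Ordering, department table and per-severity behaviour are assumptions.

const MODE_RANK = { off: 0, banner: 1, "banner+modal": 2, modal: 3 };

// Admin floor per department (constructed). SPI-handling teams are pinned to
// "modal"; everyone else gets the page's default of "banner+modal".
const ADMIN_FLOOR = { hr: "modal", finance: "modal", legal: "modal", default: "banner+modal" };

// A member may raise the mode, never drop below the pinned floor.
function effectiveMode(department, memberSetting) {
  const floor = ADMIN_FLOOR[department] ?? ADMIN_FLOOR.default;
  if (!(memberSetting in MODE_RANK)) throw new Error(`unknown mode ${memberSetting}`);
  return MODE_RANK[memberSetting] > MODE_RANK[floor] ? memberSetting : floor;
}

// What the guard does given the effective mode and the highest severity found.
// "modal" is the hard stop: nothing is submitted until acknowledged.
function guardAction(mode, maxSeverity) {
  if (maxSeverity === "none") return "allow";
  switch (mode) {
    case "off":          return "allow";
    case "banner":       return "banner";
    case "banner+modal": return maxSeverity === "high" ? "modal" : "banner";
    case "modal":        return "modal";
    default: throw new Error(`unknown mode ${mode}`);
  }
}

// Builds the audit event for one submission. `findings` is the detector's
// category -> count map; the event never carries matched values.
function processEvent({ department, memberSetting, findings, maxSeverity }) {
  const mode = effectiveMode(department, memberSetting);
  const action = guardAction(mode, maxSeverity);
  return { department, mode, action, findings: { ...findings } };
}

// Compliance-report rollup: category frequencies and guard outcomes only.
function rollup(events) {
  const byCategory = {};
  const byAction = {};
  for (const e of events) {
    for (const [cat, n] of Object.entries(e.findings)) {
      byCategory[cat] = (byCategory[cat] || 0) + n;
    }
    byAction[e.action] = (byAction[e.action] || 0) + 1;
  }
  return { byCategory, byAction, total: events.length };
}

// Constructed sample submissions (already-scanned results, no raw values).
const SAMPLE_SUBMISSIONS = [
  { department: "hr",      memberSetting: "banner", findings: { SSN: 2, EMAIL: 1 }, maxSeverity: "high" },
  { department: "sales",   memberSetting: "off",    findings: { EMAIL: 1 },         maxSeverity: "medium" },
  { department: "sales",   memberSetting: "off",    findings: {},                   maxSeverity: "none" },
  { department: "finance", memberSetting: "modal",  findings: { CARD: 1 },          maxSeverity: "high" },
];

const REPORT = rollup(SAMPLE_SUBMISSIONS.map(processEvent));
console.log(REPORT);
// { byCategory: { SSN: 2, EMAIL: 2, CARD: 1 }, byAction: { modal: 2, banner: 1, allow: 1 }, total: 4 }
```

The HR member in the sample has set "banner" locally, but the pinned floor wins and their SSN-bearing submission is stopped by a modal; the sales member who switched Send Guard off still gets the default "banner+modal". The report that results is the kind of artifact step 5 asks you to tie into your records of processing: categories, frequencies and outcomes, with nothing in it that is itself PI.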

Where Sonomos fits in your CCPA program

CCPA element                       How Sonomos contributes
---------------------------------  ----------------------------------------------------------
Notice at collection               Document Sonomos as a technical safeguard for AI tools
Data minimization                  Cloak’s pseudonymization at the AI-tool boundary
Reasonable security                Cloak + Send Guard + Teams policy enforcement
Limit use of SPI                   Modal mode on SPI categories
Service provider risk reduction    Less PI in transit = less residual risk from contract gaps
Records of processing              Compliance reports surface categories and frequencies

Coming in Sonomos Desktop

Specifically relevant for CCPA/CPRA-driven rollouts:

  • OS-wide PI coverage — native AI clients, IDE assistants, local LLMs, clipboard, screenshots. Today, these channels are out of scope for the extension.
  • Per-app sensitivity profiles — different rules for, say, an internal CRM (allow) vs. a public chatbot (block).
  • Tamper-evident audit log — useful for documenting reasonable-security operation over time.

See the Sonomos Desktop overview.

Next steps