REGULATORY COMPLIANCE · CCPA / CPRA

Shufti is a compliant service provider under California law

Under CCPA/CPRA, your verification provider is either a service provider operating under strict contractual restrictions, or a third party with rights to use your users' data broadly. Shufti is a service provider and uses identity verification data solely to provide the verification service, not for any secondary purpose, and the data is never sold or shared. Shufti's service provider agreement is included in every enterprise contract.

What CCPA / CPRA Is

California's privacy law has two phases. Understanding both matters because the CPRA amendments introduced significant new obligations that directly affect how biometric and identity verification data must be handled.

CCPA (2018)

The California Consumer Privacy Act established consumer rights over personal information: the right to know what data is collected, the right to delete it, the right to opt out of its sale, and the right to non-discrimination. It created the service provider classification, a vendor who uses data only for the contracted service.

CPRA (2023 Amendment)

The California Privacy Rights Act significantly expanded CCPA. It created a new category, sensitive personal information, which explicitly covers biometric data, facial images, and identity documents. It added the right to limit use of sensitive personal information, strengthened enforcement by establishing the California Privacy Protection Agency, and tightened service provider obligations.

Why It Matters

If your verification provider lacks a CCPA-compliant service provider agreement, or cannot technically support a consumer deletion or access request, you cannot meet your CPRA obligations when a California resident submits a request. The California Privacy Protection Agency is actively enforcing CPRA against businesses whose vendors fail to deliver the required protections.

You have 45 days to respond to a verified consumer rights request

Shufti's API and admin console let you locate, export, or delete an individual's verification records and generate a deletion confirmation. That confirmation is your regulatory evidence that the request was fulfilled.

45 days: statutory response window

For CCPA consumer rights requests. If your verification vendor cannot support individual record deletion or export within that window, the compliance gap is yours to carry.

How Shufti Maintains It

Shufti's CCPA/CPRA service provider provisions are in the standard enterprise agreement, so you do not need to negotiate a separate addendum. The contract restricts our data use, prohibits data selling and sharing, commits us to specific security standards, and requires us to cooperate on consumer rights requests.

The same compliance approach extends to Virginia CDPA, Colorado CPA, Connecticut CTDPA, and Texas TDPSA, so one Shufti integration covers you across those frameworks without separate addenda.

Certification Details

Data classification

Biometric and identity document data classified as sensitive personal information under CPRA.

Role under CCPA/CPRA

Service provider, not a third party or data broker.

Consumer rights support

Deletion, access, and portability supported via API and admin console within the 45-day window.

Contract coverage

CCPA/CPRA service provider provisions in standard enterprise contract, no addendum required.

Multi-state coverage

Compliance approach covers Virginia CDPA, Colorado CPA, Connecticut CTDPA, Texas TDPSA.