CCPA and retail analytics: what California's privacy law says about counting shoppers

Jun 2, 2026 · 16 min read

Why California privacy law matters to a retail analytics buyer

California's privacy regime is the closest the United States has to a comprehensive consumer privacy law, and it applies to a lot more retailers than people realise. Any business that collects information about California residents and crosses one of the statutory thresholds falls within scope. Broadly, those thresholds are USD 25 million in annual revenue, processing the personal information of 100,000 or more California consumers or households, or earning the majority of revenue from selling or sharing personal information. A retailer with even a modest e-commerce presence and a network of physical stores often crosses the second threshold without thinking about it.

That puts retail analytics squarely on the agenda for the legal, security, and operations teams. If a system in a store, mall, or distribution centre might be collecting personal information about California residents, the privacy team will want to know what it captures, what rights consumers have over it, and what disclosures the business owes. The cleanest position is one where the analytics system never captures personal information in the first place, so most of the heavier obligations do not attach. People counting built that way is the example this article walks through.

This article is informational and not legal advice. CCPA, CPRA, and CPPA references describe public statute and the published regulator. Engage your privacy counsel for a compliance review specific to your deployment, your data flows, and your contracts.

CCPA, CPRA, and the CPPA in one paragraph

The California Consumer Privacy Act (CCPA) took effect in 2020. The California Privacy Rights Act (CPRA), passed by ballot initiative in 2020, amended and expanded the CCPA and took full effect on 1 January 2023. The amended statute is still commonly called the CCPA in practice. The CPRA also created the California Privacy Protection Agency (CPPA), an independent state regulator with rulemaking and enforcement authority over the law. The California Attorney General retains concurrent enforcement authority. The CPPA publishes regulations, advisories, and enforcement priorities; check the agency's site for current guidance rather than relying on any third-party summary, including this one.

What counts as "personal information" under California law

The CCPA defines personal information broadly: information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household. The statute lists categories of examples, including identifiers (name, alias, postal address, IP address, email, account name, social security number, driver's licence, passport, or other similar identifiers), commercial information (records of products or services purchased or considered), internet or other electronic network activity (browsing history, search history, interaction with a website or application), geolocation data, biometric information, inferences drawn from any of the above, and sensitive personal information (a sub-category introduced by the CPRA, with extra rights attached).

Three exclusions are useful to keep in mind for the analytics conversation:

  • Aggregate consumer information. Information that relates to a group or category of consumers from which individual consumer identities have been removed, and that is not linked or reasonably linkable to any consumer or household, is excluded from the definition.
  • Deidentified information. Information that cannot reasonably be used to infer information about, or otherwise be linked to, a particular consumer is excluded, provided the business meets specific commitments around the data (no attempt to reidentify, contractual obligations on recipients, technical and organisational safeguards).
  • Publicly available information. Information lawfully made available from government records or by the consumer to the general public is excluded.

For a retail analytics system, the practical question is whether the data it produces sits inside the broad definition, or falls under one of these exclusions. The answer depends almost entirely on what the sensors capture in the first place.

Where retail analytics systems usually land in the definition

Retail analytics technology covers a wide range, and different sensor choices put a deployment in very different places under California law.

Cameras with computer vision

A camera that captures images of identifiable shoppers is processing personal information from the moment the frame is recorded. If the system runs facial recognition or other physiological identifier extraction, it is processing biometric information, which is on the CPRA's sensitive personal information list. Even where the business says it discards frames quickly, the capture itself is what the statute looks at. Disclosure, opt-out, deletion, and access obligations all attach, and the sensitive personal information sub-category adds further consumer rights, including a right to limit the use and disclosure of that information.

Wi-Fi / MAC address based tracking

A system that captures device identifiers (MAC addresses, Bluetooth identifiers, advertising IDs) is processing personal information. The California Attorney General's published guidance has historically treated unique device identifiers as identifiers within the meaning of the statute, and the CPRA's definition explicitly lists unique personal identifiers. Whether the data is also geolocation data depends on how it is used; an indoor location read on a specific consumer's device typically is.

Camera-free, identifier-free counting

A system that captures no images, no device identifiers, and no biometric data, and produces only aggregate counts and trajectory geometry that cannot be linked to a specific consumer, sits structurally close to the aggregate-consumer-information and deidentified-information exclusions. The business still needs to confirm that no element of its own configuration (for example, joining the counts to a loyalty programme) brings the data back inside the definition, but the underlying measurement does not, on its own, capture personal information.

How Ariadne measures, and why that matters here

Ariadne measures this with Hybrid Fusion, its patented camera-free method. Time-of-Flight depth sensing counts every visitor at the entrances, capturing geometry rather than images, while patented phone signal sensing follows movement through the interior, detecting the signals a phone emits even in airplane mode. The sensor streams both feeds to Ariadne, where Hybrid Fusion combines them into one trajectory per visit and computes counts, dwell, and paths. The streams carry no identifier: no MAC address, no device ID, no biometric data, and no camera is involved. Identifiers are stored only when a visitor explicitly opts in, which keeps the method GDPR-friendly and outside biometric territory.

Applied to the California definition, the Ariadne method produces three categories of output for a retail deployment:

  • Aggregate counts. Entries, exits, and live occupancy per zone, computed centrally from sensor streams. No identifier attaches to a count, and the count by definition relates to a group, not a consumer.
  • Trajectory geometry. A path through the store expressed as coordinates over time, without any identifier and without any image. The geometry describes movement, not a person, and cannot reasonably be linked to a specific consumer.
  • Dwell time, aggregated. The average and distribution of time visitors spend in each zone, derived from the aggregated trajectories.

None of those outputs is an identifier, a biometric, a commercial record of a specific consumer's purchase, or a geolocation read on a specific consumer's device. The deployment's analytics data is therefore structurally close to the aggregate-information exclusion in the statute. Whether you also rely on the deidentified-information exclusion depends on how strict your reading is and what your privacy counsel prefers, but the underlying capture is the cleanest possible starting point.

The "sale" and "share" question

CCPA gives consumers a right to opt out of the "sale" of their personal information, and the CPRA added a right to opt out of "sharing" personal information for cross-context behavioural advertising. Both definitions are deliberately broad. "Sale" covers selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating personal information for monetary or other valuable consideration. "Sharing" is targeted at the ad-tech ecosystem and covers similar communications for cross-context behavioural advertising whether or not for consideration. If a retailer is "selling" or "sharing" personal information, it must offer a clear opt-out mechanism, including support for the Global Privacy Control (GPC) signal, and post a "Do Not Sell or Share My Personal Information" link or equivalent on its homepage.

For an analytics deployment that captures no personal information, the sale and share questions become straightforward. There is no personal information moving out of the system in the first place, so the framework does not engage on the counting data. Where the retailer's wider data flows do involve sale or share (for example through its e-commerce site, ad pixels, or loyalty programme partnerships), that is a separate conversation for the privacy team and is unaffected by, but also unhelped by, the choice of counter.

Sensitive personal information and the CPRA

The CPRA added a new sub-category of sensitive personal information, with extra rights for consumers including a right to limit its use and disclosure to what is necessary to perform the services reasonably expected by an average consumer. The sub-category includes precise geolocation, racial or ethnic origin, religious or philosophical beliefs, union membership, the contents of consumer mail, email, and text messages where the business is not the intended recipient, genetic data, biometric information processed for the purpose of uniquely identifying a consumer, personal information collected and analysed concerning a consumer's health, and personal information collected and analysed concerning a consumer's sex life or sexual orientation.

Retail analytics systems intersect with this sub-category in two specific ways:

  • Biometric information processed to uniquely identify. Facial recognition or fingerprint matching used to single out a returning visitor falls inside the sub-category. A counting system that does no identification is not in this territory at all. Ariadne performs no face recognition, no gait inference, and no demographic detection, so the underlying measurement does not enter the sub-category.
  • Precise geolocation. Defined in the regulations as the ability to locate a consumer with precision of 1,850 feet or better, but applied to a particular consumer. Anonymous indoor trajectory geometry, with no identifier attached, does not locate any particular consumer, so it does not fall into this part of the sub-category.

If a deployment later changes (for example, you enable opt-in identifier capture for a loyalty programme), the sensitive personal information analysis should be rerun. The starting position with a camera-free, identifier-free counter is that the sub-category is not engaged.

Consumer rights mechanics when there is no identifier at capture

California gives consumers a set of rights over their personal information: the right to know what is collected and the categories of sources and recipients, the right to access the specific pieces of personal information, the right to delete, the right to correct, the right to opt out of sale or share, the right to limit the use of sensitive personal information, and the right not to be discriminated against for exercising any of these.

A retailer that captures personal information in its analytics system has to operationalise each right for that data. Requests have to be authenticated, traced through the systems that hold the consumer's data, fulfilled within the statutory windows, and recorded. Where the data has been shared with service providers or contractors, the obligation usually flows down through the contract.

When the analytics system captures no identifier at all, the mechanics of each right play out differently:

  • Right to know. The retailer's privacy notice should still disclose the analytics deployment in general terms (a sensor-based counting system, what it measures, what it does not capture). The disclosure is honest and short because there is no consumer-specific data to enumerate.
  • Right to access. There is no consumer-specific record to return from the counting data. A request can be answered with a clear explanation that no personal information about the requester is held in the counting system, and a description of what the system does capture in the aggregate.
  • Right to delete. Deletion requests have nothing consumer-specific to delete in the counting data. The same explanation as the access response works for deletion.
  • Right to correct. Correction requests have nothing consumer-specific to correct. The system does not hold an attribute of the requester to be wrong about.
  • Right to opt out of sale or share. There is no personal information to sell or share from the counting data, so this right is not engaged at the deployment level. The retailer's wider obligations are unchanged.
  • Right to limit sensitive personal information. No sensitive personal information is being collected by the counter, so the right is not engaged at the deployment level.
  • Right against discrimination. Always applies regardless of the underlying data and should be reflected in the retailer's overall consumer rights handling process.

This is the practical payoff of choosing a method that captures no personal information. The rights still exist, but each one has a short, defensible answer in the counting context. The retailer's privacy team can focus its operational effort on the systems that do process personal information: e-commerce, loyalty, customer service, marketing.

Service provider, contractor, and third party terminology

California law distinguishes a "service provider" and a "contractor" from a "third party". Service providers and contractors process personal information on behalf of the business, subject to a written contract that restricts the recipient's use of the data to the business purposes set out in the contract. A third party is anyone else who receives personal information. A disclosure to a service provider or contractor with the right contractual terms is not a "sale" or "share". A disclosure to a third party may be.

A retail analytics vendor processing personal information for the retailer typically signs a service provider agreement under the CCPA, alongside any GDPR processor agreement and similar instruments. The contract should set out the business purposes, prohibit further use, require the vendor to flow obligations down to its sub-processors, and address combinations of data and onward transfers.

Where the analytics deployment captures no personal information, the legal need for a service provider agreement on that data category is smaller. Even so, the agreement is worth signing in its standard form, because (a) configurations change over time and a future change could bring personal information into scope, and (b) procurement and security teams will ask for it as a matter of course. The Ariadne data handling and the data residency posture are set out in the Ariadne privacy policy, which is the document to attach as a starting point.

What a California-aware buyer should ask a counting vendor

If you are evaluating a retail analytics system from a CCPA / CPRA perspective, these are the questions worth putting to any vendor in writing before a trial. Treat any unclear answer as a red flag.

  1. What does the system capture? Ask for an itemised list: video frames, MAC addresses, Bluetooth identifiers, advertising IDs, biometric features, demographic inferences. A clear no by default for each is the position you want.
  2. Does the system perform any biometric identification or demographic inference? If yes, the deployment is in sensitive-personal-information territory and the conversation is different. If no, that should be reflected in the contract and in the privacy documentation.
  3. Under what configurations does personal information enter the system? Most vendors offer optional features (guest Wi-Fi joins, loyalty integrations, identified-shopper analytics) that change the data category. Get the list and make the default-off configuration explicit.
  4. What is the vendor's role for CCPA purposes? Service provider, contractor, or third party. Document this in the contract. A service provider with appropriate restrictions is the position most retailers expect to negotiate.
  5. Where is the data processed and stored? Data residency matters less under California law than it does under GDPR, but procurement and security teams will still want to know. Get the answer in writing.
  6. How does the vendor respond to consumer rights requests forwarded by the retailer? Service providers are obliged to assist. Confirm the process and the response times in the contract.
  7. How does the vendor handle a security incident? Notification windows, content of notifications, and obligations to assist with consumer notification where required.

How Ariadne fits

Ariadne is built so that the heavy questions above have short, structural answers. The sensor does not capture video, does not capture MAC addresses by default, does not produce demographic inferences, and does not perform any biometric identification. The fusion runs centrally in the Ariadne platform; the outputs the retailer sees are aggregate counts, anonymous trajectory geometry, and aggregate dwell time. The default configuration sits structurally close to the aggregate-information exclusion in California law and does not engage the sensitive-personal-information sub-category at all.

No. Ariadne counts with Hybrid Fusion: Time-of-Flight depth sensing plus patented phone signal sensing, never cameras. Time-of-Flight captures geometry rather than images, and signal sensing captures no MAC address by default, so the measurement involves no video, no faces, and no biometric data.

Where a retailer wants to combine the counts with identifiable consumer data (for example, a logged-in app session inside the store), that is an explicit, opt-in, contract-bound choice, not a default. The deployment-level CCPA analysis is rerun for that configuration. The starting point, however, is a counter that does not put California compliance on the critical path for a store-by-store rollout. The full product overview sits on the people counting page, and the data handling specifics are documented in the privacy policy.

FAQ

Does the CCPA apply to non-California businesses?

The statute applies to businesses that collect personal information about California residents and meet one of the statutory thresholds, regardless of where the business is headquartered. A retailer based outside California with stores or e-commerce activity reaching California residents may well be in scope. The threshold analysis should be done by counsel against the current statutory text.

Is anonymous people counting "personal information" under the CCPA?

On the configuration this article describes, no. A system that captures no images, no device identifiers, and no biometric data, and produces only aggregate counts and trajectory geometry that cannot reasonably be linked to a particular consumer, sits close to the aggregate-information exclusion. Confirm the analysis for your specific deployment with privacy counsel, particularly if you plan to join the counting data with any other source that does contain identifiers.

Do we need to add the counter to our privacy notice?

It is good practice to mention the deployment in plain language in your privacy notice and in in-store signage, even where no personal information is captured. Transparency about sensing technology builds trust with shoppers and avoids surprise if a consumer asks. The disclosure is honest and short: a sensor-based counting system, what it measures, what it does not capture.

What if we already use cameras for loss prevention?

Loss prevention CCTV is a separate processing activity with its own legal basis, its own retention rules, and its own consumer-rights treatment under California law. The fact that you operate cameras for one purpose does not affect the analysis of a separate, camera-free counting system. The two systems should be documented separately, and the privacy notice should make the distinction.

Is this article legal advice?

No. This article is informational only. Engage counsel for a compliance review specific to your deployment, your configuration choices, your contracts with vendors, and any planned combinations with other data sources you hold. Refer to the California Privacy Protection Agency's published regulations and advisories for the current state of the rules.
