CCPA compliance — what GateTest actually catches

California Consumer Privacy Act (amended by the CPRA)

The California Privacy Protection Agency reached full enforcement throughput in 2024-25. Its public sweeps focus on "sale or sharing" disclosures and on apps that log identifiers (email, IP, device-ID) into systems that haven't been disclosed to consumers. Both patterns are visible in code.

The regime

California Consumer Privacy Act (amended by the CPRA)

Jurisdiction: California, USA. Applies to qualifying businesses anywhere that handle California-resident data.

Effective since: January 2020 (CCPA); January 2023 (CPRA amendments + CPPA enforcement).

Maximum penalty: Civil penalties up to $2,500 per unintentional violation and $7,500 per intentional violation or violation involving minors (Cal. Civ. Code § 1798.155).

Authoritative source: https://oag.ca.gov/privacy/ccpa

The 3 modules that do the heaviest lifting for CCPA

Each module links to its own page with the full finding list.

Technical findings GateTest catches for CCPA

Each item ties a specific code-level pattern to a clause or principle of CCPA. These are the findings auditors sample.

  • Email / phone / device-ID logged in plaintext via console / logger / structlog — § 1798.100(c) reasonable security.
  • Hardcoded credentials granting access to consumer data stores — § 1798.150 private right of action breach trigger.
  • Database migrations that drop / rename PII columns without a documented deletion-request path — § 1798.105 right-to-delete.
  • PII included in third-party analytics calls (Segment / Mixpanel / GA4) without a documented basis — "selling/sharing" disclosure trigger.
  • Missing TLS validation on calls that move consumer data — § 1798.150 unencrypted-data carve-out.
  • Wildcard CORS with credentials on consumer endpoints — § 1798.100(c).
  • Cookies on consumer-facing endpoints set without httpOnly / Secure — XSS-to-session-takeover risk.
  • Stale credentials older than 90 days in repos with consumer-data access — § 1798.100(c) reasonable security.
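To make concrete how several of the findings above map to detectable code patterns, here is an added example for this page (not GateTest's scanner or its rule set): a small regex-based linter run over a constructed snippet of mixed Python/JavaScript source lines. The identifier list, rule names and clause labels are assumptions chosen to mirror the list above; a real scanner would use a parser and data-flow tracking rather than line regexes.

```python
import re
from dataclasses import dataclass


@dataclass
class Finding:
    rule: str
    line_no: int
    excerpt: str
    clause: str  # CCPA clause or principle the page ties the pattern to


# Constructed sample source (not from any real project): one snippet per line.
SAMPLE_SOURCE = """\
logger.info(f"login ok for {user.email} from {request.remote_addr}")
console.log("device", deviceId, "phone", phone)
logger.info("login ok for user_id=%s", user.id)
DB_PASSWORD = "hunter2-prod"
db_password = os.environ["DB_PASSWORD"]
response.set_cookie("session", token)
response.set_cookie("session", token, httponly=True, secure=True)
res.cookie("sid", sid, { httpOnly: true, secure: true })
headers["Access-Control-Allow-Origin"] = "*"
headers["Access-Control-Allow-Credentials"] = "true"
requests.get(url, verify=False)
"""

# Assumed identifier names that suggest a consumer identifier inside a log call.
PII_TOKENS = re.compile(r"\b(email|phone|device_?id|remote_addr|ip_address|ssn)\b", re.I)
LOG_CALL = re.compile(r"\b(logger|logging|log|console|structlog)\.\w+\(")
# A credential-looking name assigned a quoted literal of at least four characters.
HARDCODED = re.compile(
    r"\b\w*(password|passwd|secret|api_?key|token)\w*\s*[=:]\s*[\"'][^\"']{4,}[\"']", re.I
)
COOKIE_CALL = re.compile(r"(set_cookie|\.cookie)\(", re.I)
CORS_ORIGIN_WILDCARD = re.compile(r"Access-Control-Allow-Origin.*[\"']\*[\"']", re.I)
CORS_CREDENTIALS = re.compile(r"Access-Control-Allow-Credentials.*true", re.I)
TLS_DISABLED = re.compile(
    r"(verify\s*=\s*False|rejectUnauthorized\s*:\s*false|CURLOPT_SSL_VERIFYPEER\s*,\s*(0|false))",
    re.I,
)


def scan_source(text: str) -> list[Finding]:
    """Return findings in line order for the patterns the page lists."""
    lines = text.splitlines()
    # CORS is a file-level check: a wildcard origin anywhere in the file plus
    # credentials=true is the dangerous combination, so pre-scan for the wildcard.
    wildcard_origin = any(CORS_ORIGIN_WILDCARD.search(l) for l in lines)
    findings: list[Finding] = []
    for line_no, raw in enumerate(lines, start=1):
        line = raw.strip()
        if LOG_CALL.search(line) and PII_TOKENS.search(line):
            findings.append(Finding("PII_IN_LOG", line_no, line, "§ 1798.100(c) reasonable security"))
        if HARDCODED.search(line):
            findings.append(Finding("HARDCODED_CREDENTIAL", line_no, line, "§ 1798.150 breach trigger"))
        if COOKIE_CALL.search(line):
            lowered = line.lower()
            missing = [flag for flag in ("httponly", "secure") if flag not in lowered]
            if missing:
                findings.append(Finding("COOKIE_WITHOUT_FLAGS", line_no,
                                        f"{line}  (missing: {', '.join(missing)})",
                                        "XSS-to-session-takeover risk"))
        if wildcard_origin and CORS_CREDENTIALS.search(line):
            findings.append(Finding("CORS_WILDCARD_WITH_CREDENTIALS", line_no, line, "§ 1798.100(c)"))
        if TLS_DISABLED.search(line):
            findings.append(Finding("TLS_VERIFICATION_DISABLED", line_no, line,
                                    "§ 1798.150 unencrypted-data carve-out"))
    return findings


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count findings per rule, the shape a CI gate would threshold on."""
    counts: dict[str, int] = {}
    for f in findings:
        counts[f.rule] = counts.get(f.rule, 0) + 1
    return counts


if __name__ == "__main__":
    for f in scan_source(SAMPLE_SOURCE):
        print(f"L{f.line_no:<3} {f.rule:<32} {f.clause}\n      {f.excerpt}")
    print(summarize(scan_source(SAMPLE_SOURCE)))
```

Lines 3, 5, 7 and 8 of the sample are the "safe" counterparts (an opaque user ID in the log, a credential read from the environment, cookies with both flags) and produce no finding; that contrast is what the scanner has to get right to avoid drowning a CI pipeline in noise. Note that the hardcoded-credential rule is intentionally name-based and will flag a test fixture named `token`, which is why a real tool pairs it with entropy checks and allow-lists.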

Out of scope — what you still need humans for

GateTest is a code scanner. CCPA compliance is a programme, not a tool. These items will never be answerable from source code alone.

  • Publishing a CCPA-compliant privacy policy and the "Do Not Sell or Share My Personal Information" link.
  • Implementing the verifiable consumer-request workflow.
  • Service-provider contracts and the contractually-required CCPA clauses.
  • Employee training on CCPA-rights handling.
  • Annual cybersecurity audit and risk assessment requirements under CPRA regulations.

How GateTest fits a compliance programme

GateTest is a code-quality and security scanner. It belongs in your CI pipeline, not in your auditor's office. We catch the technical findings auditors look for — secrets, missing rotation, weak TLS, PII in logs, dangerous dependencies — so the audit becomes a paperwork exercise instead of an emergency.

Pricing

  • Quick ($29): 4 essential modules
  • Full ($99): all modules, scan only
  • Scan + Fix ($199): full scan + AI auto-fix PR
  • Forensic ($399): everything + correlation + report

Trust

CLI is MIT-licensed.
Available on GitHub Marketplace soon.

Try a $29 Quick scan on your repo

See the CCPA-relevant findings on your own code in under 15 seconds. Free preview. Pay only if you ship the report.
