CCPA-Compliant Scheduling Software
California businesses and any business with California clients must comply with the California Consumer Privacy Act. Schedly provides the controls to handle consumer rights requests, honor opt-outs, and maintain compliant scheduling data practices.
Regulation: California Consumer Privacy Act (CCPA) / CPRA
The California Consumer Privacy Act (CCPA) / CPRA requirements that apply to scheduling
Right to know
California consumers have the right to know what personal information is collected about them. Schedly provides data export tools to fulfill these requests.
Right to delete
Consumers can request deletion of their personal information. Schedly allows permanent deletion of all data associated with any client.
Right to opt out of sale
If you sell or share consumer data, you must provide a 'Do Not Sell' mechanism. Schedly does not sell consumer data and provides tools to configure data sharing settings.
Non-discrimination
Consumers who exercise their privacy rights cannot be discriminated against. Schedly's platform does not change service access based on whether a consumer has exercised a privacy right.
Compliance built into every plan
These features ship on every Schedly account — not locked behind expensive enterprise tiers.
Consumer data export
Export all personal information associated with any California consumer from the Schedly admin panel — fulfilling right-to-know requests within the CCPA's 45-day window.
Data deletion tools
Permanently delete all scheduling data, intake form responses, and personal information for any client within 24 hours of a valid deletion request.
Privacy policy link on booking pages
Add your privacy policy URL to your Schedly booking page so California consumers can review your data practices before providing personal information.
Data sharing controls
Control which third-party integrations receive client data. Disable CRM sync for clients who have opted out of data sharing.
Built security-first, from the infrastructure up
Every layer of the Schedly stack is designed for regulated industries.
AES-256 Encryption
All booking data, intake forms, and client PHI are encrypted at rest and in transit using AES-256.
SOC 2 Type II Certified
Annual third-party audits verify our infrastructure controls. Certificate available on request.
Audit Logs & Access Controls
Every data access is logged. Role-based permissions ensure only authorized staff see protected records.
Isolated Data Infrastructure
Client data is siloed per account. Multi-tenant architecture is designed so data never commingles.
Automated Data Retention
Configure data retention windows that match your compliance policy. Deletions are permanent and auditable.
BAA Available on Pro+
Business Associate Agreements are available on Professional and Enterprise plans with one-click execution.
Business Associate Agreement ready to sign
For practices and businesses that require a signed BAA, Schedly offers a standard BAA on Professional and Enterprise plans — executable directly in your dashboard with no legal back-and-forth.
- Executed in your Schedly dashboard in minutes
- No attorney required — pre-approved standard language
- Covers all PHI processed by Schedly on your behalf
- Renewed automatically with your subscription
CCPA for Service Businesses: Understanding Your Obligations When You Schedule California Clients
The California Consumer Privacy Act applies more broadly than most businesses realize. Any business that collects personal information from California consumers and meets one of three thresholds — annual gross revenues over $25 million, buying/selling personal information of 50,000+ consumers annually, or deriving 50% or more of annual revenues from selling personal information — is covered. For many service businesses that schedule California clients, the second threshold (50,000 consumers) is the most relevant: a business with 200+ active clients collecting even basic booking information (name, email, phone, appointment history) accumulates personal information at a rate that can trigger CCPA obligations.
The Four Consumer Rights You Must Be Able to Fulfill
CCPA grants California consumers four core rights that covered businesses must be able to honor within specified timeframes.
- The right to know (fulfilled within 45 days): upon request, you must disclose what personal information you've collected, the categories of sources, the business purpose, and any third parties with whom data is shared.
- The right to delete (fulfilled within 45 days): consumers can request deletion of their personal information from your records.
- The right to opt-out of sale: if you sell personal information, consumers must be able to opt out.
- The right to non-discrimination: you cannot provide inferior service to consumers who exercise their privacy rights.
Schedly provides tools to fulfill all four rights from the admin dashboard.
CCPA vs. CPRA: The 2023 Update and What Changed for Scheduling Data
The California Privacy Rights Act (CPRA), which went into effect in 2023, significantly expanded CCPA protections and created the California Privacy Protection Agency (CPPA) as a dedicated enforcement body. The most relevant changes for scheduling businesses: the addition of a right to correct inaccurate personal information (you must be able to update erroneous client records on request), expanded protections for 'sensitive personal information' (which includes health information collected in healthcare appointment intake forms), and new data minimization requirements (collect only information necessary for the stated purpose). Schedly's configurable intake forms support data minimization by letting you control exactly which fields are collected and required.
