California residents have specific legal rights to know what data Cisco holds about them, delete it, correct it, and opt out of any sale or sharing of their personal information for targeted advertising or other purposes.
This analysis describes what Duo Security's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances. Read our methodology
California residents have more enforceable privacy rights against Cisco than users in most other US states, including the right to opt out of data sharing and to limit use of sensitive personal information.
If you live in California, you can formally request that Cisco delete your Duo-related personal data, correct inaccuracies, or tell you exactly what categories of information Cisco holds about you and who it has been shared with.
Cross-platform context
See how other platforms handle California Resident Rights (CCPA/CPRA) and similar clauses.
Compare across platforms →Monitoring
Duo Security has changed this document before.
Receive same-day alerts, structured change summaries, and monitoring for up to 10 platforms.
"If you are a California resident, you have the following rights under the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA): the right to know about the personal information we collect, use, disclose, or sell; the right to delete personal information we have collected from you; the right to correct inaccurate personal information; the right to opt out of the sale or sharing of your personal information; the right to limit the use and disclosure of sensitive personal information; and the right not to receive discriminatory treatment for exercising your privacy rights.— Excerpt from Duo Security's Duo Privacy
REGULATORY LANDSCAPE: The California Consumer Privacy Act as amended by the California Privacy Rights Act, enforced by the California Privacy Protection Agency and the California Attorney General, grants California residents the enumerated rights stated in this provision. CPRA introduced the right to correct inaccurate personal information and the right to limit use of sensitive personal information, both of which Cisco acknowledges in this provision. Businesses covered by CPRA must respond to verified consumer requests within 45 days. GOVERNANCE EXPOSURE: Medium. Cisco explicitly acknowledges CCPA and CPRA applicability, which is consistent with its size and the volume of California residents likely interacting with its products. Enterprise customers with California-based employees should confirm whether their DPA addresses employee data subject rights or whether employees must exercise CCPA rights directly against Cisco as the controller. JURISDICTION FLAGS: California creates the highest US state-level exposure for CCPA/CPRA compliance. Other US states with comprehensive privacy laws including Virginia, Colorado, Connecticut, and Texas have their own frameworks that Cisco does not explicitly enumerate in this provision, which may create gaps in disclosure obligations in those jurisdictions. CONTRACT AND VENDOR IMPLICATIONS: For enterprise B2B deployments, the question of whether Cisco acts as a business or a service provider under CCPA with respect to employee authentication data is material. If Cisco is a service provider, individual employees may need to direct deletion or access requests through their employer rather than directly to Cisco. Enterprise contracts should clarify this relationship. COMPLIANCE CONSIDERATIONS: California-based organizations should ensure their employee privacy notices reference Cisco's role in processing authentication data and the mechanism for employees to exercise CCPA rights. Legal teams should verify whether Cisco's response procedures for CCPA requests meet the 45-day statutory response requirement and whether a designated contact or web form for California requests is accessible.
Full compliance analysis
Regulatory citations, enforcement risk, and due diligence action items.
Free: track 1 platform + weekly digest. Watcher: 10 platforms + same-day alerts. No credit card required.
Professional Governance Intelligence
Need to monitor specific governance provisions?
Professional includes provision-level monitoring, governance timelines, regulatory mapping, and audit-ready analysis.
Built from archived source documents, structured governance mappings, and historical version tracking.
California residents have more enforceable privacy rights against Cisco than users in most other US states, including the right to opt out of data sharing and to limit use of sensitive personal information.
If you live in California, you can formally request that Cisco delete your Duo-related personal data, correct inaccuracies, or tell you exactly what categories of information Cisco holds about you and who it has been shared with.
ConductAtlas has identified this type of provision across 15 platforms. See the full comparison.
No. ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by Duo Security.