CCPA Requirements: What California Privacy Law Means for Your SaaS
The CCPA (California Consumer Privacy Act) requirements applied to most SaaS platforms four years ago and got sharper every year since. The CPRA (California Privacy Rights Act) expanded the baseline in 2023 and stood up the California Privacy Protection Agency as a dedicated enforcer. This brief covers what applies, what to build, and what the agency has actually been fining companies for. Written for founders and privacy leads at SaaS platforms that serve California residents — which is effectively every US SaaS company.
Which Businesses the CCPA Applies To
CCPA requirements apply to for-profit businesses that collect personal information from California residents and meet at least one of these thresholds:
- Annual gross revenue over $25 million
- Buys, sells, or shares personal information of 100,000 or more California consumers or households annually
- Derives 50% or more of annual revenue from selling or sharing personal information
The 100,000-consumer threshold catches most mid-stage B2C and B2B SaaS with a free tier or broad consumer reach. The revenue threshold alone catches most Series C and later companies. Most growing SaaS platforms hit at least one threshold without realizing it.
The authoritative source is the California Attorney General's CCPA page and the California Privacy Protection Agency regulations.
Service Providers vs Businesses — Why the Distinction Matters
CCPA splits covered entities into two roles:
- Business — the entity that determines why and how personal information is processed
- Service provider — an entity that processes personal information on behalf of a business under a written contract
For B2B SaaS, your customer is typically the business and you are the service provider. Service provider status requires a compliant contract — specifically, one that restricts you from retaining, using, or disclosing the personal information for any purpose other than delivering the service. Many SaaS contracts are not compliant by default. Fixing them is a one-time lift; ignoring them shifts liability to your company.
For consumer-facing SaaS or platforms that monetize data, you are the business and the full requirement set applies directly.
Consumer Rights Under CCPA and CPRA
CPRA expanded CCPA to include five consumer rights. Every in-scope business must be able to receive, verify, and respond to requests within 45 days (extendable once to 90 days):
1. Right to Know
Consumers can request the categories and specific pieces of personal information you collected, the sources, the purposes, and who you shared it with in the prior 12 months.
2. Right to Delete
Consumers can request deletion of their personal information. Exceptions apply — ongoing service, security, legal hold, internal research aligned with consumer expectations.
3. Right to Correct
CPRA-added. Consumers can request correction of inaccurate personal information.
4. Right to Opt Out of Sale or Sharing
Consumers can opt out of the sale or sharing of their personal information. "Sharing" was added by CPRA and covers cross-context behavioral advertising — so ad-tech pixels and remarketing tags trigger this requirement even without a cash transaction.
5. Right to Limit Use of Sensitive Personal Information
CPRA-added. Consumers can limit use of sensitive categories (SSN, precise geolocation, health data, race, religion, union membership, biometric data, contents of communications) to what is necessary to deliver the service.
What to Actually Build
Six operational capabilities cover most of the CCPA requirements for a SaaS platform.
A privacy notice at collection
Displayed at or before the point of data collection. Lists the categories of personal information collected, the purposes, the retention periods, whether data is sold or shared, and the consumer rights summary with a link to the full privacy policy.
A full privacy policy
Updated at least every 12 months. Covers all categories from the prior 12 months and the disclosures required by the CCPA regulations. Posted at a stable URL.
A "Do Not Sell or Share My Personal Information" mechanism
If you sell or share personal information (including via cross-context behavioral advertising), you need a clear opt-out link titled exactly that or "Your Privacy Choices" on the homepage. The mechanism must process signals from the Global Privacy Control (GPC) browser header automatically, with no click or confirmation required from the consumer.
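The GPC requirement is usually the piece engineers get wrong, so here is an added example of server-side handling (illustrative code written for this brief, not the page's own and not from any vendor). The header name `Sec-GPC` and its single valid value `1` come from the GPC specification; the `PreferenceStore`, `OptOutRecord` and `apply_gpc` names, and the consumer ids, are assumptions constructed for the example. The point it shows beyond the paragraph: a request that lacks the header must never undo an opt-out already on file, because the absence of the signal is not consent.

```python
"""Honor the Global Privacy Control (GPC) signal on incoming HTTP requests.

Added example, not code from the page or any product. Assumes a request is
represented by a mapping of header names to values (as most web frameworks
expose) and that opt-out state lives in a hypothetical PreferenceStore.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Dict, Mapping, Optional

# Per the GPC spec the request header is "Sec-GPC" and only the value "1"
# carries a signal; "0", blanks or anything else mean "no signal".
GPC_HEADER = "Sec-GPC"


@dataclass
class OptOutRecord:
    opted_out: bool
    source: str                      # "gpc", "link" or "none"
    recorded_at: Optional[datetime]


@dataclass
class PreferenceStore:
    """Hypothetical in-memory consent store keyed by consumer id."""
    records: Dict[str, OptOutRecord] = field(default_factory=dict)

    def get(self, consumer_id: str) -> OptOutRecord:
        return self.records.get(consumer_id, OptOutRecord(False, "none", None))

    def set_opt_out(self, consumer_id: str, source: str, when: datetime) -> OptOutRecord:
        record = OptOutRecord(True, source, when)
        self.records[consumer_id] = record
        return record


def gpc_signal_present(headers: Mapping[str, str]) -> bool:
    """True only when Sec-GPC (header names are case-insensitive) is exactly "1"."""
    for name, value in headers.items():
        if name.lower() == GPC_HEADER.lower():
            return value.strip() == "1"
    return False


def apply_gpc(headers: Mapping[str, str], consumer_id: str,
              store: PreferenceStore, now: Optional[datetime] = None) -> OptOutRecord:
    """Treat a GPC signal as a valid opt-out of sale/sharing and record it.

    A request without the header never downgrades an existing opt-out: the
    consumer may have used the "Do Not Sell or Share" link, or sent GPC from
    another browser, and silence is not an opt-in.
    """
    now = now or datetime.now(timezone.utc)
    current = store.get(consumer_id)
    if gpc_signal_present(headers) and not current.opted_out:
        return store.set_opt_out(consumer_id, "gpc", now)
    return current


def may_share_for_ads(store: PreferenceStore, consumer_id: str) -> bool:
    """Gate to check before firing ad-tech pixels or remarketing tags."""
    return not store.get(consumer_id).opted_out


if __name__ == "__main__":
    # Constructed sample traffic: one browser sends GPC, a later one does not.
    store = PreferenceStore()
    apply_gpc({"sec-gpc": "1", "User-Agent": "example"}, "consumer-42", store)
    apply_gpc({"User-Agent": "example"}, "consumer-42", store)
    print("share for ads:", may_share_for_ads(store, "consumer-42"))
```

Wire `apply_gpc` into the request pipeline before any tag-firing logic runs, and log the `source` field so an auditor can see whether each opt-out came from the link or from the header.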
A request intake and verification workflow
A webform or email address that accepts rights requests. A documented verification procedure that authenticates the requester without requiring excessive new data. A tracked SLA clock against the 45-day response window.
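The two parts of this workflow that fail audits are the SLA clock and the verification record, so here is an added example of both (written for this brief; not the page's code and not any vendor's product). It uses only the figures the page gives: 45 days from receipt, extendable once to 90 days in total. The `RightsRequest` record, the `verify_requester` matching rule, its `required_matches` threshold and the sample dates and ids are constructed assumptions; verification compares only data points already on file, so it never forces the consumer to hand over new categories of data.

```python
"""CCPA rights-request intake: verification record plus 45/90-day SLA clock.

Added example, not from the page or any product. Dates, ids and the
matching threshold are constructed for illustration.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta
from enum import Enum
from typing import List, Mapping, Optional

RESPONSE_DAYS = 45   # statutory window, counted from the day of receipt
EXTENDED_DAYS = 90   # maximum total after the single permitted extension


class RequestType(Enum):
    KNOW = "know"
    DELETE = "delete"
    CORRECT = "correct"
    OPT_OUT = "opt_out"
    LIMIT = "limit"


def verify_requester(claimed: Mapping[str, str], on_file: Mapping[str, str],
                     required_matches: int = 2) -> bool:
    """Match data points the requester supplies against what is already held.

    Only fields that already exist on file are compared, so the procedure
    authenticates without collecting new personal information. The number
    of matches to demand is a policy choice (assumed: 2 by default; raise
    it for deletion of sensitive data).
    """
    matches = sum(
        1 for key, value in claimed.items()
        if key in on_file and on_file[key].strip().lower() == value.strip().lower()
    )
    return matches >= required_matches


@dataclass
class RightsRequest:
    request_id: str
    consumer_id: str
    kind: RequestType
    received: date
    verified: bool = False
    extended: bool = False
    extension_reason: Optional[str] = None
    audit: List[str] = field(default_factory=list)

    @property
    def due(self) -> date:
        days = EXTENDED_DAYS if self.extended else RESPONSE_DAYS
        return self.received + timedelta(days=days)

    def days_remaining(self, today: date) -> int:
        return (self.due - today).days

    def mark_verified(self, method: str, today: date) -> None:
        self.verified = True
        self.audit.append(f"{today.isoformat()}: verified via {method}")

    def extend(self, reason: str, today: date) -> None:
        """Apply the one permitted extension; refuse a second or a late one."""
        if self.extended:
            raise ValueError("only one extension is permitted")
        if today > self.due:
            raise ValueError("request is already overdue; cannot extend")
        if not reason:
            raise ValueError("an extension must be documented with a reason")
        self.extended = True
        self.extension_reason = reason
        self.audit.append(
            f"{today.isoformat()}: extended to {self.due.isoformat()} ({reason}); consumer notified")


def overdue(requests: List[RightsRequest], today: date) -> List[str]:
    """Ids of open requests whose deadline has passed."""
    return [r.request_id for r in requests if r.days_remaining(today) < 0]


if __name__ == "__main__":
    # Constructed sample: a deletion request received 1 March 2024.
    req = RightsRequest("req-1", "consumer-42", RequestType.DELETE, date(2024, 3, 1))
    on_file = {"email": "a@example.com", "zip": "94105"}
    if verify_requester({"email": "A@example.com", "zip": "94105"}, on_file):
        req.mark_verified("two data points matched", date(2024, 3, 4))
    print("due:", req.due, "remaining on 1 Apr:", req.days_remaining(date(2024, 4, 1)))
```

Run the `overdue` scan daily against the open queue and page the privacy lead on anything under a week from its deadline; the `audit` list gives the regulator-facing trail of when verification and any extension happened.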
A data inventory
Which systems hold which categories of personal information, which categories of sensitive personal information, and which third parties receive each category. Without this, responding to a Right to Know request is guesswork.
Contracts with every downstream service provider
Service provider contracts that meet the specific CCPA requirements — purpose limitation, no sale or share, confidentiality, subcontractor flowdown, cooperation with rights requests. Review every vendor contract.
Enforcement Reality
The California Privacy Protection Agency and the Attorney General have both issued penalties since 2022. Enforcement priorities have clustered around three failures:
- Missing or broken opt-out mechanisms. Links that lead nowhere, forms that do not work, Global Privacy Control signals ignored.
- Non-compliant service provider contracts. Businesses passing personal information to vendors without required contract terms.
- Deceptive privacy practices for minors. Tighter rules for personal information of consumers under 16 — affirmative opt-in for sale or share.
Penalties run up to $2,500 per unintentional violation and $7,500 per intentional violation or violation involving a minor's personal information. Violations are typically counted per consumer, so mishandling a 10,000-consumer email list scales the exposure quickly.
CCPA vs GDPR — Quick Orientation
Both laws grant similar consumer rights but differ in structure. CCPA is opt-out for sale or share; GDPR for SaaS is opt-in consent for most processing. CCPA applies based on thresholds; GDPR applies based on processing EU or UK personal data regardless of business size. Running both compliance programs in parallel is common for US SaaS with European customers — for the GDPR side, see our GDPR compliance service.
How CPRA Is Different From CCPA
CPRA amended CCPA rather than replacing it. The main additions:
- The sensitive personal information category with a Right to Limit
- The Right to Correct
- "Sharing" added to the opt-out scope (covers cross-context behavioral advertising)
- A 12-month minimum retention rule, documented per category
- The California Privacy Protection Agency as a dedicated enforcement body
- Employee and B2B personal information fully in scope (the prior temporary exemption expired January 2023)
If your program was built to CCPA 2020 and never updated, it is almost certainly out of compliance with the current requirements.
Frequently Asked Questions
What businesses need to comply with CCPA? For-profit businesses collecting personal information from California residents that meet at least one of three thresholds: over $25 million annual gross revenue, handling personal information of 100,000 or more California consumers or households annually, or deriving 50% or more of revenue from selling or sharing personal information. Most Series B and later SaaS companies meet at least one threshold.
What are the CCPA penalties? Up to $2,500 per unintentional violation and up to $7,500 per intentional violation or per violation involving a consumer under 16. Violations are typically counted per consumer. The California Privacy Protection Agency and the Attorney General both have enforcement authority, and the private right of action under the data breach provision allows statutory damages of $100–$750 per consumer per incident.
How is CPRA different from CCPA? CPRA amended CCPA starting in 2023. It added the Right to Correct, a sensitive personal information category with a Right to Limit, expanded opt-out scope to include "sharing" (cross-context behavioral advertising), a documented retention requirement, and the California Privacy Protection Agency as a dedicated enforcer. Employee and B2B personal information became fully in scope when the temporary exemption expired.
Ready to Start?
ShieldKey runs CCPA and CPRA readiness programs for SaaS platforms — rights workflow, privacy notice, service provider contract remediation, and data inventory. For scope and delivery model, see our CCPA compliance service.