CCPA/CPRA Compliance for SaaS Companies: What You Need to Know

California's privacy laws apply to more SaaS companies than most founders realize. If you have customers or users in California and meet certain revenue or data thresholds, you're likely subject to the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA).

This guide covers what SaaS companies need to know, with a focus on the practical steps to achieve compliance.

Does CCPA/CPRA Apply to Your SaaS Company?

CCPA/CPRA applies to for-profit businesses that collect California residents' personal information and meet any one of these thresholds:

  1. Annual gross revenue exceeds $25 million (a figure the CPPA adjusts for inflation every other year, so check the current amount)

  2. Buy, sell, or share the personal information of 100,000 or more California residents or households annually (the CPRA raised this from the original 50,000 and dropped "devices" from the count)

  3. Derive 50% or more of annual revenue from selling or sharing California residents' personal information

A few clarifications that matter for SaaS:

  1. You don't need to be based in California. If you're a Delaware corporation headquartered in Austin but you have California users, CCPA/CPRA applies if you meet a threshold.

  2. B2B data is now covered. The CPRA removed the temporary exemption for business-to-business contacts. If you collect personal information from California-based business contacts (prospects, customers, vendors), that data is now subject to CCPA/CPRA.

  3. Employee data is now covered. The exemption for employee and job applicant data also expired. HR data for California employees falls under the law.

  4. The 100,000 threshold is easier to hit than it sounds. It counts households as well as individuals, and it counts everyone whose personal information you buy, sell, or share, not just paying customers. If advertising pixels on your marketing site send data about 100,000 California visitors to ad platforms in a year, that is "sharing" and you may meet the threshold with a much smaller customer base. (The original CCPA also counted devices; the CPRA removed devices from this threshold, so a raw count of cookies is not the test.)

Key Definitions You Need to Understand

Personal Information. CCPA/CPRA defines personal information broadly: any information that identifies, relates to, describes, or could reasonably be linked to a California resident or household. This includes obvious identifiers (names, email addresses, Social Security numbers) but also:

  • IP addresses

  • Device identifiers

  • Browsing history

  • Geolocation data

  • Professional or employment information

  • Inferences drawn from any of the above

For SaaS companies, this means customer contact information, user account data, usage analytics, and support tickets all likely contain personal information.

Sensitive Personal Information. CPRA created a new category with additional protections:

  • Social Security, driver's license, state ID, and passport numbers

  • Account log-in credentials, or financial account, debit card, or credit card numbers combined with the password or access code needed to use them

  • Precise geolocation

  • Racial or ethnic origin

  • Religious or philosophical beliefs

  • Union membership

  • Contents of mail, email, and text messages (unless your business is the intended recipient)

  • Genetic and biometric data processed to identify a person

  • Health information

  • Sex life or sexual orientation data

Consumers have the right to limit how you use sensitive personal information, beyond the rights that apply to regular personal information.

Sale vs. Share. CCPA originally focused on "selling" personal information. CPRA added "sharing," which means disclosing personal information for cross-context behavioral advertising, regardless of whether money changes hands. If you use third-party advertising pixels (Meta, Google Ads) that collect user data from your site, you may be "sharing" personal information even if you're not selling it.

Service Provider vs. Third Party. This distinction is critical for SaaS companies, who often operate as service providers to their customers.

Service provider: A business that processes personal information on behalf of another business, pursuant to a written contract, for a business purpose. Service providers have limited obligations directly to consumers because the contracting business retains primary responsibility. Most B2B SaaS companies function as service providers when processing customer data. You process data on your customer's behalf, under their instructions, to provide your service. This status provides some protection but requires specific contractual language.

Third party: Any person that isn't the business itself, one of its service providers, or a "contractor" (a CPRA term for a recipient that is not a service provider but is bound by comparable written restrictions). Third parties have direct obligations to consumers.

The Consumer Rights You Must Support

CCPA/CPRA grants California residents several rights. If you're a covered business, you must enable consumers to exercise these rights.

Right to Know. Consumers can request:

  • What categories of personal information you've collected

  • The sources of that information

  • Your business or commercial purpose for collecting it

  • The categories of third parties with whom you share it

  • The specific pieces of personal information you've collected about them

You must respond within 45 days (with a possible 45-day extension).

Right to Delete. Consumers can request deletion of their personal information. You must comply and direct your service providers to do the same, unless an exception applies (legal obligation, completing a transaction, security purposes, etc.).

Right to Correct. Added by CPRA, consumers can request correction of inaccurate personal information.

Right to Opt Out of Sale/Sharing. Consumers can direct you to stop selling or sharing their personal information. You must honor this request and cannot ask them to opt back in for at least 12 months. If you sell or share personal information, your website must include a "Do Not Sell or Share My Personal Information" link. Under the CPRA regulations you must also treat an opt-out preference signal sent by the consumer's browser, such as Global Privacy Control, as a valid opt-out request, even if the consumer never clicks the link.

Right to Limit Use of Sensitive Personal Information. If you collect sensitive personal information, consumers can limit your use to what's necessary to perform your services or provide requested goods.

Right to Non-Discrimination. You cannot discriminate against consumers who exercise their privacy rights by denying services, charging different prices, or providing a different quality of service.

What Your Privacy Policy Must Include

CCPA/CPRA requires specific disclosures in your privacy policy:

  1. Categories of personal information collected in the preceding 12 months

  2. Sources of that personal information

  3. Business or commercial purposes for collecting, selling, or sharing

  4. Categories of third parties with whom you share personal information

  5. Categories of personal information sold or shared in the preceding 12 months (or a statement that you don't sell or share)

  6. Categories of personal information disclosed for a business purpose in the preceding 12 months

  7. Retention periods for each category of personal information

  8. Consumer rights explanation and how to exercise them

  9. Contact information for submitting requests

  10. Date of last update

Your privacy policy should be reviewed and updated at least annually.

SaaS-Specific Compliance Considerations

When You're a Service Provider

Most B2B SaaS companies process customer data as service providers. To maintain this status:

Your contract must include specific language. Your terms of service or data processing agreement must prohibit you from:

  • Selling or sharing personal information

  • Retaining, using, or disclosing personal information outside the direct business relationship

  • Combining personal information with data from other sources (except as permitted)

You must certify compliance. Your contract should include a certification that you understand and will comply with these restrictions.

Respond to customer requests. When your customer receives a consumer request (deletion, access), they may need your help to fulfill it. Your contract should address how these requests flow through.

You still have direct obligations. Even as a service provider, you must implement reasonable security measures, notify the business if you determine you can no longer meet your obligations under the contract, and engage sub-processors only under written contracts that impose the same restrictions on them.

When You're a Business

If you collect personal information directly from California consumers (for your own marketing, your freemium users, your website visitors), you're acting as a business for that data and have direct compliance obligations. Many SaaS companies are both: a business for data they collect directly, and a service provider for customer data they process.

Analytics and Advertising. Review your third-party integrations:

  • Analytics tools: Google Analytics, Mixpanel, Amplitude, and similar tools may involve sharing personal information with third parties. Understand what data flows to these tools and how they use it.

  • Advertising pixels: If you run paid acquisition campaigns with Meta, Google, LinkedIn, or others, you're likely sharing personal information for advertising purposes. This triggers the "Do Not Sell or Share" opt-out requirement.

  • Cookie consent: CCPA/CPRA doesn't require opt-in consent for cookies in general (unlike GDPR), but it does require affirmative opt-in before you sell or share the personal information of consumers under 16, and you must honor opt-out requests, including browser-level opt-out preference signals such as Global Privacy Control (sent as the Sec-GPC: 1 request header and exposed in the browser as navigator.globalPrivacyControl). A consent management platform, or your own tag loader, must suppress advertising tags whenever either the opt-out choice or the signal is present.
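The following is an added example, not code from the original article, of how a tag loader can gate advertising pixels on the consumer's opt-out state. It checks a first-party opt-out cookie (the name ccpa_opt_out and the tag list are assumptions for illustration) and the real Global Privacy Control signals: the Sec-GPC request header on the server and navigator.globalPrivacyControl in the browser. Tags flagged as "sharing" (cross-context behavioral advertising) are suppressed for opted-out consumers; strictly first-party tags still load.

```javascript
'use strict';

// Added example, not from the original article. The cookie name and the tag list
// below are assumptions; "Sec-GPC: 1" and navigator.globalPrivacyControl === true
// are the real Global Privacy Control signals.
const OPT_OUT_COOKIE = 'ccpa_opt_out'; // assumed cookie set by the "Do Not Sell or Share" link
const ONE_YEAR_SECONDS = 365 * 24 * 60 * 60;

// Parse a Cookie request header (or document.cookie) into a name -> value map.
function parseCookies(cookieString) {
  const cookies = {};
  for (const part of String(cookieString || '').split(';')) {
    const eq = part.indexOf('=');
    if (eq < 0) continue;
    const name = part.slice(0, eq).trim();
    if (!name) continue;
    let value = part.slice(eq + 1).trim();
    try { value = decodeURIComponent(value); } catch (_) { /* keep the raw value */ }
    cookies[name] = value;
  }
  return cookies;
}

// GPC arrives server-side as "Sec-GPC: 1" and client-side as a boolean flag.
// Any other value (missing, "0", undefined) means no signal, not an opt-in.
function gpcSignalPresent({ secGpcHeader, navigatorFlag } = {}) {
  return secGpcHeader === '1' || navigatorFlag === true;
}

// The consumer is opted out if they used the opt-out link (cookie) OR their browser sent GPC.
function isOptedOut({ cookieString = '', secGpcHeader, navigatorFlag } = {}) {
  const cookies = parseCookies(cookieString);
  return cookies[OPT_OUT_COOKIE] === '1' || gpcSignalPresent({ secGpcHeader, navigatorFlag });
}

// Decide per tag whether it may load. `sharing: true` marks a tag that sends data to an
// ad platform for cross-context behavioral advertising; those are suppressed on opt-out.
function decideTagLoading(tags, signals) {
  const optedOut = isOptedOut(signals);
  return tags.map((tag) => {
    const suppressed = optedOut && tag.sharing === true;
    return {
      name: tag.name,
      load: !suppressed,
      reason: suppressed ? 'suppressed: consumer opted out of sale/sharing' : 'allowed',
    };
  });
}

// Set-Cookie value that persists the opt-out for a year, so the choice outlives the
// 12-month window during which you may not ask the consumer to opt back in.
function optOutSetCookie() {
  return `${OPT_OUT_COOKIE}=1; Max-Age=${ONE_YEAR_SECONDS}; Path=/; Secure; SameSite=Lax`;
}

// Constructed sample tag list: two advertising tags and one first-party analytics tag.
const SAMPLE_TAGS = [
  { name: 'meta-pixel', sharing: true },
  { name: 'google-ads-conversion', sharing: true },
  { name: 'first-party-analytics', sharing: false },
];

// Three constructed requests: opt-out cookie present, GPC header present, neither.
console.log(decideTagLoading(SAMPLE_TAGS, { cookieString: 'session=abc; ccpa_opt_out=1' }));
console.log(decideTagLoading(SAMPLE_TAGS, { secGpcHeader: '1' }));
console.log(decideTagLoading(SAMPLE_TAGS, { cookieString: 'session=abc', navigatorFlag: false }));
```

Two design points: the GPC check treats only the exact header value "1" or a boolean true as a signal, so a malformed or absent header is never read as consent to share; and the decision is made per tag rather than globally, so suppressing the advertising pixels does not also break first-party analytics run under a service-provider contract.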

Implementing Consumer Request Processes. You need operational processes to handle consumer requests.

Intake Methods. Provide at least two methods for submitting requests:

  • A toll-free phone number

  • A website form or email address

If you operate exclusively online and have a direct relationship with the consumer, an email address can take the place of the toll-free number.

Verification. Before fulfilling requests, you must verify the consumer's identity. The verification level should match the sensitivity of the request:

  • Lower risk (categories of data): Match two data points the consumer provides against your records.

  • Higher risk (specific data pieces, deletion): Match three data points and obtain a signed declaration under penalty of perjury.

Don't collect additional personal information just for verification. Use what you already have.

Response Timeline

  • Acknowledge requests within 10 business days

  • Respond substantively within 45 calendar days

  • You can extend by an additional 45 days if reasonably necessary (with notice to the consumer)

Tracking and Documentation. Maintain records of all consumer requests and how you responded for at least 24 months. If you know or reasonably should know that you buy, sell, or share the personal information of 10 million or more consumers in a calendar year, you must also compile and publish annual metrics on the requests received, complied with (in whole or in part), and denied, along with the median or mean days taken to respond.

Common Compliance Mistakes SaaS Companies Make

Mistake 1: Assuming B2B means exempt. The B2B exemption expired on January 1, 2023. Personal information about your business contacts (names, emails, phone numbers, job titles) is covered.

Mistake 2: Ignoring the "share" definition. You may not "sell" data, but if you use advertising pixels that enable cross-context behavioral advertising, you're "sharing" data and need opt-out mechanisms.

Mistake 3: Inadequate service provider contracts. Your customer agreements need specific CCPA/CPRA language. Generic data protection terms may not be sufficient to establish service provider status.

Mistake 4: No process for consumer requests. Having a privacy policy is not enough. You need actual processes to intake, verify, and respond to requests within the required timeframes.

Mistake 5: Forgetting about employee and HR data. California employee data is now covered. Your HR systems and processes need CCPA/CPRA compliance too.

Mistake 6: Set-and-forget privacy policy. Your privacy policy must accurately reflect your current practices and be updated annually. A policy drafted three years ago is likely out of compliance.

Enforcement and Penalties

The California Privacy Protection Agency (CPPA) enforces CCPA/CPRA. The California Attorney General can also bring enforcement actions.

Administrative fines:

  • Up to $2,500 per violation

  • Up to $7,500 per intentional violation or violation involving the personal information of consumers under 16

Since CPRA took effect there is no automatic 30-day cure period before a fine can be assessed.

Private right of action: Consumers can sue directly when a breach of their nonencrypted and nonredacted personal information results from your failure to implement reasonable security procedures, for statutory damages of $100 to $750 per consumer per incident or actual damages, whichever is greater. This is the law's only private right of action; other violations are enforced by the CPPA and the Attorney General.

The per-violation calculation can add up quickly. A single data practice affecting thousands of consumers could result in significant liability.

Conclusion

CCPA/CPRA compliance requires more than updating your privacy policy. It demands a clear understanding of what data you collect, why you collect it, and who you share it with. You need operational processes to honor consumer rights and contractual frameworks that establish your role in the data ecosystem.

For SaaS companies, the service provider relationship provides important protections, but only if your contracts and practices support it. Take the time to get your data mapping, policies, and processes right. The cost of compliance is far less than the cost of enforcement.

Need help with CCPA/CPRA compliance for your SaaS company? Reach out for a consultation.
