CCPA Compliance Checklist for SaaS Companies
A practical CCPA and CPRA compliance guide for SaaS companies, covering applicability thresholds, consumer rights, Do Not Sell requirements, privacy notices, vendor contracts, and key differences from GDPR.
The California Consumer Privacy Act, amended and strengthened by the California Privacy Rights Act (CPRA) effective January 1, 2023, is the most significant US privacy law in effect. For SaaS companies, it creates a set of obligations that differ meaningfully from GDPR in scope, structure, and enforcement. This guide focuses on what SaaS companies specifically need to do to achieve and maintain compliance.
Does CCPA Apply to You?
CCPA applies to for-profit businesses that collect personal information from California residents and meet at least one of the following thresholds:
- Annual gross revenues exceeding $25 million
- Annually buys, sells, receives, or shares the personal information of 100,000 or more consumers or households (CPRA moved this threshold from the original 50,000, which applied only to selling, to 100,000, which applies to buying, receiving, and sharing as well)
- Derives 50% or more of annual revenues from selling or sharing consumers' personal information
The law applies based on where consumers are located, not where your business is incorporated. If you have California-resident users, customers, or employees and meet one of the thresholds, CCPA applies regardless of whether you are a California company.
Important for B2B SaaS: CCPA covers personal information of California residents, including business contacts. Employee and job applicant data is now covered under CPRA. If you process personal data of California employees or contractors, CCPA obligations apply to that data too.
Small company exception: If you generate less than $25M in revenue and process the personal information of fewer than 100,000 consumers, CCPA likely does not apply. But even exempt companies increasingly face customer pressure to meet CCPA-equivalent practices.
Categories of Personal Information Under CCPA
CCPA's definition of personal information is broader than GDPR's. It includes:
- Identifiers (name, email, IP address, account name, SSN)
- Commercial information (purchase records, products considered)
- Internet activity (browsing history, search history, interactions with a website)
- Geolocation data
- Professional or employment information
- Inferences drawn from any data to create a profile about a consumer
Publicly available information from government records is excluded. Aggregated or de-identified information that cannot reasonably be linked to an individual is also excluded.
CPRA added a new category: sensitive personal information (SPI), which includes Social Security numbers, financial account credentials, precise geolocation, race, ethnicity, religious beliefs, health information, sexual orientation, and the contents of communications. SPI carries additional rights (the right to limit use and disclosure) and stricter processing restrictions.
Consumer Rights You Must Support
Right to Know
Consumers have the right to know what personal information you collect about them, the categories of sources, the business or commercial purpose for collection, and the categories of third parties with whom you share it. They also have the right to know the specific pieces of personal information you have collected about them.
You must be able to respond to verified requests within 45 days (extendable by 45 days with notice). For SaaS companies, this typically means building or licensing a data subject request (DSR) workflow that can query your databases and compile a report.
Right to Delete
Consumers can request deletion of their personal information. Exceptions apply when retention is necessary for:
- Completing a transaction or providing a contracted service
- Detecting security incidents
- Complying with a legal obligation
- Exercising free speech
- Internal uses reasonably aligned with consumer expectations
You must also instruct your service providers (processors) to delete the information. Maintain deletion logs for audit purposes.
Right to Correct
CPRA added the right to correct inaccurate personal information. When a consumer submits a correction request, you must use commercially reasonable efforts to correct the information and must notify service providers to correct it in their systems.
Right to Opt Out of Sale or Sharing
This is the most operationally complex right. Consumers can opt out of the "sale" of their personal information. Under CPRA, this extends to "sharing" — defined as disclosing personal information for cross-context behavioral advertising, even without monetary exchange.
For many SaaS companies, the critical question is whether using analytics or advertising platforms constitutes "sharing." If you use Google Analytics with advertising features enabled, or Meta Pixel, or send data to an ad network, those transfers likely constitute sharing under CPRA. You must provide a clear "Do Not Sell or Share My Personal Information" link on your homepage and honor opt-out signals including the Global Privacy Control (GPC) browser signal.
Right to Limit Use of Sensitive Personal Information
If you collect SPI, consumers can direct you to limit its use to what is necessary to perform the requested service. You must provide a "Limit the Use of My Sensitive Personal Information" link (which can be combined with the opt-out link).
Right to Non-Discrimination
You cannot discriminate against consumers who exercise their privacy rights. You may offer financial incentives for data collection, but they must be reasonably related to the value of the data.
Privacy Notice Requirements
Your privacy policy must include:
- Categories of personal information collected in the past 12 months
- Categories of sources
- Business or commercial purposes for collection
- Categories of third parties to whom data is disclosed
- Consumer rights and how to exercise them
- How you will verify identity for rights requests
- Contact information for submitting requests (email, toll-free phone number, or web form)
- Date of last update
For SPI, you must separately disclose the purposes for which it is used.
CCPA requires an at-collection notice — a shorter disclosure at the point where you collect data (sign-up forms, checkout, etc.) that tells consumers what categories of information you collect and links to your full privacy policy. For employee data, provide a separate HR privacy notice.
The "Do Not Sell or Share" Mechanism
If your business sells or shares data, you must:
- Post a "Do Not Sell or Share My Personal Information" link prominently on your homepage
- Honor the Global Privacy Control (GPC) signal as a valid opt-out
- Implement a process to receive and act on opt-out requests within 15 business days
SaaS companies should audit their third-party integrations. Every pixel, analytics tag, and marketing SDK should be evaluated: does this transfer personal information to a third party for its own purposes? If yes, it is likely "selling or sharing" under CCPA. Run a tag audit, document findings, and implement consent mechanisms or opt-out controls.
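As an added example (not part of this guide or any vendor's code), the following Python helper shows one way to wire the opt-out requirements above into a web application: it treats the Global Privacy Control request header (the GPC specification defines it as `Sec-GPC: 1`) as a valid opt-out, merges it with a stored explicit opt-out, uses the output of a tag audit to suppress tags that would constitute selling or sharing for an opted-out consumer, and records the 15-business-day deadline for acting on an explicit request. The tag names, the consumer record fields, and the absence of a holiday calendar are assumptions made for the example.

```python
# Added example (not from the guide): server-side GPC handling, tag
# suppression from a tag-audit inventory, and opt-out deadline tracking.
from datetime import date, timedelta

# Constructed tag inventory produced by a hypothetical tag audit. Whether a tag
# transfers personal information to a third party for that party's own
# purposes is a finding of the audit; the code only acts on it.
TAG_INVENTORY = {
    "first_party_product_analytics": {"shares_with_third_party": False},
    "advertising_pixel": {"shares_with_third_party": True},
    "retargeting_sdk": {"shares_with_third_party": True},
    "session_replay_self_hosted": {"shares_with_third_party": False},
}


def gpc_signal_present(headers):
    """Return True if the request carries a GPC opt-out signal.

    The GPC specification defines the request header "Sec-GPC: 1". Header
    names are case-insensitive, so normalise before comparing. Any value other
    than exactly "1" is treated as no signal.
    """
    for name, value in headers.items():
        if name.lower() == "sec-gpc" and value.strip() == "1":
            return True
    return False


def is_opted_out(headers, consumer_record):
    """Opted out if the browser signal is present or an explicit opt-out was
    recorded earlier. A missing signal never re-enables sharing for someone
    who already opted out explicitly."""
    return gpc_signal_present(headers) or bool(consumer_record.get("opt_out_sale_share"))


def allowed_tags(headers, consumer_record):
    """Names of tags that may load on this request. Tags classified as sharing
    with a third party are suppressed for opted-out consumers; first-party
    tags are unaffected."""
    opted_out = is_opted_out(headers, consumer_record)
    return sorted(
        name for name, meta in TAG_INVENTORY.items()
        if not (opted_out and meta["shares_with_third_party"])
    )


def add_business_days(start, days):
    """Advance `start` by `days` Monday-to-Friday business days.

    Assumption: no holiday calendar. A production version would also skip
    company-observed holidays."""
    current = start
    remaining = days
    while remaining > 0:
        current += timedelta(days=1)
        if current.weekday() < 5:  # 0 = Monday ... 4 = Friday
            remaining -= 1
    return current


def opt_out_deadline(received_iso, business_days=15):
    """ISO date by which an opt-out received on `received_iso` must be acted
    on: CCPA allows 15 business days."""
    return add_business_days(date.fromisoformat(received_iso), business_days).isoformat()


def record_opt_out(consumer_record, source, received_iso):
    """Return an updated consumer record with the opt-out, its source (for the
    audit trail) and the act-by date. The input record is not mutated."""
    updated = dict(consumer_record)
    updated["opt_out_sale_share"] = True
    updated["opt_out_source"] = source
    updated["opt_out_received_on"] = received_iso
    updated["opt_out_act_by"] = opt_out_deadline(received_iso)
    return updated


if __name__ == "__main__":
    # Constructed request headers and consumer record for the demo.
    headers = {"Host": "app.example", "Sec-GPC": "1", "User-Agent": "demo"}
    record = {"consumer_id": "c-0001", "opt_out_sale_share": False}
    print("opted out via GPC:", is_opted_out(headers, record))
    print("tags allowed:", allowed_tags(headers, record))
    print(record_opt_out(record, "gpc_header", "2024-01-02"))
```

The design point is that the GPC signal and the explicit opt-out are evaluated together on every request and that suppression is driven by the audit classification of each tag, so adding a new pixel without classifying it is a visible gap in the inventory rather than a silent transfer.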
Vendor (Service Provider) Contracts
Under CCPA, service providers are companies that process personal information on your behalf under a written contract. The contract must restrict service providers from retaining, using, or disclosing personal information outside of the specific service they provide.
Your contracts with service providers must include:
- A prohibition on the service provider selling or sharing the personal information
- A restriction to using the data only as directed and as necessary for the contracted service
- Requirements to comply with CCPA
- Rights to audit or assess service provider compliance
- Requirements to notify you if the service provider determines it can no longer meet its obligations
Review and update vendor contracts systematically. SaaS companies are typically both a business under CCPA (with respect to their end users) and a service provider to their business customers. Both sides of this relationship require contractual coverage.
CPRA Updates (2023)
CPRA introduced the California Privacy Protection Agency (CPPA), a dedicated enforcement agency. Previously, enforcement resided solely with the California Attorney General. The CPPA can initiate its own investigations and enforcement actions.
Key CPRA changes beyond what was covered above:
- Data minimization: You may only collect personal information reasonably necessary and proportionate to the disclosed purpose
- Storage limitation: Personal information must not be kept longer than necessary for the disclosed purpose
- Automated decision-making rights: Consumers have the right to opt out of automated decision-making that has significant effects on them, and the right to access information about automated decision-making logic
- Annual cybersecurity audits: Businesses that pose significant risk to consumer privacy must submit annual cybersecurity audits to the CPPA (rulemaking pending)
- Privacy impact assessments: Required for high-risk processing activities (rulemaking pending)
- Expanded employee and B2B contact coverage: Removed the temporary exemptions that excluded employee and B2B contact data from many CCPA requirements
CCPA vs. GDPR: Key Differences
Both laws give individuals rights over their personal data, but they differ in important ways.
Legal basis for processing: GDPR requires a lawful basis for each processing activity. CCPA does not — you can collect and process data freely as long as you disclose it and honor rights requests.
Opt-out vs. opt-in: GDPR requires opt-in consent for most processing (with exceptions). CCPA uses an opt-out model — you can process data until a consumer opts out (with exceptions for SPI and certain high-risk processing).
Scope: GDPR covers all EU residents. CCPA covers California residents only, though many other US states have passed similar laws (Virginia CDPA, Colorado CPA, Texas TDPSA, etc.).
Penalties: GDPR fines reach 4% of global annual revenue. CCPA civil penalties reach $2,500 per unintentional violation and $7,500 per intentional violation, with a private right of action for data breaches ($100-$750 per consumer per incident).
B2B data: GDPR has no carve-out for business contact data. CCPA's B2B carve-out was eliminated by CPRA, making them more similar in this respect.
Building a Compliance Program
A sustainable CCPA compliance program includes:
Data inventory: Document every category of personal information you collect, where it comes from, where it goes, how long you keep it, and the business purpose. This is the foundation for accurate privacy notices and rights request responses.
DSR workflow: Implement a process for receiving, verifying, and responding to rights requests. Identity verification is required — you must reasonably verify the consumer is who they claim to be before disclosing or deleting data. A verified email confirmation plus matching account details is typically sufficient for most categories.
Vendor audit: Review all third-party data transfers and update contracts. Flag any transfers that could constitute "selling or sharing."
Technical controls: Implement the ability to delete user data on request, correct it, provide a data export, and suppress it from marketing processes.
Training: Train customer-facing and technical teams on how to handle rights requests and escalate them correctly.
Annual review: Privacy laws evolve. Review your privacy notice, data inventory, and vendor contracts at least annually and after any significant product changes that affect data collection.
The California privacy enforcement environment is maturing. The CPPA has signaled aggressive enforcement of notice and opt-out requirements. Companies that invested in genuine compliance programs rather than cosmetic privacy policies are significantly better positioned.