California Set the Standard
When the California Consumer Privacy Act (CCPA) took effect on January 1, 2020, it became the most significant privacy law in the United States. The California Privacy Rights Act (CPRA), approved by voters in November 2020 and operative from January 1, 2023, amended and strengthened it, adding new rights, new obligations, and a dedicated enforcement agency. Together, they form the baseline that most US state privacy laws have followed.
If you’re a SaaS company that touches consumer data, California privacy law is likely already your problem, even if your headquarters is in Texas, New York, or anywhere else.
Who’s Actually in Scope
CCPA/CPRA applies to for-profit businesses that collect personal information from California residents, determine how it is processed, and meet any one of these thresholds:
- Annual gross revenue exceeding $25 million (the figure is adjusted periodically for inflation)
- Buy, sell, or share the personal information of 100,000 or more California consumers or households annually (CPRA dropped "devices" from this count)
- Derive 50% or more of annual revenue from selling or sharing personal information
That second threshold catches more SaaS companies than you’d expect, and note that it counts buying, selling, or sharing, not merely collecting. Under CPRA, “sharing” has a specific meaning: disclosing personal information to a third party for cross-context behavioral advertising, whether or not any money changes hands. Passing user data to advertising, analytics, or integration partners for that purpose counts toward the threshold, so a product with 100,000 California users and a standard ad-tech stack can cross it without ever selling a record. Data you process purely on behalf of customers as a service provider does not count toward your own thresholds, but it creates the separate service provider obligations covered below, so if your customers have that many California users you still need to pay attention.
What the Law Requires
Consumer Rights
California residents have specific rights over their personal information:
Right to Know. Consumers can request what personal information you’ve collected, where it came from, what you use it for, and who you’ve shared it with. You have 45 days to respond to a verified request, extendable once by a further 45 days if you notify the consumer. Verification matters here: the CPPA regulations prohibit returning certain items in a right-to-know response even to a verified requester, including Social Security numbers, driver’s license numbers, financial account numbers, account passwords, and security questions, precisely because a fulfillment process that hands those out is an identity-theft vector.
Right to Delete. Consumers can request deletion of their personal information. You must also direct your service providers and contractors to delete it. There are exceptions, but they’re narrower than most companies assume.
Right to Correct. Added by CPRA. Consumers can request that you correct inaccurate personal information you hold about them.
Right to Opt Out. Consumers can opt out of the sale or sharing of their personal information. If you sell or share data, you need a “Do Not Sell or Share My Personal Information” link on your website, and the CPPA regulations also require you to honor opt-out preference signals such as Global Privacy Control sent by the user’s browser, treating the signal as a valid opt-out request without requiring the user to click anything.
Right to Limit Use of Sensitive Personal Information. CPRA added a category of “sensitive personal information” that includes Social Security and other government identification numbers, financial account details with access credentials, precise geolocation, racial or ethnic origin, religious beliefs, the contents of private communications, genetic data, biometric data used for identification, and health and sexual orientation data. Consumers can limit your use of it to what is necessary to provide the service they asked for; if you use it beyond that, you need a “Limit the Use of My Sensitive Personal Information” link.
Right to Non-Discrimination. You can’t penalize consumers for exercising their privacy rights by charging different prices, providing different service levels, or denying service.
Business Obligations
Beyond responding to consumer requests, CCPA/CPRA imposes operational requirements:
Privacy Policy. You must maintain a comprehensive privacy policy that discloses the categories of personal information collected, the purposes for collection, consumer rights, and how to exercise them. It must be updated at least every 12 months.
Data Inventory. You need to know what personal information you collect, where it lives, who has access, and who you share it with. You can’t respond to consumer requests if you don’t know where the data is.
Service Provider Agreements. If you share personal information with service providers or contractors, your agreements must include specific CCPA/CPRA-required provisions restricting how they can use the data.
Data Minimization. CPRA added a requirement that collection, use, and retention of personal information must be reasonably necessary and proportionate to the purposes for which it was collected.
Risk Assessments. CPRA directs the California Privacy Protection Agency (CPPA) to issue regulations requiring businesses whose processing presents significant risk to consumer privacy or security to conduct regular cybersecurity audits and to perform and submit privacy risk assessments. The mandate is in the statute; the specific audit scope, assessment contents, and timelines come from the CPPA’s regulations, which the agency has been working through.
SaaS Companies: Processor vs. Controller
This is where it gets nuanced for SaaS companies. You may be acting as both:
A business (controller) when you collect personal information from your own users, website visitors, and prospects. Your marketing site, your product analytics, your customer database: that’s your data, and you’re directly subject to CCPA/CPRA.
A service provider (processor) when you process personal information on behalf of your customers. If your SaaS product stores, processes, or transmits your customers’ end-user data, you’re acting as a service provider for CCPA purposes.
Your obligations differ depending on the role. As a business, you need to honor consumer rights requests directly. As a service provider, you need to assist your customers in honoring those requests and ensure your contracts include the required CCPA/CPRA provisions.
Most B2B SaaS companies are both, and you need to handle each role separately.
Common Mistakes We See
Assuming B2B means exempt. CCPA applies to personal information of California residents, period. Your B2B customers’ employees, contacts, and end users are California residents, and so are your own employees and job applicants. The partial exemptions for B2B contact data and employee data, which CPRA had extended, expired on January 1, 2023, so that data has been fully in scope since then.
Ignoring the service provider role. Many SaaS companies focus only on their direct obligations and overlook their responsibilities as a service provider. Your enterprise customers will increasingly require CCPA-compliant data processing agreements, and they’ll ask how you support their ability to respond to consumer requests.
Cookie banners as a substitute for compliance. A cookie consent banner is one small piece of privacy compliance. It doesn’t address data inventory, consumer rights fulfillment, service provider agreements, data minimization, or any of the operational requirements.
Not tracking regulatory developments. The CPPA is actively issuing regulations that add specificity to the statute. Automated decision-making rules, cybersecurity audit requirements, and risk assessment standards are all in progress. The compliance target is still moving.
Building a Practical Program
1. Map Your Data
Start with a comprehensive data inventory. Document what personal information you collect (directly and through your product), where it’s stored, who has access, how long you retain it, and who you share it with. This is the foundation for everything else.
2. Update Your Agreements
Review and update your service provider agreements, data processing addendums, and customer contracts. Ensure they include CCPA/CPRA-required provisions. If you use sub-processors, make sure those agreements flow down.
3. Build Request Fulfillment Processes
Implement processes for receiving, verifying, and responding to consumer rights requests within the required timeframes. This includes both your direct obligations (your users) and your service provider obligations (helping your customers respond to their users’ requests). Treat the verification step as a security control, not paperwork: a weak identity check turns an access request into a data exfiltration path and a deletion request into a way to destroy someone else’s account, so match the strength of verification to the sensitivity of what the request would disclose or delete.
4. Update Your Privacy Policy
Ensure your privacy policy includes all required disclosures. Review it at least annually. If you’ve added new data collection practices, integrations, or sharing arrangements, update it immediately.
5. Train Your Team
Customer support, sales, engineering, and marketing all handle personal information. Make sure they understand what constitutes a privacy request, how to route it, and what not to do with personal data.
How CCPA Relates to Other Frameworks
If you’re already working on privacy compliance, the good news is that frameworks overlap significantly:
GDPR. CCPA and GDPR share core principles: transparency, purpose limitation, data minimization, and consumer rights. A strong GDPR program covers much of what CCPA requires, though the specifics differ (particularly around opt-out vs. opt-in consent models).
SOC 2 Privacy Criteria. If you’ve included the Privacy Trust Services Criteria in your SOC 2 report, you’ve already built many of the operational controls CCPA requires.
ISO 27701. The privacy extension to ISO 27001 provides a management system for privacy information management that maps well to both CCPA and GDPR requirements.
At Concerto, we help SaaS companies build privacy programs that satisfy multiple frameworks simultaneously. Whether you’re starting with CCPA, preparing for GDPR, or building a unified privacy program across jurisdictions, we can help you build it right the first time. Schedule a consultation to discuss your privacy compliance needs.
