CCPA / CPRA for SaaS — what you actually have to do

California's privacy law applies to any SaaS that has a paying Californian customer. Here's the minimum viable compliance checklist, written for founders who've never done it before.

CCPA (California Consumer Privacy Act, 2018) and its successor CPRA (2023) together give California residents rights over their personal data similar to GDPR. If your SaaS meets any of the thresholds — $25M annual revenue, data on 100K+ California residents, or 50%+ revenue from selling personal data — you're in scope. Most early-stage SaaS stays below these thresholds, but the rights framework is becoming the de facto US standard.

What it is

CCPA grants California residents rights to: know what personal information you collect, delete it, correct it, limit use of sensitive info, opt out of sale/sharing, and equal service without retaliation for exercising these rights. Enforcement is by the California Attorney General and the CPPA (California Privacy Protection Agency).

Vulnerable example

# Common CCPA mistakes

- No "Do Not Sell or Share My Personal Information" link in footer (required if you share data with ad networks or data brokers)
- No way for users to download their data or delete their account
- Dark-pattern consent flows for cookie tracking
- Different pricing tiers based on opting out of tracking (prohibited retaliation)
- No response mechanism for Global Privacy Control (GPC) browser signals
- Privacy Policy that doesn't enumerate the categories of personal info collected

Fixed example

# Minimum viable CCPA compliance

1. Update Privacy Policy with a California-specific section
2. Add "Do Not Sell or Share My Personal Information" link if applicable
3. Honor Global Privacy Control (GPC) browser signals automatically
4. Build self-service data download + delete flows
5. Document the categories of personal information you collect
6. Retention-schedule each category (don't keep data forever)
7. Train any support staff who might receive consumer requests
8. Track request response times (CCPA requires 45 days)

How Securie catches it

Securie's privacy specialist (on the Series-A roadmap) will cover automated detection of CCPA/GPC compliance gaps. Today the library includes template Privacy Policy language and DPA guidance.

Checklist

  • Privacy Policy includes California-specific rights section
  • Categories of personal information collected are enumerated
  • Do-not-sell-or-share link in footer (if you share with third parties)
  • Global Privacy Control (GPC) signals are honored
  • Data-download request workflow (45-day response SLA)
  • Account-deletion workflow (45-day response SLA)
  • Correction-request workflow documented
  • Service tiers are equivalent whether user opts out of tracking or not
  • Sub-processor list published
  • Sensitive-personal-information handling documented (SSN, login, precise location, etc.)

FAQ

If I'm under the revenue threshold do I still need to do this?

Legally, no — the CCPA thresholds ($25M revenue, 100K+ California residents, or 50%+ data-sale revenue) gate applicability. Practically, adopting the rights framework now is cheap, and enterprise customers and their data-processing addenda (DPAs) increasingly require it regardless of threshold.

Is GDPR compliance enough to cover CCPA?

Mostly, yes. If you've built GDPR-compliant workflows (deletion, download, correction), CCPA rights are a subset. The main additions: California-specific Privacy Policy section, 'Do Not Sell or Share' link if applicable, and honoring Global Privacy Control browser signals.

What's Global Privacy Control?

GPC is a browser signal (header and DOM property) that communicates a user's do-not-sell preference. California regulations require you to honor GPC signals as a valid opt-out. Implementation is trivial: check for `Sec-GPC: 1` header on incoming requests and suppress tracking.
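The GPC check described in this answer, and step 3 of the "Minimum viable CCPA compliance" list above, as an added example. This is illustrative code written for this post, not Securie's product code. It assumes a Node-style request where header names are lowercased, a hypothetical `accountOptedOut` flag that your own user store would supply, and a constructed `X-GPC-Honored` response header used purely as an audit trail. Per the GPC specification, only the exact header value `1` (and the boolean `navigator.globalPrivacyControl === true` on the client) counts as a signal; anything else is treated as "no signal", never as consent.

```javascript
// Added example (not Securie's code): honoring Global Privacy Control (GPC).
// Server side reads the Sec-GPC request header; client side reads the
// navigator.globalPrivacyControl DOM property. Framework-agnostic so it runs in plain Node.

// Parse the Sec-GPC header. The spec defines only the value "1" as a valid signal;
// a missing header, "0", or "true" is "no signal" (never an opt-in to tracking).
function gpcFromHeaders(headers) {
  const value = headers['sec-gpc'] ?? headers['Sec-GPC'];
  return typeof value === 'string' && value.trim() === '1';
}

// Decide whether third-party tracking (ad pixels, data-broker syncs) may run for a request.
// A previously recorded per-account opt-out (hypothetical accountOptedOut flag) is honored too;
// GPC alone is treated as a valid opt-out request, as the post describes.
function trackingAllowed({ headers, accountOptedOut = false }) {
  if (accountOptedOut) return false;
  if (gpcFromHeaders(headers)) return false;
  return true;
}

// Render a page for a request: when tracking is not allowed, the third-party script tag
// is omitted entirely (suppressing it client-side after it loads is not enough), and the
// response carries a constructed audit header so logs show the signal was honored.
function renderPage(headers, accountOptedOut = false) {
  const allowed = trackingAllowed({ headers, accountOptedOut });
  const body = allowed
    ? '<html><body>...<script src="/third-party-pixel.js"></script></body></html>'
    : '<html><body>...</body></html>';
  return {
    body,
    // 'X-GPC-Honored' is a constructed header name for this example, not a standard.
    headers: { 'X-GPC-Honored': allowed ? '0' : '1' },
  };
}

// Client side: browsers expose the same preference as navigator.globalPrivacyControl.
// The navigator object is injectable so the function can be exercised outside a browser.
function clientGpcEnabled(nav = typeof navigator !== 'undefined' ? navigator : {}) {
  return nav.globalPrivacyControl === true;
}

// Constructed sample requests (not captured traffic).
const withGpc = { 'sec-gpc': '1', 'user-agent': 'Example/1.0' };
const withoutGpc = { 'user-agent': 'Example/1.0' };
const bogusGpc = { 'sec-gpc': 'true', 'user-agent': 'Example/1.0' };

console.log('GPC request  ->', renderPage(withGpc).headers);    // X-GPC-Honored: '1'
console.log('plain request->', renderPage(withoutGpc).headers); // X-GPC-Honored: '0'
console.log('bogus value  ->', renderPage(bogusGpc).headers);   // X-GPC-Honored: '0'
```

Wire `trackingAllowed` into whatever decides whether to emit tracking tags or fire server-side pixel calls, and log the audit header (or an equivalent field) so the "GPC signals are honored" checklist item has evidence behind it. Note that the header check must run before any third-party script is served; a client-side check alone still leaks the page load to the tracker.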

What happens if I don't comply?

Penalties range from $2,500 per unintentional violation to $7,500 per intentional violation. The California Attorney General and CPPA enforce. There is also a private right of action for breaches involving non-encrypted personal information ($100-$750 per consumer per incident).

Does CCPA apply if I only have a few California users?

CCPA applies if your business meets any of three thresholds: $25M+ annual revenue, processes personal info of 100K+ California consumers/households, or derives 50%+ revenue from selling personal info. Most seed-stage startups reach the 100K-consumer threshold quickly once they cross product-market fit.