If you sell to customers in California — and if you're a SaaS company with US users, you almost certainly do — CCPA/CPRA compliance is no longer optional. California's privacy law has evolved significantly since its 2020 launch, and 2025–2026 enforcement has heated up under the California Privacy Protection Agency (CPPA).
This guide cuts through the noise: what CCPA/CPRA requires, what changed with the CPRA amendments, and exactly what your SaaS needs to implement in 2026.
CCPA vs CPRA: What's the Difference?
The California Consumer Privacy Act (CCPA) was enacted in 2018 and took effect January 1, 2020. The California Privacy Rights Act (CPRA) — Proposition 24, passed by voters in November 2020 — amended and expanded CCPA significantly. CPRA's substantive provisions took effect January 1, 2023.
The key changes CPRA made to CCPA:
- Created the California Privacy Protection Agency (CPPA) — a dedicated enforcement agency (replacing sole AG enforcement)
- Added a new category: Sensitive Personal Information (SPI) with an explicit opt-out right
- Added data minimisation requirements (similar to GDPR)
- Added purpose limitation requirements
- Expanded data retention obligations (must disclose retention periods)
- Strengthened contractor and service provider agreement requirements
- Extended consumer rights to include right to correct inaccurate personal information
- Extended opt-out right to cover sharing for cross-context behavioural advertising (not just "sale")
Does CCPA/CPRA Apply to Your SaaS?
CCPA/CPRA applies to for-profit businesses that collect California residents' personal information and meet at least one of these thresholds:
- Annual gross revenue exceeding $25 million
- Annually buy, sell, receive, or share personal information of 100,000 or more California consumers or households
- Derive 50% or more of annual revenue from selling or sharing California consumers' personal information
For most early-stage SaaS companies, you probably don't hit threshold 1 or 3 early on. But threshold 2 is reachable faster than you think: if you have 100,000 users and a meaningful share of them are from California (typically 10–15% of US traffic), you may hit this threshold even at early scale.
CPRA also created a B2B exception, but it's narrower than many assume. Business-to-business communications (contacting a company to do business) are partially exempted, but personal information collected from individual employees of your B2B customers is not exempt.
What CCPA/CPRA Requires: The Core Rights
| Right | What it means | Your obligation |
|---|---|---|
| Right to Know | Know what personal info is collected, used, disclosed, or sold | Privacy policy disclosure + respond to requests within 45 days |
| Right to Delete | Request deletion of their personal information | Delete within 45 days; notify service providers to delete |
| Right to Correct | Correct inaccurate personal information (CPRA addition) | Correct within 45 days; notify service providers |
| Right to Opt-Out (Sale/Sharing) | Opt out of sale or sharing of personal info for targeted advertising | "Do Not Sell or Share My Personal Information" link on homepage |
| Right to Limit SPI Use | Limit use of Sensitive Personal Information to necessary purposes | "Limit the Use of My Sensitive Personal Information" link if SPI is used beyond basic service |
| Right of Non-Discrimination | Not be discriminated against for exercising CCPA rights | Can't deny service, charge different prices, or provide lower quality for exercising rights |
| Right to Data Portability | Receive their data in a portable format | Provide machine-readable export on verified request |
Sensitive Personal Information (SPI) — The Key CPRA Addition
CPRA introduced a new category of Sensitive Personal Information (SPI) with additional protections. SPI includes:
- Social security numbers, driver's licence numbers, or state ID numbers
- Financial account numbers, debit/credit card numbers (with access credentials)
- Precise geolocation (within 1,852 metres / 1 mile)
- Racial or ethnic origin, religious beliefs, or union membership
- Personal communications (emails, texts) where you're not the intended recipient
- Genetic data, biometric data processed to uniquely identify an individual
- Health data, sex life or sexual orientation data
If your SaaS collects any SPI and uses it for purposes beyond providing the service (e.g., for advertising, analytics, or profiling), you must:
- Provide a "Limit the Use of My Sensitive Personal Information" link
- Disclose the SPI categories in your privacy policy with specific retention periods
- Allow consumers to opt out of secondary SPI processing
Most B2B SaaS companies don't collect SPI and don't need to worry about this. But HealthTech, HR tech, and analytics platforms should audit their data collection carefully.
Data Minimisation and Purpose Limitation — The New Requirements
This is the biggest operational change CPRA introduced, and the one that most often catches SaaS companies off guard. CPRA Section 1798.100(a)(3) states:
"A business's collection, use, retention, and sharing of a consumer's personal information shall be reasonably necessary and proportionate to achieve the purposes for which the personal information was collected or processed."
What this means in practice:
- You can't collect data "just in case" it might be useful later
- You can't use data for purposes beyond what was disclosed at collection
- You must have and disclose specific retention periods for each category of personal information
- If you change your use of data in a way that's incompatible with the original purpose, you must notify consumers and obtain consent
For SaaS companies, this means your privacy policy can no longer say "we retain data for as long as necessary" — you must specify actual retention periods per data category.
What Your Privacy Policy Must Include in 2026
Your CCPA/CPRA-compliant privacy policy must include:
- Categories of personal information collected (with specific enumeration)
- Purpose for collecting each category
- Specific retention period for each category (or criteria used to determine it)
- Categories of third parties with whom you share personal information
- Whether you sell or share personal information (with opt-out mechanism)
- Whether you use or disclose SPI beyond basic service (with limit mechanism)
- How consumers can submit rights requests (toll-free number or web form)
- Your response timeline (45 days standard, 45-day extension available)
- Date of last update (must be updated at least every 12 months)
Service Providers vs Contractors vs Third Parties
CPRA sharpened the definitions of who you share data with and what agreements you need:
| Category | Definition | Agreement required |
|---|---|---|
| Service Provider | Entity that processes data on your behalf for a disclosed business purpose (e.g., Stripe for payments, AWS for hosting) | Written CCPA service provider contract with prohibited uses clauses |
| Contractor | Entity that receives personal information but is not a service provider (CPRA addition) | Written contract with CCPA-compliant restrictions |
| Third Party | Everyone else, including ad networks and analytics platforms that use data for their own purposes | Opt-out right must be provided; a contract alone is not sufficient |
The practical implication: if you use Google Analytics with advertising features enabled, or embed third-party ad pixels, you're likely sharing personal information with "third parties" under CCPA, which triggers the "Do Not Sell or Share" opt-out requirement even if you don't receive money for the data.
CPPA Enforcement in 2025–2026: What's Changed
The California Privacy Protection Agency (CPPA) became fully operational for enforcement in 2023 and has been escalating activity. Key 2025–2026 enforcement priorities:
- Dark patterns: The CPPA's first major investigation focus. Confusing opt-out flows, pre-ticked boxes, and misleading consent UX are being targeted. Your opt-out mechanism must be "as easy" as the mechanism for opting in.
- Automated decision-making: The CPPA finalised rules on automated decision-making technology (ADMT) in 2025. If your SaaS makes decisions that have "significant effects" on consumers using automated means, you must provide opt-out rights and pre-use notices, similar to GDPR Article 22.
- Privacy audits: The CPPA can require businesses to submit to audits. Having documented data inventories and retention schedules is increasingly important.
- Data broker registry: California's Delete Act (SB 362) created a data broker registry and deletion mechanism effective 2026. If your SaaS sells data to data brokers or is itself a data broker, registration is required.
CCPA Fines
- $2,500 per violation (unintentional)
- $7,500 per violation (intentional)
- For children's data violations: $7,500 per child per violation
- Private right of action for data breaches: $100–$750 per consumer per incident, or actual damages if higher
Quick CCPA/CPRA Compliance Checklist for SaaS
- ☐ Privacy policy updated with CPRA requirements (retention periods, SPI, opt-out disclosures)
- ☐ "Do Not Sell or Share My Personal Information" link on homepage if applicable
- ☐ Consumer rights request mechanism (web form or toll-free number)
- ☐ Process to respond to rights requests within 45 days
- ☐ Service provider agreements in place with third-party data processors
- ☐ Data inventory / record of processing with retention periods
- ☐ Check third-party integrations for "sharing" that triggers opt-out requirements
- ☐ Audit opt-out UX for dark patterns
- ☐ Annual privacy policy review and update
Key Takeaways
- CPRA took effect January 2023 and significantly expanded CCPA — if your privacy policy hasn't been updated since then, it's probably non-compliant.
- The 100,000-consumer threshold is reachable for growth-stage SaaS — audit whether you're subject to CCPA.
- Data minimisation and specific retention periods are now required, not just best practice.
- The CPPA is actively enforcing — especially dark patterns in opt-out flows and automated decision-making.
- If you use analytics or advertising tools that share data for their own purposes, you likely need a "Do Not Sell or Share" opt-out mechanism.