CCPA and CPRA Compliance in 2026: A Complete Guide for SaaS Companies

Written by Deepika



Most SaaS founders and compliance teams encounter privacy law through GDPR first. The European regulation is expansive, its penalties are dramatic, and its extraterritorial reach means that virtually any company with European customers cannot ignore it. But there is a second major privacy law that applies to a significant portion of those same companies — one that is enforced by a dedicated state agency with an active investigative docket, that carries statutory damages of up to $7,500 per intentional violation, and that has been strengthened considerably since its original passage.

The California Consumer Privacy Act, as amended and expanded by the California Privacy Rights Act, is the most consequential consumer privacy law in the United States. It applies to any for-profit business that meets certain thresholds and does business in California — which, in practice, means most B2B SaaS companies operating in the US market. Unlike GDPR, which applies based on where your customers are located, CCPA applies based on where your business operates and where your customers reside. California has the fifth-largest economy in the world. The odds that your SaaS company has California-resident customers or employees are effectively 100%.

This guide covers what CCPA and CPRA require, who they apply to, what consumer rights they create, how enforcement works in 2026, and how the California privacy framework compares to GDPR for organizations navigating both.

Understanding the Relationship Between CCPA and CPRA

The California Consumer Privacy Act was signed into law in June 2018 and came into effect on January 1, 2020. It was the first comprehensive consumer privacy law enacted in the United States and introduced a set of consumer rights — the right to know, the right to delete, the right to opt out of sale — that had no equivalent in US federal law at the time.

The California Privacy Rights Act was passed by ballot initiative in November 2020 and came into full effect on January 1, 2023. It did not replace CCPA. It amended and substantially expanded it. CPRA added new consumer rights, created new categories of sensitive personal information with heightened protections, established the California Privacy Protection Agency as a dedicated enforcement authority, and introduced several concepts that brought California privacy law significantly closer to GDPR in its operational requirements.

When compliance professionals refer to CCPA today, they typically mean the combined framework — the original CCPA as amended by CPRA. The California Privacy Protection Agency (CPPA) has issued final regulations governing how both laws are implemented, and those regulations have been updated and expanded since CPRA's effective date. Understanding CCPA compliance in 2026 means understanding the law as it currently stands, not as it was written in 2018.

Who CCPA and CPRA Apply To

CCPA applies to for-profit businesses that do business in California and meet at least one of three thresholds. The first threshold is annual gross revenue exceeding $25 million. The second is buying, selling, receiving, or sharing the personal information of 100,000 or more California consumers or households annually. The third is deriving 50 percent or more of annual revenue from selling or sharing California consumers' personal information.

The $25 million revenue threshold catches most growth-stage and established SaaS companies. The 100,000-consumer threshold captures many early-stage companies, particularly those with free tiers, freemium products, or marketing databases that include California residents. The third threshold — deriving majority revenue from selling or sharing personal data — applies primarily to data brokers and ad-tech businesses.

CPRA raised the second threshold from 50,000 to 100,000 consumers, which narrowed the law's scope and removed some smaller businesses from it. But it simultaneously expanded the definition of sharing to include disclosing personal information to third parties for cross-context behavioral advertising — meaning that companies running standard retargeting and analytics stacks may be subject to sharing obligations even if they do not sell personal data in any conventional sense.

Service providers — the CCPA equivalent of GDPR processors — are not directly subject to most CCPA obligations, but they must operate under written contracts with businesses that restrict the purposes for which they can use personal information. If your SaaS product processes the personal data of your customers' California-resident end users under a service agreement, you are operating as a service provider, and your contracts must reflect that role.

Employees and job applicants are covered by the CCPA and CPRA regarding their personal information. The employee exemption that existed under the original CCPA expired on January 1, 2023, and was not renewed. California-based employees and California-resident job applicants now have full CCPA rights regarding their personal information, which has compliance implications for HR systems, applicant tracking platforms, and payroll processors.

What Personal Information Means Under CCPA

CCPA defines personal information broadly as information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked — directly or indirectly — with a particular consumer or household. This definition is wider than most US legal definitions of personal information and encompasses a long list of categories that businesses routinely handle.

The statutory categories include identifiers such as names, email addresses, IP addresses, and account names; commercial information including purchase history and customer records; internet or other electronic network activity such as browsing history and interaction with a website or application; geolocation data; professional or employment-related information; and inferences drawn from any of the above to create a profile about a consumer.

CPRA introduced the concept of sensitive personal information, a subcategory that carries heightened obligations. Sensitive personal information includes Social Security numbers and government identifiers, financial account credentials, precise geolocation data, racial or ethnic origin, religious beliefs, union membership, the contents of mail, email, and text messages, genetic data, biometric information processed for identification purposes, health information, and information concerning sex life or sexual orientation.

Businesses that use sensitive personal information for purposes other than those exempted by the regulations must provide consumers with the right to limit that use. This right to limit use of sensitive personal information is one of the rights added by CPRA and has no direct equivalent in the original CCPA.

The Consumer Rights Created by CCPA and CPRA

CCPA and CPRA together create seven distinct consumer rights that businesses must operationalize. Each right requires a corresponding procedure — a mechanism for receiving requests, verifying the identity of the requester, fulfilling the request within the required timeframe, and maintaining records of requests received and completed.

The right to know allows consumers to request that a business disclose what personal information it has collected about them, the categories and specific pieces of information collected, the sources from which it was collected, the purposes for collection and use, and the categories of third parties with whom it has been shared.

The right to delete allows consumers to request deletion of their personal information. Businesses must delete the information and direct their service providers and contractors to do the same. There are exceptions — personal information needed to complete a transaction, detect security incidents, comply with a legal obligation, or enable certain internal uses may be retained — but the default obligation is deletion.

The right to correct was added by CPRA and requires businesses to correct inaccurate personal information upon a verified consumer request. This right has no equivalent in the original CCPA and is analogous to GDPR's right to rectification.

The right to opt out of sale or sharing allows consumers to direct a business not to sell their personal information or share it with third parties for cross-context behavioral advertising. Businesses that sell or share personal information must provide a clear and conspicuous opt-out mechanism — the "Do Not Sell or Share My Personal Information" link — on their homepage and in their privacy policy.

The right to limit use of sensitive personal information allows consumers to direct businesses to restrict their use of sensitive personal information to the purposes specified in the regulations. Businesses that use sensitive personal information for other purposes must provide a separate opt-out mechanism — the "Limit the Use of My Sensitive Personal Information" link.

The right to non-discrimination prohibits businesses from discriminating against consumers who exercise their CCPA rights by denying goods or services, charging different prices, or providing a different level of service quality. Financial incentive programs — loyalty programs, discounts in exchange for data — are permitted but must meet specific disclosure requirements.

The right to data portability requires that, when a consumer makes a request to know, the information must be provided in a portable, readily usable format that allows transmission to another entity, to the extent technically feasible.

All requests must be fulfilled within 45 days of receipt, with one 45-day extension available when reasonably necessary. Businesses must provide at least two methods for submitting requests: a toll-free phone number for businesses that operate primarily online, or a web form for those without a physical presence.

What Businesses Must Have in Place

Beyond responding to individual consumer rights requests, CCPA and CPRA impose a set of baseline operational requirements that apply regardless of whether any consumer ever exercises a right.

A compliant privacy policy is required. The privacy policy must disclose the categories of personal information collected in the past 12 months, the purposes for which each category is used, the categories of sources from which information is collected, whether personal information is sold or shared and to whom, the consumer rights available under CCPA, and how to submit a request. The policy must be updated at least every 12 months.

A privacy notice at collection must be provided at or before the point of collection. This is a separate, shorter notice — distinct from the full privacy policy — that discloses the categories of personal information collected and the purposes for which it is collected. Many businesses satisfy this with a banner or pop-up, but the notice must be specific to the context of collection, not generic.

Contracts with service providers and contractors must include the specific terms required by the CCPA and the CPRA. These terms must prohibit the service provider from retaining, using, or disclosing personal information for any purpose other than performing the contracted services, certify that the service provider understands and will comply with these restrictions, and grant the business the right to audit compliance. Without these contractual terms, a disclosure to a service provider may be treated as a sale under CCPA, which triggers opt-out obligations the business may not have anticipated.

A data inventory or records of processing activities is not explicitly required by CCPA the way it is by GDPR, but it is functionally necessary for responding to consumer rights requests, completing privacy risk assessments, and demonstrating compliance in the event of an enforcement investigation. The CPPA's regulations make clear that businesses are expected to know what personal information they collect, where it goes, and how long they keep it.

A data retention policy is required. CPRA explicitly prohibits retaining personal information for longer than is reasonably necessary for the disclosed purpose of collection. Businesses must have a retention schedule that defines how long each category of personal information is kept and on what basis.

A privacy risk assessment is required for processing activities that present a significant risk to consumers. CPRA requires the CPPA to establish risk assessment regulations, and the agency has been developing these requirements through its rulemaking process. Businesses engaged in high-risk processing — selling personal information, using sensitive personal information for targeted advertising, profiling consumers in ways that produce significant decisions — should expect formal risk assessment requirements to be operationally mandated in 2026.

How Enforcement Works in 2026

CCPA enforcement was originally the exclusive domain of the California Attorney General, who could bring civil actions against businesses for violations. CPRA created the California Privacy Protection Agency — a dedicated state agency with investigative, prosecutorial, and rulemaking authority — and transferred enforcement authority to the CPPA while preserving the Attorney General's concurrent enforcement power.

The CPPA began issuing enforcement actions and investigative notices in 2023 and 2024. Its early enforcement priorities have focused on opt-out mechanisms — specifically, whether businesses offering financial incentive programs have valid opt-in consent, and whether "Do Not Sell or Share" mechanisms actually function as represented. The CPPA has also focused on dark patterns — user interface designs that make it difficult for consumers to exercise their rights or that manipulate consent.

Statutory penalties under CCPA are $2,500 per unintentional violation and $7,500 per intentional violation. For a business that has collected personal information from hundreds of thousands of California residents without a compliant opt-out mechanism, the per-violation math becomes serious quickly. The CPPA does not need to prove harm to a specific individual — the violation of the statutory requirement is itself the basis for the penalty.

A private right of action exists for data breaches involving certain categories of personal information that result from a business's failure to implement reasonable security procedures. Consumers can recover between $100 and $750 per incident, or actual damages if greater. Class-action litigation under this provision is ongoing.

The CPPA has also been explicit about its intention to investigate based on its own initiative — through research, complaints, and proactive scanning — rather than waiting for consumer complaints. Businesses should not assume that the absence of a complaint means there is no risk.

How CCPA Compares to GDPR

For compliance teams managing both GDPR and CCPA, understanding where the frameworks align and where they diverge is essential to building a single, efficient privacy program rather than two parallel ones.

The consent model is the most significant structural difference. GDPR is fundamentally opt-in for most processing that goes beyond narrowly defined legitimate interests — businesses must have a lawful basis, and for marketing and profiling, that basis is typically consent. CCPA is fundamentally opt-out — businesses can collect and use personal information and must provide a mechanism for consumers to object, but the default is that processing is permitted unless the consumer exercises their right to opt out of the sale or sharing of their information.

The definition of personal information is broader under CCPA for some categories — particularly household-level information, which CCPA covers explicitly — but GDPR's definition of personal data has been interpreted expansively by European data protection authorities and in practice covers similar ground.

Data subject rights are comparable but not identical. Both frameworks include rights to access, deletion, correction, and portability. CCPA's right to limit use of sensitive personal information has no direct GDPR equivalent, though GDPR's restrictions on special category data achieve a similar protective purpose through different mechanisms. GDPR includes a right to object and rights related to automated decision-making that CCPA does not replicate with equivalent specificity.

Records of processing activities are mandatory under GDPR (Article 30) for most organizations. CCPA does not impose an equivalent explicit requirement, but as described above, maintaining such records is a practical necessity for compliance. Organizations already maintaining GDPR Article 30 records can leverage that documentation directly for CCPA compliance purposes with relatively modest extensions.

The processor/controller distinction maps closely. GDPR's controller and processor map to CCPA's business and service provider. The contractual requirements for service provider agreements under CCPA are similar in purpose to GDPR's data processing agreements, though the specific required terms differ. Organizations with GDPR-compliant DPAs in place will need to review them against CCPA requirements and supplement where necessary.

For organizations subject to both frameworks, the most efficient approach is to build a privacy program on the GDPR foundation — which has more demanding baseline requirements — and layer CCPA-specific requirements on top. The records of processing activities, the data subject rights procedures, the data retention schedule, the vendor contractual framework, and the privacy by design process can all serve both regulatory purposes with appropriate calibration.

Building a CCPA Compliance Program in Practice

A CCPA compliance program that will withstand regulatory scrutiny in 2026 requires more than a privacy policy update and a "Do Not Sell" link. The operational infrastructure behind those visible elements is what auditors and regulators examine.

Start with a data inventory. Before you can disclose what personal information you collect, respond to access and deletion requests, or demonstrate that retention periods are being observed, you need to know what personal information your organization collects, where it comes from, where it goes, and how long it is kept. This inventory does not need to be exhaustive on day one, but it must be accurate enough to support the disclosures in your privacy policy and to fulfill consumer rights requests.

Audit your vendor contracts. Every third party that receives personal information from your organization — analytics platforms, cloud infrastructure providers, marketing tools, customer support systems, subprocessors of any kind — must be covered by a contract that meets CCPA service provider requirements. Identify the gaps. Prioritize vendors that receive significant volumes of personal information or sensitive personal information. Update or replace agreements that do not contain the required terms.

Build the consumer rights request mechanism. Decide how requests will be received — web form, email address, toll-free number — and how they will be routed internally for fulfillment. Define who is responsible for verifying requestor identity, who is responsible for querying systems to locate personal information, who is responsible for coordinating deletion across internal systems and with service providers, and who is responsible for sending the response to the consumer. Document the procedure. Test it.

Review your opt-out mechanism. If your organization sells personal information or shares it for cross-context behavioral advertising — which may include standard third-party advertising and analytics integrations — verify that your opt-out link is present, functional, and actually effectuates the opt-out rather than merely recording a preference that is technically not honored.

Update your privacy policy and notice at collection. Ensure that the categories of personal information disclosed in the privacy policy match what your data inventory shows you actually collect. Ensure that the notice at collection is provided at the point of collection for each context in which you collect personal information, not only on the main website.

Establish a retention schedule and enforce it. Define retention periods for each category of personal information in your inventory. Implement technical controls or operational procedures to delete or de-identify personal information when retention periods expire. Document the schedule and review it annually.
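The request-handling and deletion-coordination steps above, together with the 45-day window, single extension and deletion exceptions described under the consumer rights section, as one added Python illustration (constructed for this guide; not dsalta's or the CPPA's code): it records every request, gates action on identity verification, enforces the one-extension cap, and fans a verified deletion request out across a data inventory, directing service providers separately and recording systems retained under a statutory exception. The inventory, the system names and the two-data-point verification rule are assumptions, not requirements stated on the page.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta

RESPONSE_DAYS = 45     # statutory window to respond to a verified request
EXTENSION_DAYS = 45    # one extension is available when reasonably necessary
MAX_EXTENSIONS = 1

# Constructed data inventory (assumed, not from the page): which systems hold
# personal information, whether a service provider operates each one, and any
# statutory reason the data may be retained despite a deletion request.
INVENTORY = {
    "crm":          {"service_provider": False, "exception": None},
    "support-desk": {"service_provider": True,  "exception": None},
    "analytics":    {"service_provider": True,  "exception": None},
    "billing":      {"service_provider": False, "exception": "complete a transaction"},
    "siem":         {"service_provider": True,  "exception": "detect security incidents"},
}


@dataclass
class Request:
    request_id: str
    kind: str                  # know, delete, correct, opt-out, limit-spi
    received: date
    status: str = "received"   # received -> verified -> fulfilled
    extensions: int = 0
    audit: list = field(default_factory=list)   # record kept for every request

    def due(self) -> date:
        return self.received + timedelta(days=RESPONSE_DAYS + EXTENSION_DAYS * self.extensions)

    def extend(self, on: date, reason: str) -> date:
        if self.extensions >= MAX_EXTENSIONS:
            raise ValueError("only one 45-day extension is available")
        self.extensions += 1
        self.audit.append((on, f"extended: {reason}"))
        return self.due()

    def verify(self, on: date, matched_points: int, required: int = 2) -> bool:
        # Assumed verification policy: the requester must match `required`
        # data points already on file before the request is acted on.
        ok = matched_points >= required
        if ok:
            self.status = "verified"
        self.audit.append((on, f"verification {'passed' if ok else 'failed'}"))
        return ok

    def fulfil(self, on: date) -> None:
        self.status = "fulfilled"
        self.audit.append((on, "fulfilled"))

    def overdue(self, today: date) -> bool:
        return self.status != "fulfilled" and today > self.due()


def deletion_plan(req: Request, on: date) -> dict:
    """Fan a verified delete request out over the inventory: purge internal systems,
    direct service providers in writing, and record exception-based retention."""
    if req.kind != "delete" or req.status != "verified":
        raise ValueError("only verified delete requests can be actioned")
    plan = {"purge": [], "direct_service_provider": [], "retain": {}}
    for system, meta in INVENTORY.items():
        if meta["exception"]:
            plan["retain"][system] = meta["exception"]
        elif meta["service_provider"]:
            plan["direct_service_provider"].append(system)
        else:
            plan["purge"].append(system)
    req.audit.append((on, f"deletion plan issued: {plan}"))
    return plan
```

The audit list on each request is the record of requests received and completed that the consumer rights section says must be maintained; a real deployment would persist it rather than keep it in memory.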

The Risk of Treating CCPA as a Check-the-Box Exercise

The California Privacy Protection Agency has been explicit that it intends to enforce CCPA as a substantive law, not as a notice-and-disclosure requirement. The early enforcement actions and investigative focus on opt-out mechanisms, dark patterns, and financial incentive programs signal that the CPPA is examining whether privacy rights are real and functional — not whether privacy disclosures are technically present.

For SaaS companies, the reputational and commercial risks of a CPPA enforcement action or a class-action data-breach lawsuit significantly exceed the operational investment required to build a compliant privacy program. Enterprise buyers with California operations are increasingly including CCPA compliance representations in vendor contracts. Investors conducting due diligence on Series B and later-stage rounds are treating privacy compliance as part of legal risk assessment.

Building a CCPA program that genuinely reflects the law's requirements — complete data inventory, functioning consumer rights procedures, compliant vendor contracts, honest opt-out mechanisms — is both the right approach from a compliance standpoint and the one that creates defensible documentation if the CPPA ever comes looking.

dsalta helps SaaS companies build privacy compliance programs that meet CCPA, CPRA, and GDPR requirements within a single integrated framework — from data mapping to automated evidence collection.
