
CCPA for SaaS Companies: Compliance Guide

SaaS companies face unique CCPA considerations due to their business model, data processing relationships, and typical customer base. Understanding these nuances is essential for effective compliance.

Key Takeaways

| Point | Summary |
|---|---|
| Dual role | SaaS companies often act as both a business and a service provider |
| B2B focus | Many SaaS companies primarily collect business contact data |
| Data flow complexity | Customer data flows create service provider relationships |
| Product implications | Product features may need CCPA-enabling capabilities |
| Enterprise requirements | B2B customers increasingly require CCPA compliance |

Quick Answer: SaaS companies must understand their dual role as a business (for direct relationships) and service provider (for customer data). Compliance requires privacy notices, consumer rights processes, service provider contracts, and potentially product features that enable customer compliance.

SaaS Business Models and CCPA

Direct vs. Customer Data

| Data Type | Your Role | CCPA Implications |
|---|---|---|
| Direct customers | Business | Full CCPA obligations |
| Website visitors | Business | Full CCPA obligations |
| Customer's end users | Service provider | Contractual obligations |
| Employee data | Business | Full CCPA obligations |

Common SaaS Data Categories

| Category | Examples | Role |
|---|---|---|
| Account information | Customer name, email, billing | Business |
| Usage data | Feature usage, logs | Business |
| Customer content | Data stored by customers | Service provider |
| End-user data | Customer's users' information | Service provider |
| Marketing leads | Website form submissions | Business |

Determining Applicability

Revenue Threshold

For a detailed breakdown of applicability, see who needs CCPA compliance.

| Consideration | Details |
|---|---|
| ARR calculation | Annual recurring revenue counts toward the threshold |
| All revenue | Worldwide gross revenue counts, not just revenue from California customers |
| Parent company | Consider common ownership and shared branding across affiliated entities |
| 2025 threshold | $26.625 million |

Data Volume Threshold

| Consideration | Details |
|---|---|
| Direct users | Your own customers and website visitors |
| Not customer data | End users inside customer accounts are your customer's consumers, not yours |
| California identification | You need a reasonable method to identify California users |
| 2025 threshold | 100,000 California consumers or households |

Data Revenue Threshold

| Consideration | Details |
|---|---|
| Typical SaaS | Usually well under 50% of revenue from selling or sharing personal information |
| Analytics products | May derive revenue from data monetization |
| Ad-supported | May involve data sharing for advertising |

SaaS as a Business

Direct Customer Compliance

| Obligation | Action |
|---|---|
| Privacy policy | Cover account data, usage data, marketing |
| At-collection notice | Form disclosures, app notifications |
| Opt-out | If selling/sharing marketing data |
| Consumer rights | Handle customer requests |

Website and Marketing

| Activity | CCPA Consideration |
|---|---|
| Website analytics | May involve sharing for advertising |
| Marketing pixels | May constitute sale/sharing |
| Lead forms | At-collection notice needed |
| Email marketing | Opt-out considerations |

Employee Data

| Obligation | Action |
|---|---|
| At-collection notice | Provide during hiring |
| Privacy policy | Cover employee data categories |
| Consumer rights | Handle employee requests |

SaaS as Service Provider

Contract Requirements

| Term | Requirement |
|---|---|
| Purpose limitation | Only process for specified purposes |
| Use restriction | Cannot use for own purposes |
| Sale/sharing prohibition | Cannot sell or share customer data |
| Subprocessor requirements | Same restrictions flow down |
| Consumer rights assistance | Help customers respond to requests |

Customer Data Processing

| Obligation | Action |
|---|---|
| Documentation | Document processing purposes |
| Access controls | Limit internal access to customer data |
| Data segregation | Keep customer data separate |
| Deletion capability | Enable customer data deletion |
| Export capability | Enable data portability |

Data Processing Agreement (DPA)

| Element | Purpose |
|---|---|
| Processing purposes | Define permitted uses |
| Subprocessors | List and notify of changes |
| Security measures | Document security controls |
| Consumer rights | Process for handling requests |
| Audit rights | Customer verification rights |

Product Considerations

CCPA-Enabling Features

| Feature | Purpose |
|---|---|
| Data export | Support customer Right to Know obligations |
| Deletion API | Support customer deletion requests |
| Access controls | Enable customer data governance |
| Consent management | If product involves advertising/tracking |
| Audit logs | Document access and changes |

Product Documentation

| Documentation | Purpose |
|---|---|
| Data practices | Help customers understand data flows |
| Security documentation | Demonstrate reasonable security |
| Subprocessor list | Transparency about data sharing |
| Deletion process | How customers can delete data |

Enterprise Customer Requirements

Common Customer Asks

| Request | Response |
|---|---|
| DPA with CCPA terms | Provide compliant DPA |
| Security questionnaire | Complete with CCPA questions |
| Subprocessor list | Publish and maintain list |
| SOC 2 report | Demonstrate security practices |
| Right to audit | Include audit provisions in contract |

Certification and Attestation

| Approach | Details |
|---|---|
| SOC 2 + CCPA | Add CCPA criteria to SOC 2 scope |
| Self-attestation | Certify compliance in contracts |
| Third-party assessment | Engage assessor for verification |

Technical Implementation

Data Mapping

| Step | Action |
|---|---|
| Inventory | Document all fields that hold personal information (PI) |
| Classification | Categorize according to CCPA categories |
| Flow mapping | Document data movement |
| Purpose alignment | Match data to business purposes |

Consumer Rights Infrastructure

| Capability | Implementation |
|---|---|
| Request intake | API or interface for requests |
| Identity verification | Match requester to account |
| Data retrieval | Query systems for consumer data |
| Deletion | Remove from active systems; propagate to backups over the retention cycle |
| Logging | Track request handling |

Multi-Tenancy Considerations

| Consideration | Approach |
|---|---|
| Data isolation | Logical or physical separation |
| Access controls | Tenant-level permissions |
| Cross-tenant queries | Prevent unauthorized access |
| Deletion completeness | Ensure tenant data is fully removed |
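The isolation and deletion-completeness points above, as an added example that is not code from the original guide. Every read goes through a data-access object bound to the authenticated tenant, so a forgotten tenant predicate (the classic cross-tenant IDOR) cannot happen, and tenant deletion is verified against every table that can hold tenant data. The schema, the tenant names and the rows are constructed for the example; a real service would get the same effect from row-level security or a per-tenant schema.

```python
"""Tenant isolation and deletion completeness in a multi-tenant store (added example)."""
import sqlite3


class TenantIsolationError(Exception):
    """A caller tried to act on a tenant other than the one it is bound to."""


# Every table that can hold tenant data. delete_tenant() walks this list, so a
# table missing from it is the "deleted users, forgot audit_log" failure.
TENANT_TABLES = ("users", "documents", "audit_log")


def init_db():
    """In-memory database with two constructed tenants, acme and globex."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE users     (tenant_id TEXT, id INTEGER, email TEXT);
        CREATE TABLE documents (tenant_id TEXT, id INTEGER, body TEXT);
        CREATE TABLE audit_log (tenant_id TEXT, id INTEGER, event TEXT);
    """)
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", [
        ("acme", 1, "alice@example.com"), ("acme", 2, "bob@example.com"),
        ("globex", 1, "carol@example.com")])      # id 1 exists in both tenants on purpose
    conn.executemany("INSERT INTO documents VALUES (?, ?, ?)", [
        ("acme", 10, "acme roadmap"), ("globex", 20, "globex budget")])
    conn.executemany("INSERT INTO audit_log VALUES (?, ?, ?)", [
        ("acme", 100, "login"), ("globex", 200, "login")])
    conn.commit()
    return conn


class TenantScope:
    """Data-access object bound to one tenant; it has no unscoped query method."""

    def __init__(self, conn, tenant_id):
        self.conn = conn
        self.tenant_id = tenant_id

    def require_tenant(self, tenant_id):
        """For requests that name a tenant explicitly (e.g. /tenants/{id}/...):
        the named tenant must match the authenticated scope."""
        if tenant_id != self.tenant_id:
            raise TenantIsolationError(f"scope {self.tenant_id} cannot access {tenant_id}")

    def rows(self, table):
        if table not in TENANT_TABLES:   # table name is validated before interpolation
            raise ValueError(f"unknown table {table}")
        return self.conn.execute(
            f"SELECT * FROM {table} WHERE tenant_id = ?", (self.tenant_id,)).fetchall()

    def get_document(self, doc_id):
        """The tenant predicate is always part of the lookup, so another tenant's
        id returns nothing instead of leaking the row."""
        return self.conn.execute(
            "SELECT id, body FROM documents WHERE tenant_id = ? AND id = ?",
            (self.tenant_id, doc_id)).fetchone()

    def user_emails(self):
        return [row[2] for row in self.rows("users")]


def remaining_tables(conn, tenant_id):
    """Tables that still hold rows for tenant_id; an empty list means deletion is complete."""
    left = []
    for table in TENANT_TABLES:
        count = conn.execute(f"SELECT COUNT(*) FROM {table} WHERE tenant_id = ?",
                             (tenant_id,)).fetchone()[0]
        if count:
            left.append(table)
    return left


def delete_tenant(conn, tenant_id):
    """Delete a tenant from every table, then report anything left behind."""
    for table in TENANT_TABLES:
        conn.execute(f"DELETE FROM {table} WHERE tenant_id = ?", (tenant_id,))
    conn.commit()
    return remaining_tables(conn, tenant_id)


if __name__ == "__main__":
    db = init_db()
    acme = TenantScope(db, "acme")
    print(acme.get_document(10), acme.get_document(20))   # globex's document is invisible
    print(delete_tenant(db, "acme"), remaining_tables(db, "globex"))
```

The point of `TENANT_TABLES` is that the deletion routine and the completeness check iterate the same list, so adding a table to the schema without adding it here shows up as a leftover in the verification step rather than as silently retained data.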

Common SaaS Challenges

Challenge: Identifying California Consumers

| Approach | Consideration |
|---|---|
| Billing address | Most reliable for customers |
| IP geolocation | Approximation for visitors |
| Self-identification | Rely on the consumer's statement |
| Universal treatment | Apply CCPA rights to all users |

Challenge: Data Across Multiple Systems

| System | Consideration |
|---|---|
| Production database | Primary data store |
| Analytics systems | May contain PI |
| Backup systems | Deletion must propagate |
| Third-party tools | CRM, support, marketing |
| Logs | May contain PI |

Challenge: Customer vs. End-User Data

| Scenario | Approach |
|---|---|
| Customer makes request | Fulfill as business |
| Customer's user makes request | Route to customer |
| Direct request for customer data | Verify authority |
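An added example, not code from the original guide, that ties together the Consumer Rights Infrastructure table (intake, identity verification, retrieval across systems, deletion, logging), the multi-system inventory and the customer-vs-end-user routing rules above. The stores, the request shape, the tenant names and the sample records are constructed for the example.

```python
"""Consumer rights request pipeline for a SaaS backend (added example)."""
import hashlib
import time

# Data we hold as a BUSINESS: our own customers, leads, telemetry, support, logs.
STORES = {
    "accounts":  {"alice@example.com": {"id": 1, "billing_state": "CA"}},
    "leads":     {"dave@example.com": {"source": "webinar form"}},
    "analytics": [{"account_id": 1, "event": "login"}, {"account_id": 1, "event": "export"}],
    "support":   [{"email": "alice@example.com", "ticket": "T-1"}],
    "app_logs":  ["2025-01-02 INFO user=alice@example.com action=login"],
}
# Customer content we hold only as a SERVICE PROVIDER: the customer is the
# business for these people, so requests about them are routed, not answered.
TENANT_END_USERS = {"acme": {"erin@example.com"}, "globex": {"frank@example.com"}}

BACKUP_TOMBSTONES = set()   # applied by every restore job before restored data goes live
AUDIT_LOG = []


def subject_hash(email):
    """Audit entries carry a hash of the address so the log is not one more PI store."""
    return hashlib.sha256(email.strip().lower().encode()).hexdigest()[:16]


def audit(request_id, email, action, outcome):
    AUDIT_LOG.append({"ts": time.time(), "request": request_id,
                      "subject": subject_hash(email), "action": action, "outcome": outcome})


def classify(email):
    """'business' if we decide how this person's data is used; 'service_provider'
    plus the tenant if the address exists only inside a customer's account."""
    if email in STORES["accounts"] or email in STORES["leads"]:
        return "business", None
    for tenant, users in TENANT_END_USERS.items():
        if email in users:
            return "service_provider", tenant
    return "business", None   # unknown person: a direct request, answered with no records


def verify_identity(req):
    """Match the requester to the account: the request must arrive through an
    address we have verified (e.g. a confirmation link) and that address must be
    the subject's own. The regulations scale the required certainty with the
    sensitivity of the data, so deleting a whole account would add a second
    check (password or 2FA) on top of this."""
    return bool(req.get("email_verified")) and req.get("requester") == req["subject"]


def retrieve(email):
    """Collect the consumer's records from every system that can hold PI."""
    found = {}
    acct = STORES["accounts"].get(email)
    if acct:
        found["accounts"] = acct
        found["analytics"] = [e for e in STORES["analytics"] if e["account_id"] == acct["id"]]
    if email in STORES["leads"]:
        found["leads"] = STORES["leads"][email]
    if tickets := [t for t in STORES["support"] if t["email"] == email]:
        found["support"] = tickets
    if lines := [line for line in STORES["app_logs"] if email in line]:
        found["app_logs"] = lines
    return found


def delete(email):
    """Remove from active systems now. Backups get a tombstone instead of a
    rewrite: the regulations allow deleting from archived or backup data when it
    is next accessed or restored. Statutory deletion exceptions (e.g. records
    kept for a legal obligation) are not modeled here."""
    acct = STORES["accounts"].pop(email, None)
    if acct:
        STORES["analytics"] = [e for e in STORES["analytics"] if e["account_id"] != acct["id"]]
    STORES["leads"].pop(email, None)
    STORES["support"] = [t for t in STORES["support"] if t["email"] != email]
    STORES["app_logs"] = [line for line in STORES["app_logs"] if email not in line]
    BACKUP_TOMBSTONES.add(subject_hash(email))


def handle_request(req):
    """req = {"id", "type": "know" | "delete", "subject": email,
              "requester": email, "email_verified": bool}"""
    subject, kind = req["subject"], req["type"]
    role, tenant = classify(subject)
    if role == "service_provider":
        audit(req["id"], subject, kind, f"routed:{tenant}")
        return {"status": "routed", "route_to": tenant}
    if not verify_identity(req):
        audit(req["id"], subject, kind, "verification_required")
        return {"status": "verification_required"}
    if kind == "know":
        records = retrieve(subject)
        audit(req["id"], subject, kind, f"fulfilled:{len(records)} systems")
        return {"status": "fulfilled", "records": records}
    if kind == "delete":
        delete(subject)
        audit(req["id"], subject, kind, "fulfilled")
        return {"status": "fulfilled", "active_systems_cleared": retrieve(subject) == {}}
    raise ValueError(f"unsupported request type {kind}")
```

Two design choices worth copying: the routing decision comes before identity verification, so the service-provider path never asks an end user to prove an identity we have no business verifying, and the audit log records a hash of the subject rather than the address, so the request-handling record does not itself become another system that a later deletion request has to reach.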

Integration Considerations

Third-Party Services

| Service Type | CCPA Consideration |
|---|---|
| Analytics | May involve sharing |
| Customer support | Service provider relationship |
| Payment processing | Service provider relationship |
| Email marketing | May involve sharing |
| Advertising | Likely involves sharing |

APIs and Integrations

| Integration | Consideration |
|---|---|
| Customer integrations | The customer remains the business (the CCPA term; "controller" is GDPR vocabulary) |
| Third-party data sources | Understand the data's origin |
| Marketplace apps | Define data responsibilities clearly |

Compliance Checklist for SaaS

As a Business

  • Update privacy policy for direct users
  • Implement at-collection notices
  • Build consumer rights request process
  • Configure opt-out for marketing/advertising
  • Implement GPC signal detection
  • Create employee privacy notice
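The GPC item in the checklist above, as an added example that is not code from the original guide. A browser with Global Privacy Control enabled sends the request header `Sec-GPC: 1`, and the CCPA regulations require a business to treat a valid signal as an opt-out of sale/sharing. The tag classification, the opt-out store and the `lastUpdate` date are assumptions for the example.

```python
"""Detecting and honoring the Global Privacy Control (GPC) signal (added example)."""

# Third-party tags this site loads and whether each one amounts to selling or
# sharing personal information (assumed classification for the example).
TAGS = {
    "product_analytics": {"sale_or_share": False},   # first-party, under service-provider terms
    "ad_pixel":          {"sale_or_share": True},
    "retargeting":       {"sale_or_share": True},
}
OPT_OUTS = {}   # consumer id -> how the opt-out was received


def gpc_present(headers):
    """The GPC spec defines the header value as exactly '1'; anything else is not
    a signal. Header names are matched case-insensitively, as HTTP requires."""
    lowered = {name.lower(): value for name, value in headers.items()}
    return lowered.get("sec-gpc", "").strip() == "1"


def process_request(headers, consumer_id=None):
    """Decide which tags may load for this request and persist the opt-out.
    Anonymous visitors are honored per request; for an identified consumer the
    opt-out is stored so it also covers later visits without the header and any
    server-side sharing."""
    opted_out = gpc_present(headers)
    if consumer_id is not None:
        if opted_out:
            OPT_OUTS.setdefault(consumer_id, "gpc")
        opted_out = opted_out or consumer_id in OPT_OUTS
    allowed = [name for name, tag in TAGS.items() if not (opted_out and tag["sale_or_share"])]
    return {"opted_out": opted_out, "tags": allowed}


def gpc_wellknown():
    """Body served at /.well-known/gpc.json to state that the site honors GPC
    (lastUpdate is a constructed date for the example)."""
    return {"gpc": True, "lastUpdate": "2025-01-01"}
```

The check is deliberately an exact match on `"1"`: the specification reserves other values, and treating `"0"` or an empty header as an opt-out would mis-record consumers who never asked for one.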

As a Service Provider

For detailed contract requirements, see service provider requirements.

  • Update customer contract with CCPA terms
  • Document processing purposes
  • Implement deletion capability
  • Implement export capability
  • Publish subprocessor list
  • Train support team on request routing

Product

  • Assess product for CCPA-enabling features
  • Build data export functionality
  • Build deletion functionality
  • Create customer documentation
  • Consider consent management features

How Bastion Helps

SaaS companies have unique compliance needs spanning direct operations and customer relationships.

| Challenge | How We Help |
|---|---|
| Dual role clarity | Analyze your business model and obligations |
| DPA creation | CCPA-compliant data processing agreements |
| Product assessment | Identify CCPA-enabling feature needs |
| Enterprise readiness | Prepare for customer compliance requirements |
| Security alignment | Map security practices to reasonable security |
| Vendor management | Subprocessor compliance and documentation |

Ready to address CCPA compliance for your SaaS business? Talk to our team →
