The California Email You Weren't Expecting
A customer emails asking to delete their data under "CCPA rights." You're a B2B SaaS company based in Texas. Does California law even apply to you? (Spoiler: probably yes.)
The California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), is the most comprehensive privacy law in the US. If you have California customers, or customers with California employees, and you meet the thresholds below, you need to comply.
This guide cuts through the confusion to explain what CCPA/CPRA actually requires of B2B companies, and how to comply without over-engineering.
Does CCPA/CPRA Apply to Your Business?
CCPA applies to for-profit businesses that do business in California, collect California residents' personal information, AND meet any of these thresholds:
- Revenue Threshold — Annual gross revenue over $25 million in the preceding calendar year (the figure is adjusted periodically for inflation)
- Data Volume — Buy, sell, or share the personal information of 100,000 or more California consumers or households per year
- Data Revenue — Derive 50%+ of annual revenue from selling or sharing California residents' personal information
"We're B2B, not B2C" doesn't exempt you. If your B2B customers have California employees using your product, that's California resident data. A 500-person company with 10% California-based employees means 50 California residents in your system—per customer.
What Counts as Personal Information?
Definitely Covered:
- Names and contact information
- IP addresses and device identifiers
- Geolocation data
- Employment information
- Commercial information (purchase history)
- Internet activity (browsing, search history)
Not Covered (or only partly):
- Publicly available information, such as government records
- Deidentified or aggregate data
- Protected health information already regulated by HIPAA
- Financial information already regulated by GLBA
Note that the original CCPA's exemptions for employee data and for B2B contact data expired on January 1, 2023. Personal information about your customers' employees and business contacts, and about your own California workforce, is now fully in scope.
The CCPA/CPRA Compliance Checklist
1. Privacy Notice Requirements
Why it matters: CCPA requires specific disclosures about your data practices. Generic privacy policies don't cut it.
- Categories of Information — List what types of personal info you collect.
- Purpose of Collection — Explain why you collect each category.
- Third-Party Sharing — Disclose who you share data with and why.
- Consumer Rights — Explain the rights California residents have.
- Contact Methods — Provide at least two methods to submit requests (a toll-free number is required unless you operate exclusively online and have a direct relationship with the consumer).
- Update Annually — Review and update your privacy notice each year.
CPRA added new requirements: disclose how long you retain each data category (or the criteria used to determine that period), explain whether you collect or use sensitive personal information, and describe any automated decision-making technology you use.
2. Consumer Rights Handling
Why it matters: California residents have specific rights. You need processes to handle requests.
- Request Intake — Provide at least two methods (web form, email, and a toll-free number unless you are online-only with a direct consumer relationship).
- Identity Verification — Verify the requestor is who they claim to be by matching against data points you already hold. Do not require the requestor to create an account, and ask for additional identifying information only when you cannot verify otherwise; deletion of sensitive data warrants a higher degree of certainty than a request to know categories.
- Response Process — Document how you'll handle each type of request (know, delete, correct, opt out of sale/sharing, limit use of sensitive PI), including the clock: confirm receipt within 10 business days and respond within 45 calendar days, extendable once by a further 45 days if you notify the consumer.
- Tracking — Log every request, the verification performed, the actions taken, and the response dates as compliance evidence.
3. Data Inventory and Mapping
Why it matters: You can't comply with "delete my data" if you don't know where data lives.
- Data Sources — Where do you collect California resident data?
- Data Storage — Where is it stored (databases, backups, analytics, logs)? Backups matter: deletion from archived or backup copies may be deferred until that backup is restored or next accessed, but you must track that it is still pending.
- Data Sharing — Which vendors/partners receive this data?
- Retention Periods — How long do you keep each data category?
4. Vendor Management
Why it matters: If vendors process California data on your behalf, you need contracts in place.
- Service Provider Agreements — Contracts limiting vendor use of data to the business purposes you specify, prohibiting sale or sharing, and requiring the vendor to comply with CCPA and to notify you if it can no longer do so.
- Contractor Agreements — Similar restrictions for contractors, plus the contractor's certification that it understands and will comply with them.
- Flow-Down Requirements — Ensure vendors delete data when you request (including from their own sub-processors) and notify you before engaging new sub-processors.
- Annual Review — Verify vendor compliance annually.
CPRA created stricter requirements for "contractors" vs. "service providers." Know which category each vendor falls into—the contractual requirements differ.
5. Sensitive Personal Information (CPRA)
Why it matters: CPRA added extra protections for sensitive data categories.
Sensitive personal information includes:
- Social Security, driver's license, state ID, or passport numbers
- Account log-in or financial account numbers combined with the credentials needed to access them
- Precise geolocation
- Racial or ethnic origin, citizenship or immigration status, religious or philosophical beliefs, union membership
- Contents of mail, email, and text messages, unless you are the intended recipient
- Genetic data, biometric data processed to uniquely identify a person, and health information
- Sex life or sexual orientation
If you collect sensitive PI, you must:
- Disclose it in your privacy notice
- Provide a "Limit the Use of My Sensitive Personal Information" opt-out if you use it for purposes beyond what is reasonably necessary to deliver the service
- Honor consumer requests to limit use
CCPA vs GDPR: Key Differences
GDPR compliance gives you a head start on CCPA. Key additions: California-specific privacy notice language, a "Do Not Sell or Share My Personal Information" opt-out (including honoring the Global Privacy Control browser signal), and CCPA-specific service provider contract terms. The models also differ in direction: GDPR needs a lawful basis before processing, while CCPA lets you collect and then obliges you to honor opt-outs. You're not starting from scratch.
Common CCPA Mistakes
Mistake 1: "We Don't Sell Data"
CCPA's definition of "sell" is broad: any disclosure of personal information to a third party for monetary or other valuable consideration. Passing data to an advertising network for targeted ads can qualify even if no money changes hands. CPRA added "sharing" (disclosure for cross-context behavioral advertising, with or without payment) as a separate category to remove the ambiguity.
Mistake 2: Ignoring B2B Employee Data
The employee and B2B exemptions in the original CCPA expired on January 1, 2023. Employee data of your B2B customers (California-based employees using your SaaS) is covered, and so is the data of your own California employees and job applicants. You need processes to handle their requests.
Mistake 3: Relying on Click-Through Consent
CCPA is opt-out, not opt-in, for adults (selling or sharing the data of consumers under 16 requires affirmative opt-in, with parental consent under 13). You don't need consent to collect, but you must honor opt-out requests, including opt-out preference signals such as Global Privacy Control sent by the browser. A buried or pre-ticked consent checkbox doesn't satisfy CCPA's "Do Not Sell or Share" requirements, and it cannot override an opt-out.
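The opt-out mechanism described above, as an added example (not code from the original article): a per-request decision on whether a sale or share (an ad pixel, a feed to an ad partner) may happen. The function and store names are hypothetical. It encodes two rules: a Global Privacy Control signal, sent as the `Sec-GPC: 1` request header, is an opt-out of sale/sharing that must be honored and, for a known consumer, remembered; and a consent checkbox never overrides an opt-out, because CCPA is opt-out, not opt-in.

```python
"""Added example, not from the original article: honoring a Do Not Sell/Share
opt-out and the Global Privacy Control (GPC) signal on the server side.
Function and store names are hypothetical; the store is an in-memory stand-in.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional

GPC_HEADER = "sec-gpc"   # header names are case-insensitive on the wire


@dataclass
class OptOutStore:
    """Who has opted out of sale/sharing, and how (hypothetical table)."""
    records: Dict[str, str] = field(default_factory=dict)   # consumer_id -> source

    def record(self, consumer_id: str, source: str) -> None:
        # never overwrite an earlier opt-out; an opt-out only ever widens
        self.records.setdefault(consumer_id, source)

    def is_opted_out(self, consumer_id: str) -> bool:
        return consumer_id in self.records


def gpc_signalled(headers: Dict[str, str]) -> bool:
    """True when the browser sent Sec-GPC: 1 (header name matched case-insensitively)."""
    return any(k.lower() == GPC_HEADER and v.strip() == "1" for k, v in headers.items())


def evaluate_sharing(headers: Dict[str, str], consumer_id: Optional[str],
                     store: OptOutStore, consent_box_checked: bool = False) -> Dict[str, object]:
    """Return {'share': bool, 'reason': str} for this request.

    Precedence: stored opt-out, then GPC on this request, then the default
    (sharing allowed, because CCPA does not require prior consent to collect).
    consent_box_checked is accepted only to show it has no effect once any
    opt-out exists.
    """
    gpc = gpc_signalled(headers)
    if gpc and consumer_id is not None:
        store.record(consumer_id, "gpc")   # the signal is itself a request: persist it
    if consumer_id is not None and store.is_opted_out(consumer_id):
        reason = f"opted out via {store.records[consumer_id]}"
        if consent_box_checked:
            reason += "; checkbox does not override an opt-out"
        return {"share": False, "reason": reason}
    if gpc:
        return {"share": False, "reason": "GPC signal on request; no consumer id to persist against"}
    return {"share": True, "reason": "no opt-out on record"}


def click_do_not_sell(consumer_id: str, store: OptOutStore) -> None:
    """Handler behind the 'Do Not Sell or Share My Personal Information' link."""
    store.record(consumer_id, "link")


if __name__ == "__main__":
    s = OptOutStore()
    print(evaluate_sharing({"Sec-GPC": "1"}, "u1", s, consent_box_checked=True))
    print(evaluate_sharing({}, "u1", s))   # still blocked: the GPC opt-out was persisted
```

Wire `evaluate_sharing` in front of every code path that fires a tag or exports to an ad partner, not only the page that renders the privacy link; the point of persisting the GPC opt-out is that a later request from the same consumer without the header is still blocked.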
Mistake 4: No Process for Requests
Getting a deletion request and figuring it out ad hoc doesn't work. You need documented processes, trained staff, and the technical capability to actually find and delete data across every system in your inventory within 45 days (one 45-day extension is allowed if you notify the consumer), and to tell the service providers that received the data to delete it too.
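The data inventory from section 3 and the "find and delete within 45 days" capability above, as one added example (not code from the original article). Every system name, category, sample record and vendor is constructed for illustration. It encodes the rules the text states: verify identity before deleting; delete from active systems and list the service providers that must be instructed to delete; defer archived or backup copies until the backup is restored or next accessed, but record that they are pending; keep a minimal suppression record so a vendor sync does not re-ingest the data; and compute the 10-business-day acknowledgement and 45-day response deadlines (weekends only; holidays are ignored, which is an assumption).

```python
"""Added example, not from the original article: a data inventory driving
deletion of one consumer's records, plus the CCPA response clock.
All systems, records and vendors are constructed for illustration.
"""
import hashlib
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, List, Set

# Constructed data inventory: one entry per system holding California resident data.
INVENTORY = {
    "app_db":      {"categories": ["name", "email", "employment"], "retention_days": 1095,
                    "backup": False, "shared_with": ["crm_vendor"]},
    "analytics":   {"categories": ["ip_address", "internet_activity"], "retention_days": 400,
                    "backup": False, "shared_with": ["analytics_vendor"]},
    "cold_backup": {"categories": ["name", "email", "employment"], "retention_days": 90,
                    "backup": True, "shared_with": []},
}


def sample_stores() -> Dict[str, List[dict]]:
    """Constructed stand-ins for the real systems: system -> list of records."""
    return {
        "app_db":      [{"email": "ana@example.com", "name": "Ana"},
                        {"email": "bo@example.com", "name": "Bo"}],
        "analytics":   [{"email": "ana@example.com", "ip": "203.0.113.7"}],
        "cold_backup": [{"email": "ana@example.com", "name": "Ana"}],
    }


@dataclass
class DeletionResult:
    deleted: Dict[str, int] = field(default_factory=dict)   # system -> records removed
    deferred: List[str] = field(default_factory=list)       # backup systems still pending
    notify_vendors: Set[str] = field(default_factory=set)   # service providers to instruct
    log: List[str] = field(default_factory=list)            # evidence trail for the request file


def suppression_key(email: str) -> str:
    """Keep a hash, not the address: enough to recognise the consumer on re-ingestion."""
    return hashlib.sha256(email.strip().lower().encode()).hexdigest()


def delete_consumer(email: str, stores: Dict[str, List[dict]], inventory: dict,
                    suppression: Set[str], verified: bool) -> DeletionResult:
    """Delete one consumer from every active system listed in the inventory."""
    if not verified:
        raise PermissionError("identity not verified; deletion refused")
    result = DeletionResult()
    for system, meta in inventory.items():
        if meta["backup"]:
            # permitted deferral: delete when the backup is restored or next accessed
            result.deferred.append(system)
            result.log.append(f"{system}: deferred until backup restored or next accessed")
            continue
        before = len(stores[system])
        stores[system] = [r for r in stores[system] if r.get("email") != email]
        result.deleted[system] = before - len(stores[system])
        if result.deleted[system]:
            result.notify_vendors.update(meta["shared_with"])
        result.log.append(f"{system}: removed {result.deleted[system]} record(s)")
    suppression.add(suppression_key(email))
    result.log.append("suppression record stored")
    return result


def ingest_allowed(email: str, suppression: Set[str]) -> bool:
    """Guard every import path so a vendor sync cannot resurrect deleted data."""
    return suppression_key(email) not in suppression


def request_deadlines(received_iso: str) -> Dict[str, str]:
    """Acknowledge within 10 business days, respond within 45 calendar days,
    one 45-day extension with notice. Business days skip weekends only (assumption)."""
    received = date.fromisoformat(received_iso)
    ack, business_days = received, 0
    while business_days < 10:
        ack += timedelta(days=1)
        if ack.weekday() < 5:
            business_days += 1
    return {"acknowledge_by": ack.isoformat(),
            "respond_by": (received + timedelta(days=45)).isoformat(),
            "extended_respond_by": (received + timedelta(days=90)).isoformat()}


if __name__ == "__main__":
    stores, supp = sample_stores(), set()
    r = delete_consumer("ana@example.com", stores, INVENTORY, supp, verified=True)
    print(r.deleted, r.deferred, sorted(r.notify_vendors))
    print(request_deadlines("2024-03-01"))
```

The inventory is the control: if a system is missing from it, nothing deletes from it, which is exactly the failure the "you can't comply if you don't know where data lives" warning describes. The suppression hash is the one record you keep after deletion; it is retained to honor the request, not to keep marketing to the consumer.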
The Multi-State Reality
California was first, but other states are following with similar laws:
- Virginia (VCDPA) — Effective January 2023
- Colorado (CPA) — Effective July 2023
- Connecticut (CTDPA) — Effective July 2023
- Utah (UCPA) — Effective December 2023
- Many more pending — Expect 20+ states by 2026
Build for California first—it's the strictest. A CCPA-compliant program will largely satisfy other state laws with minor adjustments. Don't build separate programs for each state.
Quick Start: Your First Week
Day 1-2: Threshold Assessment
Determine if CCPA applies: Check revenue ($25M+), data volume (100K+ CA residents), or data revenue (50%+ from selling). Most B2B SaaS over $25M revenue are covered.
Day 3-4: Data Inventory
Map California resident data: Where collected, where stored, who it's shared with, how long kept. This drives everything else.
Day 5: Privacy Notice Review
Update your privacy policy with CCPA-required disclosures: categories collected, purposes, third parties, consumer rights, contact methods.
Day 6-7: Request Process
Document how you'll handle consumer requests: intake methods, verification, fulfillment, response tracking. Test the process end-to-end.
Next Steps
CCPA/CPRA compliance is becoming table stakes for companies with California exposure—which is most US companies. The good news: a solid CCPA program positions you well for the wave of state privacy laws coming.
Start with your data inventory. You can't manage what you don't understand. Map where California data flows, then build processes around that reality.
Navigating state privacy laws? vCISO Lite helps you track compliance across CCPA, GDPR, and emerging state requirements with unified data mapping and request tracking tools.