RatedWithAI

RatedWithAI

Accessibility scanner

Privacy LawJune 21, 2026

CCPA Compliance Checklist for AI SaaS Products 2026: What You Need to Do

CCPA enforcement is active. The California Privacy Protection Agency is specifically investigating how AI companies handle consumer data. If your SaaS uses AI to collect, infer, or profile users, this checklist covers what you need to have in place now.

$7,500
Per intentional CCPA violation — can multiply across millions of records
2026
CPPA actively investigating AI companies for CCPA/CPRA violations
Inferences
AI-generated consumer profiles are explicitly covered personal information

Does CCPA Apply to Your AI SaaS?

CCPA (as expanded by CPRA) applies to for-profit businesses that do business in California and meet one of these thresholds:

  • Annual gross revenue over $25 million
  • Buys, sells, receives, or shares personal information of 100,000+ California consumers or households per year
  • Derives 50%+ of annual revenue from selling or sharing consumer personal information

The 100,000 consumer threshold is the one that catches most AI SaaS companies before they've hit significant revenue. If you process data from 100,000+ users, and any of them are California residents, you're likely covered — even if your total revenue is $500k.

"Do business in California" is also interpreted broadly. Having California users of a web product or app generally qualifies, regardless of where your company is incorporated or operated.

What AI Data Is Covered Under CCPA

CCPA's definition of personal information is expansive and explicitly covers data that AI systems commonly generate, use, or store:

IN SCOPE
User Input Data
Text prompts, voice inputs, uploaded files, form submissions fed to AI models
IN SCOPE
AI-Generated Inferences
Behavioral profiles, interest categories, personality assessments, risk scores derived from user activity
IN SCOPE
Usage Behavioral Data
Click patterns, session data, feature usage — used to train or personalize AI responses
IN SCOPE
Biometric Data
Voice prints, facial recognition data, fingerprints — if your AI processes any of these
IN SCOPE
Commercial and Financial Information
Purchase history, transaction data used for AI recommendations or predictions
EXEMPT
Truly Anonymized Aggregates
Aggregate statistics where individual re-identification is not reasonably possible

The CCPA AI SaaS Compliance Checklist

Work through each section. These aren't aspirational — they're the requirements the CPPA actively checks during investigations and audits.

1. Data Inventory and Mapping
  • Map all personal information your AI system collects at each touchpoint
  • Document what AI-generated inferences are created about users
  • Identify all third parties that receive user data (AI APIs, analytics, ad platforms)
  • Classify data by sensitivity: regular PI, sensitive PI, children's data
  • Document data retention periods for each category
  • Determine if any data sharing qualifies as a 'sale' under CCPA (includes sharing for cross-context behavioral advertising)
2. Privacy Policy Updates
  • List all categories of personal information collected in the past 12 months
  • Disclose all purposes for which personal information is used
  • Name categories of third parties with whom PI is shared
  • Explicitly disclose AI inference categories as a class of PI collected
  • Include retention periods or criteria used to determine retention
  • Provide a 'Do Not Sell or Share My Personal Information' link if you sell/share data
  • Update policy within 12 months of any material changes to your AI data practices
3. Consumer Rights Infrastructure
  • Build a mechanism for users to submit data access requests (what data you have on them)
  • Build a mechanism for deletion requests (including AI-generated inferences, not just raw data)
  • Build a mechanism for data portability requests (export in usable format)
  • Build opt-out from sale/sharing — conspicuous link required in footer
  • Build opt-out from automated decision-making / profiling (CPRA requirement)
  • Build correction/rectification mechanism for inaccurate personal information
  • Configure 45-day response SLA with automated acknowledgment
  • Verify requester identity without requiring unnecessary personal information
4. Automated Decision-Making Opt-Out
  • Identify all AI decisions that produce 'legal or similarly significant effects' on California consumers
  • Document what data inputs drive these decisions and what outputs they produce
  • Build technical capability for users to opt out of profiling for these purposes
  • Implement a process to honor opt-outs within 15 business days
  • Disclose automated decision-making in privacy policy with meaningful description
  • If profiling affects access to credit, insurance, employment, housing, or education — this is highest priority
5. Sensitive Personal Information Controls
  • Identify any sensitive PI your AI handles: racial/ethnic origin, health data, sexual orientation, precise geolocation, biometrics, immigration status
  • Limit use of sensitive PI to what's necessary for disclosed purposes
  • Provide 'Limit the Use of My Sensitive Personal Information' link if you use SPI for secondary purposes
  • Obtain explicit consent for AI processing of sensitive PI where required
  • Do not use sensitive PI for targeted advertising or to build consumer profiles
6. Service Providers and AI API Contracts
  • Audit contracts with all AI API providers (OpenAI, Anthropic, Google, etc.) for CCPA compliance language
  • Ensure AI APIs you use are classified as service providers — not third parties who receive the data
  • Require contractual prohibitions on AI vendors using your users' data to train their models (unless users consented)
  • Update all vendor contracts to include required CCPA service provider restrictions
  • Verify analytics and monitoring tools (Mixpanel, Amplitude, Segment) have CCPA-compliant terms

CCPA Enforcement Priorities for AI Companies in 2026

The California Privacy Protection Agency has signaled specific enforcement priorities that directly target how AI products handle consumer data:

AI Training Data Practices

Using consumer data to train AI models without appropriate disclosure or consent. If your product's terms don't clearly disclose that user inputs may be used for model training — and you're using them — this is an active enforcement risk.

Behavioral Advertising Without Opt-Out

Sharing user data with ad networks or third-party AI platforms for cross-context behavioral advertising qualifies as a 'sale' under CCPA even without money changing hands. Many AI SaaS products share data with analytics or retargeting tools without offering the required opt-out.

Dark Patterns in Privacy Controls

The CPPA specifically targets UI/UX designs that make it harder to opt out than to consent. Requiring 5 clicks to opt out but 1 to opt in; burying opt-out links; auto-ticking consent checkboxes — these are enforcement targets in 2026.

Insufficient Data Minimization

Collecting more personal information than necessary for disclosed purposes. AI products that collect behavioral data 'for analytics' but then use it for unrelated AI training or ad targeting are at risk.

Children's Data Violations

If any of your California users are under 16 and you're using their data for targeted advertising or AI profiling without appropriate consent, penalties are automatically tripled. Age verification and children's data policies must be airtight.

AI Model APIs and the CCPA Data Sale Question

One of the most contested CCPA questions for AI SaaS companies: when you send user data to an AI API (OpenAI, Anthropic, Google AI), does that constitute a "sale" or "sharing" of personal information under CCPA?

The answer depends on the contract terms with the AI provider:

  • If the AI API provider uses the data only to process your API requests and is contractually prohibited from using it for their own purposes — they're a service provider. Not a sale; CCPA's service provider exception applies.
  • If the AI API provider can use your users' data to train their own models, improve their own products, or share it with their affiliates — they're a third party. Sharing with them likely constitutes a sale or sharing under CCPA.

Review the data processing addendums from every AI API you use. Default API terms from major providers often contain language permitting model training on API data — which changes the CCPA analysis entirely. Get explicit service provider terms before assuming you're in the safe zone.

Frequently Asked Questions

We're a B2B SaaS — our customers are businesses, not individual consumers. Does CCPA apply?

If your B2B SaaS collects personal information from individuals who happen to be employees of your business customers (California-based users using your product), those individuals are California consumers under CCPA. B2B doesn't exempt you from CCPA — the exemptions that used to apply to employee and B2B data expired in 2023. If your product captures personal information from any individuals, CCPA applies.

Our AI product uses anonymized data. Are we covered?

Anonymized data that cannot reasonably identify individuals is exempt from CCPA. But the standard for true anonymization is high — aggregate statistics where re-identification isn't reasonably possible. Pseudonymized data (where a key links back to an individual), hashed identifiers, or 'de-identified' data that can be re-combined with other datasets does not qualify for the exemption. Many AI companies mistakenly treat pseudonymization as anonymization.

Do we need a CCPA opt-out button even if we don't sell user data?

The 'Do Not Sell or Share My Personal Information' requirement triggers if you 'sell' OR 'share' personal information. Sharing includes disclosing data to third parties for cross-context behavioral advertising — even without payment. If you run advertising pixels, share data with analytics platforms that use it for their own purposes, or use any third-party tools that receive individual-level behavioral data, you likely share under CCPA's definition and need the opt-out link.

What's the difference between CCPA and CPRA for AI products?

CPRA (Proposition 24, effective 2023) expanded CCPA with new rights specifically relevant to AI: the right to opt out of automated decision-making and profiling, new protections for sensitive personal information, data minimization obligations, purpose limitation, and created the California Privacy Protection Agency with dedicated enforcement authority. CPRA also strengthened correction rights and added the concept of 'sharing' to capture ad-tech data flows previously outside CCPA's scope. When people say 'CCPA compliance' in 2026, they mean the full CCPA/CPRA framework.

Start With the Data Map

CCPA compliance for AI SaaS isn't primarily a legal problem — it's an engineering and data problem. You can't write accurate disclosures without knowing what data you collect. You can't honor deletion requests without knowing where data lives. You can't build opt-outs without knowing what decisions are being automated.

Start with the data inventory. Map every data input your AI touches, every inference it produces, and every third party that receives any of it. The compliance work flows from that foundation.