CCPA and AI Tools: What SaaS Businesses Need to Know in 2026
California's privacy law doesn't just cover data collection — it reaches AI profiling, automated decision-making, and AI model training. If your SaaS product uses AI on California residents' data, here's what you're legally required to do in 2026.
CCPA Basics: What Makes a Business Subject to CCPA?
CCPA (California Consumer Privacy Act), as amended by CPRA (California Privacy Rights Act), applies to any for-profit business that:
- Has gross annual revenues over $25 million, OR
- Annually buys, sells, or shares personal information of 100,000+ consumers or households, OR
- Derives 50%+ of annual revenues from selling or sharing personal information
The law applies regardless of where the business is incorporated — a Delaware-incorporated SaaS with California users is covered if it meets any of these thresholds. The 100,000 consumer threshold is particularly easy to hit for SaaS products: if you process personal data of more than 100,000 California users annually, you're covered.
For AI-powered SaaS, "processing personal information" includes: using user data to generate AI responses, training or fine-tuning models on user data, building user profiles for personalization, and using AI to analyze, infer, or predict things about users.
How CPRA Changed the Rules for AI
The 2020 CPRA amendments (effective January 2023) added several provisions that directly impact AI-powered products. These weren't hypothetical — they were written specifically to address AI risks:
Right to Opt Out of Automated Decision-Making
New in CPRACalifornia residents can now opt out of businesses' use of 'automated decision-making technology, including profiling.' This applies to AI systems that make or significantly influence decisions with legal or similarly significant effects — hiring, lending, healthcare, insurance, education, and similar high-stakes contexts. You must provide a clear opt-out mechanism and honor it within 15 business days.
Right to Know About Automated Decision-Making Logic
New in CPRAThe CPPA (California Privacy Protection Agency) can issue regulations requiring businesses to explain the logic behind automated decisions affecting consumers. Businesses must be prepared to explain — in plain language — what factors an AI system considered and why a particular output was generated. This right is most directly enforceable in employment and credit contexts.
Sensitive Personal Information Restrictions
New in CPRACPRA created a new category: Sensitive Personal Information (SPI). SPI includes health/medical data, financial account data, precise geolocation, racial/ethnic origin, religious beliefs, union membership, sexual orientation, and biometric data. Using SPI to train AI models or for profiling requires either user opt-in consent or a strict legitimate use exception. The default is: you cannot use SPI for AI training without consent.
Purpose Limitation for AI Training
Applies to AIUnder CPRA, data collected for one purpose cannot be used for incompatible secondary purposes without notice and opportunity to opt out. Collecting user interactions to improve your product (disclosed purpose) is different from using those interactions to train an AI model that serves other customers (potentially undisclosed secondary use). If you're doing the latter, you need updated disclosures.
AI Training Data and CCPA: The Questions Every Founder Needs to Answer
Are you training AI models on personal information of California residents?
HighIf yes: This must be disclosed in your privacy policy. You need a legitimate basis (it must fit within your stated purposes). If the data includes Sensitive Personal Information (health, biometric, financial data), you need opt-in consent or a valid statutory exception.
Are you sharing user data with third-party AI providers for model training?
HighIf yes: Sharing personal data with third parties for AI training may constitute 'sharing' or 'selling' personal information under CCPA, triggering opt-out rights. Review your contracts with AI providers (OpenAI, Anthropic, etc.) — many explicitly prohibit training on API inputs unless you opt in.
Does your AI produce inferences or profiles about users?
MediumCCPA covers 'inferences' as a category of personal information — inferences drawn from personal information to create a profile reflecting preferences, behaviors, attitudes, intelligence, abilities, or aptitudes. If your AI infers things about users, those inferences are personal information under CCPA and must be disclosed and available for deletion on request.
Is your AI used for automated decisions that significantly affect users?
HighHiring screening, loan underwriting, insurance scoring, tenant screening — if AI makes or significantly influences these decisions for California residents, you must offer opt-out rights under CPRA and be prepared to explain AI logic on request.
Does your AI use precise geolocation, health data, or biometric data?
CriticalThis is Sensitive Personal Information under CPRA. Opt-in consent required for using SPI to train AI models or for profiling. Opt-out rights apply for other SPI uses. If you're processing biometric data (facial recognition, voice prints, fingerprints) with AI, additional BIPA exposure exists in Illinois.
What Your Privacy Policy Must Say About AI
Under CCPA/CPRA, your privacy policy must specifically address AI data use. Generic privacy policies written before AI features were added are typically non-compliant. Required disclosures include:
- Categories of personal information collected — including any AI-generated inferences about users, which are their own category under CCPA.
- Purposes for which AI uses personal information — if you use data to train models, personalize with AI, or generate AI outputs, each purpose must be listed.
- Whether you share data with AI providers for training — any sharing with third-party AI platforms that may use data for model improvement must be disclosed.
- Opt-out rights for AI profiling and automated decision-making — the opt-out mechanism must be clearly described and accessible.
- Sensitive Personal Information uses and restrictions — if you process SPI, you must disclose the categories and the limitation on its use.
CCPA Compliance Checklist for AI SaaS Products
CCPA vs. Other State AI Privacy Laws in 2026
California is the most aggressive, but not alone. As of mid-2026, these states have enacted privacy laws with AI-relevant provisions:
California (CCPA/CPRA)
Fully enforcedOpt-out of automated decision-making, SPI protections, inference coverage
Colorado (CPA)
Enforced since July 2023Right to opt out of profiling in furtherance of decisions with legal effects
Connecticut (CTDPA)
Enforced since July 2023Right to opt out of profiling for consequential decisions; data protection assessments required
Virginia (VCDPA)
Enforced since Jan 2023Right to opt out of profiling; data protection assessments for high-risk processing
Texas (TDPSA)
Enforced since July 2024Right to opt out of profiling; no AG-only enforcement like Texas often uses
If you're building a CCPA-compliant AI product, you're 70–80% of the way to compliance with most other US state privacy laws — they largely follow California's framework. California is the hardest compliance target.
Check your AI product for compliance risks
RatedWithAI helps SaaS teams identify compliance issues across their web properties. Start with a free scan to understand what California users experience when they visit your product.
Scan Your Product for Free →Frequently Asked Questions
Does CCPA apply to AI-generated content?
CCPA applies to personal information — it covers AI systems that process personal data, not AI-generated content that isn't about an identifiable person. However, if your AI generates content about specific identified individuals (generated profiles, summaries of a user's activity, etc.), that output may itself be personal information subject to CCPA's access and deletion rights.
Can I use California customer data to train my AI model?
Yes, but with CCPA-compliant disclosures. Your privacy policy must disclose this use. The data must fit within your stated purpose. You cannot use Sensitive Personal Information for AI training without opt-in consent. And you must honor deletion requests — which creates a challenge for AI models trained on that data (model unlearning is hard; consider whether you can exclude the data from training instead).
What is 'profiling' under CCPA for AI products?
CCPA/CPRA defines profiling as any automated processing of personal information to evaluate certain aspects about a person — particularly analyzing or predicting aspects concerning performance at work, economic situation, health, preferences, interests, reliability, behavior, location, or movements. Many AI features qualify: recommendation engines that build interest profiles, AI that infers user risk scores, behavioral targeting systems. If your AI builds user models, you're probably profiling.
What happens if a California resident requests deletion of data used to train my AI?
CCPA grants consumers the right to delete personal information. You must comply within 45 days. For data used to train AI models, this creates a compliance challenge — once data is used to train a model, the model's weights embed that data in ways that are difficult to 'unlearn.' Best practice: maintain a deletion list that excludes deleted users' data from future training runs. For truly high-risk processing, consider not training on personal data at all.
Does CCPA apply if I use a third-party AI API (like OpenAI)?
Yes — you remain the 'business' under CCPA; OpenAI (or other providers) are 'service providers.' As the business, you're responsible for CCPA compliance on how data is processed. You must have a service provider agreement with your AI provider that restricts them from using your users' data for their own purposes. Most major AI APIs now include this in their terms, but verify. If your AI provider uses your users' data to train their own models, that's a CCPA 'sharing' and may require opt-out notices.