CCPA for B2B SaaS: Does the California Privacy Law Apply to Your Business Customers?
Most B2B SaaS founders still believe CCPA is a consumer-app problem. The exemption they're relying on expired in 2023. Here's what actually applies to B2B software companies in 2026 — and what to do about it.
The B2B Exemption Is Gone — and Has Been Since 2023
When CCPA first passed in 2018 and took effect in 2020, it included a temporary exemption for business contact information and employee data. Many B2B SaaS companies built their privacy posture on that exemption. The California Privacy Rights Act (CPRA) — which amended and expanded CCPA — removed both exemptions effective January 1, 2023.
That means the data your B2B SaaS product collects, uses, or processes about California residents — whether they're your customers' employees, your sales prospects, or end users of your platform — is now subject to full CCPA/CPRA obligations if you meet the applicability thresholds. The "we're B2B, so CCPA doesn't apply" assumption is three years out of date.
Do You Meet the CCPA Threshold?
CCPA applies to for-profit businesses doing business in California that meet at least one of these thresholds:
Gross annual revenue over $25 million. Most growth-stage B2B SaaS companies cross this before Series B.
Buying, selling, or sharing personal information of 100,000 or more California consumers or households per year. B2B SaaS companies often hit this by aggregating users across customer accounts — especially for CRM, HR tech, analytics, and productivity tools.
Deriving 50% or more of annual revenue from selling personal information. Less common for pure SaaS, but relevant for data-as-a-service or ad-tech-adjacent products.
The 100,000 records threshold catches more B2B SaaS companies than founders expect. If your platform processes data for 500 mid-size customers, each with 200+ California employees or users, you cleared the threshold before your latest quarterly review. Count user records, not customer accounts.
What Personal Data B2B SaaS Companies Actually Process
B2B SaaS founders often undercount the personal data their platforms touch because they think in terms of "business data." Here's what CCPA considers personal information that's common in B2B software:
- •Names, email addresses, and login credentials of your customers' employees who use your platform
- •Usage logs, activity data, and behavioral analytics tied to individual users
- •Performance data processed by AI features (engagement scores, productivity metrics, sentiment analysis)
- •Profile data imported from your customers' HR systems or directories
- •Names, emails, phone numbers, and LinkedIn profiles of leads in your CRM or outreach tools
- •Intent and behavioral data about prospects tracked by your marketing stack
- •Business contact data your sales team imported from data providers (ZoomInfo, Apollo, etc.)
- •Meeting recordings, transcripts, and call logs containing names and statements of California residents
- •Scores, classifications, or predictions your AI generates about individual users or employees
- •Content recommendations, churn risk scores, or engagement predictions at the user level
- •Automated segmentation or tagging of contacts that creates a consumer profile
- •Any derived data that reflects the preferences, behavior, or characteristics of an identified individual
The Service Provider Agreement: Your Biggest Compliance Lever
As a B2B SaaS company, you're most often a service provider under CCPA — you receive personal information from your business customers (controllers) to provide a service. This matters because service providers have a different, generally lighter obligation than controllers, provided you have the right agreements in place.
A CCPA-compliant service provider agreement must:
- Specify that you receive personal information for limited and specified purposes
- Prohibit you from selling or sharing the data or using it for your own commercial benefit outside the service
- Require you to notify your customer if you determine you can no longer comply
- Grant your customer the right to take reasonable steps to stop and remediate unauthorized use
- Require that any subprocessors you use are also bound by equivalent restrictions
If you lack these contracts with your B2B customers, you're at risk of being treated as a third party rather than a service provider — with significantly higher compliance obligations. Audit your data processing agreements now and update any that predate 2023.
CCPA Compliance Checklist for B2B SaaS (2026)
Privacy Infrastructure
- ☐Update privacy policy to cover business contact and employee data explicitly
- ☐Build or contract a mechanism to handle data subject rights requests (DSAR portal)
- ☐Implement a process to respond to DSARs within 45 days
- ☐Add a 'Do Not Sell or Share My Personal Information' opt-out mechanism
- ☐Audit all third-party tools you share data with — are they CCPA service providers or third parties?
- ☐Map where California resident data lives in your systems
Contracts and Vendor Management
- ☐Execute CCPA service provider agreements with all enterprise customers who share personal data with you
- ☐Update subprocessor agreements to include CCPA-required language
- ☐Add CCPA addendum to standard SaaS terms if you haven't already
- ☐Review data broker relationships — are you receiving California resident data from brokers without proper agreements?
- ☐Ensure AI model providers (OpenAI, Anthropic, etc.) have service provider terms covering your use
- ☐Document data retention periods and enforce deletion on schedule
AI Features Trigger Additional CCPA Scrutiny
CPRA added Automated Decision-Making Technology (ADMT) regulations that are still being finalized by the California Privacy Protection Agency, but the direction is clear: if your AI product makes or influences significant decisions about California residents — employees, users, or customers — those individuals have rights around that processing.
For B2B SaaS with AI features, the highest-risk applications are: AI-powered employee performance evaluation, AI-generated hiring or retention recommendations, AI credit or risk scoring that touches individual users, and AI profiling that creates consumer profiles used for targeted advertising or sales. If your product touches any of these for California residents, assume ADMT rules will apply and build in disclosure and opt-out mechanisms now.
Frequently Asked Questions
We're under $25M revenue and process data for less than 100K residents. Do we still need to comply?
If you don't meet any of the three CCPA thresholds, the law doesn't technically apply to you. However, your enterprise customers are almost certainly CCPA-covered businesses, and their procurement teams will require CCPA-compliant data processing agreements from you regardless of your own threshold status. Treat CCPA readiness as a contract requirement even if you're technically exempt.
Our product is purely B2B — we never interact with consumers. Are we still covered?
Under CCPA, 'consumer' means any California resident, not just retail shoppers. The employees of your business customers are consumers under CCPA. So are the California residents in the business contact databases your sales team uses. 'We're B2B' does not create an exemption — it just changes which residents' data you're handling.
What if our customers haven't asked us for CCPA agreements?
The obligation is mutual but the impetus often falls on you as the vendor. Enterprise customers are increasingly including CCPA DPA requirements in security reviews and annual vendor assessments. Don't wait to be asked — proactively offering a CCPA-compliant service provider addendum signals maturity and reduces friction in sales cycles with privacy-conscious buyers.
Can we rely on our AI model provider's terms to cover our CCPA obligations?
No. You need your own CCPA compliance posture independent of your model providers. Your model provider's service provider terms cover their processing; you remain responsible for your processing of California resident data, your agreements with your own customers, and your own privacy notices. Think of it as layered obligations: provider terms limit what they do with your data, but your customers' employees have their CCPA rights against your company, not your AI vendor.
The Exemption Is Gone — But the Fix Is Straightforward
The B2B and employee exemptions that let you defer CCPA compliance expired in January 2023. If your privacy posture hasn't been updated since then, you have gaps. The good news: service provider status under CCPA is genuinely lighter than controller status — but only if you have the right contracts and can honor data subject rights requests when they come through your business customers.
Priority actions: audit your DPAs, update your privacy policy, map where California resident data lives in your stack, and build a DSAR process. Your next enterprise deal's security review will ask for all of it.