
US state privacy (CCPA/CPRA) for SaaS

CCPA/CPRA (California) plus 10+ newer state laws require a privacy notice, a "Do Not Sell or Share" link, honoring opt-out signals, and consumer data rights. Check yours.


What US state privacy (CCPA/CPRA) means for SaaS businesses

SaaS businesses sit at the centre of the newer rules: you process personal data at scale, bill on recurring plans, send product and marketing email, and increasingly ship AI features — each its own compliance surface.

Does this apply to you?

This rule applies to SaaS businesses that sell to or collect data from consumers in California or other US states. Sell to US consumers? California + new state laws require a privacy notice, opt-out, and a "Do Not Sell" link. Not sure? The free checker tells you in about a minute — no signup.

The checklist

You need to be able to answer "yes" to each of these — the points SaaS businesses most often get caught on:

What's at stake

⚠️ Exposure: $2,500/violation — $7,500 if intentional or involving a minor · Status: In force.


Common questions

How does US state privacy (CCPA/CPRA) affect SaaS businesses?

SaaS businesses sit at the centre of the newer rules: you process personal data at scale, bill on recurring plans, send product and marketing email, and increasingly ship AI features — each its own compliance surface. Sell to US consumers? California + new state laws require a privacy notice, opt-out, and a 'Do Not Sell' link.

Does CCPA apply to my business?

California's CCPA/CPRA applies above certain thresholds (revenue, data volume, or selling data), and 10+ other states have similar laws. If you sell to US consumers and collect personal data or use targeted ads, you likely need a notice and opt-out.

What is a 'Do Not Sell or Share' link?

A clear, account-free link (often "Your Privacy Choices") letting consumers opt out of the sale or sharing of their personal information — including cross-context behavioural advertising cookies.

What is GPC and do I have to honor it?

Global Privacy Control is a browser opt-out signal. Under CPRA and several state laws you must treat it as a valid opt-out of sale/sharing.

The source

RuleGoose checks this against the California CCPA/CPRA + US state privacy laws. Read it yourself: California AG — CCPA →



Informational only, not legal advice, and not affiliated with California or the FTC. Last reviewed 2026-06-30.