Compliance Checklist | 4 minute read | Published July 20, 2025 | Updated July 20, 2025

California privacy compliance guide for SaaS and e-commerce startups: run a simple test

Learn the essential California privacy law requirements for startups to achieve CCPA and CPRA compliance for your SaaS or e-commerce business.
Glencoyne Editorial Team
The Glencoyne Editorial Team is composed of former finance operators who have managed multi-million-dollar budgets at high-growth startups, including companies backed by Y Combinator. With experience reporting directly to founders and boards in both the UK and the US, we have led finance functions through fundraising rounds, licensing agreements, and periods of rapid scaling.

Step 1: Do California Privacy Law Requirements for Startups Apply to You?

The first and most important question is whether the California Consumer Privacy Act (CCPA/CPRA) even applies to your startup yet. Before you start building compliance workflows, you need to run a simple test. The law has specific triggers, and many early-stage companies will not meet the criteria. To fall under the CCPA/CPRA, a for-profit business must collect personal data on California residents and meet at least one of the following three thresholds.

It's crucial to understand that the term 'consumers' is broad. It covers not just your paying customers but also website visitors, newsletter subscribers, and free-tier users who are located in California.

Here are the three thresholds to check against your business operations:

  • Annual Revenue: Your business has annual gross revenue over $25 million. This applies to your total company revenue, not just income from California. Most pre-seed to Series B startups will not meet this threshold.
  • Data Volume: Your business buys, sells, or shares the personal information of 100,000 or more California consumers or households annually. A B2C SaaS or e-commerce app with significant free-tier usage or high website traffic from California could hit this number.
  • Business Model: Your business derives 50% or more of its annual revenue from selling or sharing consumers’ personal information. This primarily targets data brokers, and a typical SaaS or e-commerce business model does not involve selling customer data.

For most startups, the second threshold is the one to watch. If your website gets heavy traffic from California or you have a large freemium user base there, you might cross the 100,000-consumer line sooner than you hit the $25 million revenue mark.

Step 2: Your Lean CCPA Compliance Steps and Playbook

If you've determined that your startup does meet one of the thresholds, the goal is not to build a perfect, enterprise-grade privacy program overnight. The reality for most Pre-Seed to Series B startups is more pragmatic: implement a core, functional system that respects consumer rights and can be improved over time. This approach directly addresses the challenge of building a workflow to find, delete, or export customer data without hiring a dedicated privacy manager.

If you run a SaaS business, see our US SaaS Compliance Checklist.

A. Get Your Public-Facing House in Order

Your first actions should focus on transparency. Your website is your primary interface with consumers, and it needs two key elements to meet data protection requirements in California.

First, update your Privacy Notice. This document must inform consumers about their rights, such as the right to know, delete, and correct their personal information. It also needs to describe the categories of personal data you collect and why. This is not a 'nice to have'; it is a foundational requirement.

Second, you must provide a clear and conspicuous link on your homepage titled 'Do Not Sell or Share My Personal Information'. This mechanism allows consumers to opt out of having their data sold or shared, particularly for cross-context behavioral advertising. For many SaaS and e-commerce companies, this relates directly to their use of marketing analytics and retargeting pixels.

B. Map Your Data and Prepare for Requests

You cannot honor a request to delete or access data if you do not know where it is. Data mapping is the process of creating an inventory of all the personal information you collect and store. For a startup, this doesn't need to be a complex project. It can start as a simple spreadsheet listing each system that holds customer data.

Your list will likely include tools like your production database (Postgres, AWS), payment processor (Stripe), CRM (HubSpot), customer support platform (Zendesk, Intercom), and marketing automation tools (Klaviyo). Once you have this map, you can build a manual workflow to handle data requests. The law provides a 45-day response window for a consumer data request, and a 45-day extension is possible if the consumer is notified, making a manual process manageable for most startups.

Consider this example of a manual workflow for a SaaS company:

  1. Request Received: A user submits a 'right to delete' request via email.
  2. Identity Verification: Confirm the user's identity by having them log in or verify their email address.
  3. System Checklist: Using your data map, an employee such as a founder or engineer queries each system to remove the user's data. For example:
    • Stripe: Look up the user's email to find and delete their payment information.
    • HubSpot: Search for and delete their contact record.
    • Postgres Database: Run a script to anonymize the user's record in the users table.
    • Intercom: Delete their conversation history and user record.
    • Google Analytics: This is often aggregated, but you must ensure no user-ID features are linking data back to them.
  4. Confirmation: Document that the steps were completed and email the user to confirm their data has been deleted.
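The identity-verification step, the Postgres anonymization step and the completion record from the workflow above, written out as an added example that is not part of this guide or any Glencoyne tooling. It assumes a hypothetical `users` table with `email`, `full_name` and `ip_address` columns plus an `orders` table that references it, and uses an in-memory SQLite database in place of Postgres so it runs offline; the vendor steps (Stripe, HubSpot, Intercom) are left to those vendors' own APIs and are not modelled here. The row is anonymized rather than hard-deleted so that order history retained for accounting still joins, and the 45-day deadline from the request date is computed and stored with the record.

```python
import sqlite3
from datetime import date, timedelta

# Statutory response window described in this guide; one further 45-day extension is possible.
RESPONSE_WINDOW_DAYS = 45


def due_dates(received: date):
    """Return (initial_due, extended_due) for a request received on `received`."""
    initial = received + timedelta(days=RESPONSE_WINDOW_DAYS)
    return initial, initial + timedelta(days=RESPONSE_WINDOW_DAYS)


def open_db() -> sqlite3.Connection:
    """Constructed sample data standing in for the production Postgres database (hypothetical schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT, full_name TEXT, "
        "ip_address TEXT, anonymized_at TEXT)"
    )
    conn.execute("CREATE TABLE orders (id INTEGER PRIMARY KEY, user_id INTEGER, amount_cents INTEGER)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?, ?, NULL)",
        [(1, "ana@example.com", "Ana Example", "203.0.113.7"),
         (2, "bo@example.com", "Bo Sample", "198.51.100.2")],
    )
    conn.executemany("INSERT INTO orders VALUES (?, ?, ?)", [(10, 1, 4999), (11, 1, 1299), (12, 2, 999)])
    conn.commit()
    return conn


def verify_identity(conn, claimed_email: str, verified_email: str):
    """Step 2: act only when the address the requester proved control of (login or
    confirmed email) matches the account they are asking about. Returns the user id or None."""
    if claimed_email.strip().lower() != verified_email.strip().lower():
        return None
    row = conn.execute("SELECT id FROM users WHERE lower(email) = ?", (claimed_email.strip().lower(),)).fetchone()
    return row[0] if row else None


def anonymize_user(conn, user_id: int, when: date) -> bool:
    """Step 3 (database): overwrite identifying fields but keep the row so orders still join.
    The guard on anonymized_at makes a repeated request a no-op; returns True only when a row changed."""
    cur = conn.execute(
        "UPDATE users SET email = ?, full_name = '[deleted]', ip_address = NULL, anonymized_at = ? "
        "WHERE id = ? AND anonymized_at IS NULL",
        (f"deleted-user-{user_id}@example.invalid", when.isoformat(), user_id),
    )
    conn.commit()
    return cur.rowcount == 1


def handle_delete_request(conn, claimed_email: str, verified_email: str, received: date) -> dict:
    """Run the workflow and return the record you keep as evidence of what was done (step 4)."""
    initial_due, extended_due = due_dates(received)
    record = {
        "received": received.isoformat(),
        "due": initial_due.isoformat(),
        "due_if_extended": extended_due.isoformat(),
        "steps": [],
    }
    user_id = verify_identity(conn, claimed_email, verified_email)
    if user_id is None:
        record["outcome"] = "rejected: identity not verified or no matching account"
        return record
    record["steps"].append(("identity_verified", True))
    record["steps"].append(("database_users_anonymized", anonymize_user(conn, user_id, received)))
    record["outcome"] = "completed"
    return record


if __name__ == "__main__":
    db = open_db()
    print(handle_delete_request(db, "ana@example.com", "ana@example.com", date(2025, 7, 20)))
```

Tracking `anonymized_at` is what turns the spreadsheet checklist into something auditable: the record returned by `handle_delete_request` is what you attach to the confirmation email in step 4, and the guard on that column means an accidental second run does not overwrite the evidence of when the first deletion happened.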

A documented, manual process is perfectly acceptable for an early-stage company and demonstrates you have a good-faith system in place to handle requests.

C. Check Your Vendor Contracts

Your startup relies on third-party vendors for critical services. Under CCPA/CPRA, you must ensure these vendors handle your customers' data with the same level of care you do. This is managed through Data Processing Addendums (DPAs). A DPA is a contract that governs how your vendor can process the data you share with them.

Most major service providers like AWS, Stripe, Google, and HubSpot have standard DPAs that you can sign. Your priority is to ensure these agreements are in place with any vendor that stores or processes personal information on your behalf. Focus on your biggest vendors first, as this step is crucial for preventing your compliance from being undermined by a partner's practices.

Step 3: A Prioritized CPRA Startup Guide

Navigating California data privacy laws for startups can feel overwhelming, but it boils down to a staged, manageable process. Attempting to do everything at once is a recipe for inaction. Instead, focus on a clear, prioritized sequence that aligns with your startup's stage and risk level.

If you serve EU customers, see our GDPR Compliance Checklist for UK and EU.

  1. This Week: Run the Litmus Test. Your first priority is to get a clear 'yes' or 'no' on whether the CCPA/CPRA applies to your company right now. Calculate your annual gross revenue, estimate the number of California consumers whose data you process, and confirm your business model isn't based on selling data. This single step provides immediate clarity and prevents over-investing in a problem you may not yet have.
  2. This Month: Update Public-Facing Documents. If the answer is 'yes,' your next priority is your public presence. Draft a compliant Privacy Notice and add the 'Do Not Sell or Share My Personal Information' link to your website. This is your most visible compliance signal and addresses a core requirement of the law.
  3. Next Quarter: Build Internal Processes. Finally, focus on the internal mechanics. Create your data map by listing all tools holding customer data. Based on that map, design and document a simple, manual workflow for handling consumer data requests. While you're at it, review key vendor agreements and sign their DPAs. This operational readiness ensures you can meet your obligations before a request becomes an emergency.

By breaking e-commerce and SaaS data privacy compliance into these distinct stages, you can manage your legal risk pragmatically without sacrificing growth. See the Compliance Checklist hub for a year-round roadmap.

Frequently Asked Questions

Q: What is the difference between CCPA and CPRA?
A: The California Privacy Rights Act (CPRA) amended and expanded the California Consumer Privacy Act (CCPA). It introduced new consumer rights, created the California Privacy Protection Agency (CPPA) for enforcement, and broadened compliance obligations. For startups, it's best to consider their requirements together as a single set of rules.

Q: Do these California data privacy laws apply to B2B startups?
A: Yes, potentially. The law's definition of "consumer" is broad and can include employees of business clients who are California residents. While some B2B communications had temporary exemptions that have expired, B2B companies meeting the thresholds should evaluate their obligations, particularly regarding employee and client data.

Q: Do I need a lawyer for CCPA and CPRA compliance?
A: For the initial steps outlined in this guide, such as determining applicability and setting up basic processes, a lawyer may not be necessary. However, as your company grows or if you have complex data practices, consulting a legal professional specializing in data privacy is a wise investment to ensure full compliance.

Q: What are the penalties for not complying with the CCPA/CPRA?
A: The California Privacy Protection Agency can issue fines of up to $2,500 per violation, or $7,500 for intentional violations or those involving minors. These penalties can add up quickly, making proactive compliance a more cost-effective approach for startups than risking enforcement actions.

This content shares general information to help you think through finance topics. It isn’t accounting or tax advice and it doesn’t take your circumstances into account. Please speak to a professional adviser before acting. While we aim to be accurate, Glencoyne isn’t responsible for decisions made based on this material.
