The California Privacy Rights Act (CPRA) builds on the CCPA and is enforced by the California Privacy Protection Agency. Termly's overview covers the legal mechanics; this article focuses on what a SaaS needs to ship in its privacy policy and operational stack in 2026.

What CPRA adds to CCPA

  • A new category of "sensitive personal information" (precise geolocation, health, sexual orientation, religion, biometrics, contents of communications, and also government IDs, account credentials, racial or ethnic origin, union membership and genetic data)
  • The right to limit use of sensitive PI, on top of opt-out of sale/share
  • Mandatory contracts with service providers and contractors
  • Annual cybersecurity audits and regular risk assessments for processing that presents significant risk to consumers
  • A dedicated enforcement agency (CPPA), not just the AG

Who CPRA applies to

If your SaaS does business in California and meets any of these: 25M USD or more in annual gross revenue, annually buys, sells or shares the PI of 100k+ California consumers or households, or earns 50%+ of revenue from selling or sharing PI. The 100k threshold is the one most growing SaaS cross unintentionally.

What to ship in your privacy policy

1. Sensitive PI block

Disclose if you process any sensitive PI, the purposes, and the limit-use opt-out path.

2. Opt-out of sale/share and limit-use links

Two distinct rights now: opt-out of sale/share, and limit use of sensitive PI. Both must be honored within 15 business days (a tighter timeline than GDPR's one month), and each needs its own clearly labelled path from the policy.

3. Service provider contract list

Document who processes data on your behalf under CPRA-compliant clauses. Stripe, AWS and HubSpot all publish CPRA-ready data processing addenda you can execute.

Right                        CCPA   CPRA addition
Access                       Yes    Extended retention details
Deletion                     Yes    Propagation to service providers
Opt-out of sale              Yes    + Opt-out of share
Correction                   No     Yes (new under CPRA)
Limit use of sensitive PI    No     Yes (new under CPRA)
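The two operational details in the table that bite in practice are the deadlines (15 business days for the two opt-out style rights, 45 calendar days for access, deletion and correction, the latter being the statutory default in Civ. Code 1798.130 rather than a figure from this article) and deletion propagation to service providers. The following is an added example, not code from the original page or from Termly: a minimal request-intake helper that computes the due date per right and lists which vendors a deletion must be fanned out to. The vendor registry is constructed for illustration, and business days here skip only weekends, not holidays.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Response deadlines per right. ("business", 15) follows the article;
# ("calendar", 45) is the statutory default for access/deletion/correction.
DEADLINES = {
    "access": ("calendar", 45),
    "deletion": ("calendar", 45),
    "correction": ("calendar", 45),
    "opt_out_sale_share": ("business", 15),
    "limit_sensitive_pi": ("business", 15),
}

# Constructed service-provider registry (hypothetical): vendor -> rights that
# must be propagated to it. Only deletion is propagated here, matching the table.
SERVICE_PROVIDERS = {
    "stripe": {"deletion"},
    "aws": {"deletion"},
    "hubspot": {"deletion"},
    "analytics-vendor-x": set(),  # holds no consumer PI, nothing to propagate
}


def add_business_days(start: date, n: int) -> date:
    """Advance `start` by n weekdays. Simplification: holidays are not skipped."""
    d = start
    while n > 0:
        d += timedelta(days=1)
        if d.weekday() < 5:  # Monday..Friday
            n -= 1
    return d


def due_date(right: str, received: date) -> date:
    """Deadline for responding to a request of type `right` received on `received`."""
    kind, n = DEADLINES[right]
    if kind == "calendar":
        return received + timedelta(days=n)
    return add_business_days(received, n)


def propagation_targets(right: str) -> list[str]:
    """Vendors that must be notified so the request propagates downstream."""
    return sorted(v for v, rights in SERVICE_PROVIDERS.items() if right in rights)


@dataclass
class Ticket:
    right: str
    received: date
    due: date
    propagate_to: list[str]


def open_ticket(right: str, received: date) -> Ticket:
    """Create an intake ticket; unknown rights are rejected rather than defaulted."""
    if right not in DEADLINES:
        raise ValueError(f"unknown CPRA right: {right!r}")
    return Ticket(right, received, due_date(right, received), propagation_targets(right))


if __name__ == "__main__":
    # Monday 2026-01-05 as a constructed intake date.
    for r in ("opt_out_sale_share", "deletion"):
        t = open_ticket(r, date(2026, 1, 5))
        print(f"{t.right}: due {t.due}, propagate to {t.propagate_to}")
```

The point of keeping the deadline table and the vendor registry as data rather than code is that the service-provider list is exactly the artifact the policy must disclose, so the same source of truth can render the policy section and drive the fan-out.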

The CPPA is more active in 2026 than the AG ever was under CCPA. The first wave of enforcement focused on dark-pattern opt-out flows and missing service provider contracts. The contract gap is a paperwork fix; the opt-out flow is a small front-end fix, not a re-architecture.

Conclusion

CPRA is not GDPR-lite; it has its own teeth and its own enforcer. SaaS that built CCPA compliance in 2020 needs a 2026 refresh. The good news: most of the work is in the policy text, not the product.

To generate a CPRA-compliant section per US state plus GDPR for EU, try Termerly free.