CCPA Applicability: When It Triggers for Your SaaS
The California Consumer Privacy Act (CCPA) is the strictest US privacy law. It applies to SaaS companies that collect personal information from California residents AND meet any one of these thresholds:
- Annual gross revenue exceeds $25 million, OR
- Buys, receives, or sells personal information of 100,000 or more residents or households, OR
- Derives 50% or more of annual revenue from selling California residents' personal information
Most startups don't hit these thresholds initially. But here's the catch: even if you don't meet CCPA thresholds, you're not off the hook.
Why You Still Need a Privacy Policy Below CCPA Thresholds
Many B2B SaaS companies below CCPA thresholds discover their enterprise clients require a comprehensive Privacy Policy anyway. Why?
- Contractual requirement: Large clients (corporations, healthcare, finance) contractually require all vendors to have a Privacy Policy
- Data Processing Agreements (DPAs): If you process customer data on behalf of enterprise clients, they'll demand a DPA, which references your Privacy Policy
- Compliance by association: If your customer is subject to HIPAA (health), GLBA (finance), or other regulations, they'll require you to comply too
Bottom line: Write a comprehensive Privacy Policy that would satisfy CCPA requirements, even if you're below thresholds. It costs nothing and opens doors to enterprise customers.
What CCPA Requires in Your Privacy Policy
If you meet CCPA thresholds, your Privacy Policy must include:
Categories of Personal Information Collected
You must list the categories (not necessarily individual data points) you collect:
- Identifiers (name, email, phone, IP address, account ID)
- Commercial information (purchase history, payment info, transaction records)
- Biometric information (if you collect fingerprints, facial recognition, etc.)
- Internet activity (browsing history, search history, feature usage)
- Geolocation data
- Sensory information (audio/video recordings, if applicable)
- Professional information (job title, company, work history)
Purposes for Collection
Explain why you collect each category. Examples: "to provide the service," "to improve features," "for security," "for analytics," etc.
Whether You Sell or Share Data
CCPA defines "selling" broadly: even data sharing with third parties for their benefit counts. Be explicit:
- "We do not sell personal information" (if true)
- "We share certain data with service providers including [list names] for [purposes]"
- "We do not have a 'Do Not Sell' mechanism" or "Consumers can opt-out of data sales at [link]"
Consumer Rights
CCPA gives California residents these rights (you must disclose them):
- Right to Know: Consumers can request what personal data you collect about them
- Right to Delete: Consumers can request deletion (with some exceptions)
- Right to Opt-Out of Sale: If you "sell" data, consumers can opt out
- Right to Correct: (Under CPRA, California's 2023 expansion) Consumers can request correction of inaccurate data
Your Privacy Policy must explain how consumers exercise these rights: "To request access, deletion, or opt-out, email privacy@yourcompany.com or use our consumer rights form."
Data Retention Periods
Disclose how long you retain different data categories. Example:
"We retain account data for the duration of your account, plus 30 days after cancellation. Analytics data is retained for 26 months. Backup copies are deleted within 90 days."
Hosting in AWS/GCP/Azure? You're Still Responsible
Many SaaS companies think their cloud provider (AWS, GCP, Azure) "handles" privacy compliance. Wrong. You're liable for where and how your data is stored.
Your Privacy Policy must disclose:
- Your hosting provider: "Data is hosted on Amazon Web Services (AWS) in US-East-1"
- Where data is physically stored: Specific regions/countries
- Data protection measures: Encryption in transit (TLS), encryption at rest, access controls, backup procedures
- Subprocessors: If AWS uses other vendors (which they do), disclose that too
Third-Party Integrations & Service Providers
CCPA distinguishes between "service providers" (who process data on your behalf) and independent third parties:
Service providers (must be disclosed):
- Stripe, Square, PayPal (payment processing)
- Intercom, Zendesk (customer support)
- Segment, Mixpanel, Amplitude (analytics)
- SendGrid, Twilio (transactional email)
- AWS/GCP/Azure (hosting)
For each, your Privacy Policy should state: "[Service Name] processes data on our behalf for [purpose]. See their privacy policy."
Data Processing Agreements (DPAs) If You Have EU Users
If your SaaS has any European customers, GDPR applies in addition to CCPA. Many enterprise customers will demand a DPA. Your Privacy Policy should acknowledge this:
"For customers subject to GDPR, we execute a Data Processing Agreement (DPA) as required. Contact sales@yourcompany.com for a DPA template."
Multi-State Compliance: The Patchwork Problem
Beyond California, several other states have privacy laws with similar (but not identical) requirements:
- Virginia (VCDPA): Effective 2023. Similar to CCPA but slightly narrower scope.
- Colorado (CPA): Effective 2023. Similar framework.
- Connecticut (CTDPA): Effective 2023. Similar to others.
- Texas (TDPSA): Effective 2024. Similar framework.
Best practice: Write your Privacy Policy to CCPA standards. This covers you for all state laws, since CCPA is the strictest. If you serve customers in multiple states, mention this:
"This Privacy Policy complies with privacy laws in all jurisdictions where we operate, including CCPA, VCDPA, and similar state privacy laws."
Information to Prepare Before Generating
- Your company name and location
- Do you have California customers? If so, estimate roughly how many.
- Do you estimate hitting CCPA thresholds? Revenue, data volume, or revenue from data sales?
- All data categories you collect: Identifiers, commercial info, usage data, location, etc.
- Purposes for collection: Service delivery, analytics, marketing, compliance, etc.
- Data retention policies: How long for each data category?
- All third-party service providers: Stripe, email, analytics, CRM, hosting, etc.
- Your hosting provider and regions
- Do you sell or share customer data? Be honest: sharing with third parties counts as "selling" under CCPA.
- Do you have EU customers? If so, you'll need to mention GDPR and DPA availability.
Official US Resources on Privacy Law & Compliance
The following government sources provide authoritative guidance on US privacy law requirements for your Privacy Policy:
- FTC Business Guidance: Privacy & Security. The Federal Trade Commission's official guidance on privacy notices, data security, and consumer protection obligations.
- California AG: CCPA Official Text & Guidance. The California Attorney General's office resource on California Consumer Privacy Act requirements and enforcement.
- FTC: COPPA Rule. Required reading if your service may be used by children under 13.