The January 2026 CPRA amendments represent the most significant expansion of California privacy requirements since the CCPA's original enactment. Combined with 20+ other state privacy laws now in force, US privacy compliance for SaaS companies requires a comprehensive multi-state framework — not just a California addendum.
California remains the most demanding US privacy framework, but 20+ states have now enacted comprehensive privacy legislation. The practical challenge for SaaS companies is that while many laws are similar in structure, they differ materially on: consumer opt-out rights, sensitive data categories, data broker obligations, enforcement mechanisms, and cure periods.
| State | Effective Date | Key Distinction |
|---|---|---|
| California | Jan 2020 (CCPA) / Jan 2026 (CPRA amend.) | Most comprehensive; mandatory GPC recognition |
| Virginia | Jan 2023 | Controller-centric; no private right of action |
| Colorado | Jul 2023 | Mandatory GPC recognition; opt-out of profiling |
| Texas | Jul 2024 | No revenue threshold; applies to most businesses |
| Indiana | Jan 2026 | Mandatory GPC signal recognition added |
CCPA applies to for-profit businesses doing business in California that meet any one of these thresholds: annual gross revenue over $26.6 million (2026 adjusted figure); processing personal information of 100,000 or more California consumers annually; or deriving 50%+ of revenue from selling or sharing personal information. These thresholds apply regardless of where your business is incorporated.
The January 2026 amendments introduced: mandatory cybersecurity audit requirements for businesses processing sensitive data; formal risk assessment protocols required before high-risk processing; extensive automated decision-making transparency obligations; updated requirements for identifying categories of data shared with service providers; and coordinated multi-state enforcement. There was no grace period: the requirements were effective immediately.
California consumers have the right to opt out of the "sale" or "sharing" of their personal information. Under the 2023 CPRA amendments, "sharing" includes making data available for cross-context behavioural advertising — even without monetary consideration. Your website must include a "Do Not Sell or Share My Personal Information" link and a compliant opt-out mechanism, and must honour Global Privacy Control signals.
You have 45 days to respond to verified CCPA data subject requests, with a 45-day extension available. Responses must be provided free of charge. You must verify the requester's identity before disclosing data. You may not discriminate against consumers who exercise their rights. TECHLAWG can design the verification and response procedures your team needs to meet these obligations.
As of 2026, comprehensive state privacy laws are in force in California, Virginia, Colorado, Connecticut, Utah, Iowa, Indiana, Montana, Oregon, Texas, Florida, Delaware, New Jersey, New Hampshire, Kentucky, Maryland, Minnesota, Nebraska, Rhode Island, and Tennessee. Each has different thresholds, different consumer rights, and different enforcement mechanisms. A multi-state compliance framework is now essential for any US-facing SaaS product.