If your app uses AI APIs and has California users, CCPA (California Consumer Privacy Act) and its amendment CPRA apply to you. Here’s what matters for developers.
The key requirements
1. Disclosure
You must tell users what data you collect and who you share it with. If you send user data to OpenAI, Anthropic, or any AI provider — disclose it in your privacy policy.
2. Opt-out of “sales”
CCPA defines “sale” broadly — it includes sharing data with third parties for value. Sending user data to an AI API in exchange for a service could qualify. You need a “Do Not Sell My Personal Information” link.
3. Automated decision-making
CPRA added rights around automated decision-making. If your AI makes decisions that significantly affect users (hiring, credit, insurance), users can:
- Request information about the logic involved
- Opt out of automated decision-making
- Request human review
4. Data minimization
Only send the minimum necessary data to AI providers. Don’t send full user profiles when you only need a name.
Practical steps
- Audit your AI data flows — what user data goes to which AI provider?
- Update your privacy policy — list AI providers as service providers/third parties
- Add opt-out mechanism — let users opt out of AI-powered features that use their data
- Minimize data sent to APIs — strip PII before sending to AI models
- Use self-hosted models for sensitive data — no third-party sharing
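The "minimize data sent to APIs" and "audit your AI data flows" steps above can be enforced in code rather than left to convention. The following is an added example, not code from the original post: it keeps a per-feature allowlist of profile fields, redacts e-mail addresses, SSNs and US phone numbers from any free text before it leaves the app, refuses to build a payload for a user who has opted out, and records which fields went to which provider. The profile values, feature names and the provider name are constructed placeholders.

```python
import re

# Constructed sample profile; none of these values belong to a real person.
USER_PROFILE = {
    "user_id": "u-1042",
    "name": "Dana Example",
    "email": "dana@example.com",
    "phone": "+1 415 555 0199",
    "ssn": "123-45-6789",
    "support_message": (
        "Hi, I'm Dana (dana@example.com). Call me at 415-555-0199 "
        "about order 88."
    ),
}

# Allowlist per AI feature: the only profile fields that feature may send out.
# Hypothetical feature names; a real app derives this table from its data-flow audit.
FEATURE_FIELDS = {
    "greeting_personalizer": ("name",),
    "support_summarizer": ("support_message",),
}

# Ordered redaction rules for free text. The SSN rule runs before the looser
# phone rule so an SSN is never mistaken for a phone number.
PII_PATTERNS = [
    (re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+"), "[EMAIL]"),
    (re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), "[SSN]"),
    (re.compile(r"(?:\+?1[\s-]?)?\(?\d{3}\)?[\s-]?\d{3}[\s-]?\d{4}\b"), "[PHONE]"),
]

# Append-only record of what left the app, feeding the data-flow audit.
AUDIT_LOG = []


def redact_text(text):
    """Replace e-mail addresses, SSNs and US phone numbers with placeholders."""
    for pattern, label in PII_PATTERNS:
        text = pattern.sub(label, text)
    return text


def build_ai_payload(profile, feature, provider, opted_out=False):
    """Return the minimal, redacted payload for one AI feature.

    Raises PermissionError when the user has opted out of AI features,
    so no request to the provider is ever assembled.
    """
    if opted_out:
        raise PermissionError(f"user {profile['user_id']} opted out of AI features")
    allowed = FEATURE_FIELDS[feature]
    payload = {}
    for field in allowed:
        value = profile.get(field)
        payload[field] = redact_text(value) if isinstance(value, str) else value
    AUDIT_LOG.append({"provider": provider, "feature": feature, "fields": list(allowed)})
    return payload


if __name__ == "__main__":
    # Constructed provider name; only the allowlisted, redacted field is sent.
    print(build_ai_payload(USER_PROFILE, "support_summarizer", "example-ai-provider"))
```

The allowlist is deliberate: a denylist of "sensitive" fields silently leaks every field you forgot to name, whereas an allowlist fails closed. Regex redaction is a floor, not a guarantee; it catches structured identifiers, but names and addresses in free text still require either a dedicated PII detector or a self-hosted model, as the last step above suggests.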
CCPA vs GDPR
| | CCPA | GDPR |
|---|---|---|
| Scope | California residents | EU residents |
| Consent | Opt-out model | Opt-in model |
| AI-specific rules | Limited (automated decisions) | EU AI Act (comprehensive) |
| Fines | $7,500/violation | 4-7% of revenue |
| Data transfers | No restrictions | Restricted (need SCCs) |
GDPR is stricter. If you’re already GDPR compliant, you’re mostly CCPA compliant too.