CCPA and AI — What California's Privacy Law Means for Developers (2026)
If your app uses AI APIs and has California users, CCPA (California Consumer Privacy Act) and its amendment CPRA apply to you. This isn’t theoretical — the California Privacy Protection Agency has been actively enforcing since 2024, and AI-powered applications are squarely in their sights. Here’s what matters for developers.
What CCPA actually requires
CCPA applies to for-profit businesses that collect personal information from California residents and meet any of these thresholds: annual gross revenue over $25 million, buy/sell/share personal information of 100,000+ consumers or households, or derive 50% or more of annual revenue from selling or sharing personal information.
If you’re building a SaaS product with AI features and you have California users, you almost certainly meet the first or second threshold. The law gives California residents several rights:
- Right to know — what personal information you collect and why
- Right to delete — request deletion of their personal information
- Right to opt out — of the sale or sharing of their personal information
- Right to non-discrimination — you can’t penalize users who exercise their rights
- Right to correct — inaccurate personal information
- Right to limit — use of sensitive personal information
For AI developers, the tricky part is that “personal information” is defined very broadly. It includes any information that identifies, relates to, or could reasonably be linked to a consumer or household. User prompts, conversation histories, usage patterns, and even inferences drawn by AI models can all qualify.
The key requirements for AI applications
1. Disclosure
You must tell users what data you collect and who you share it with. If you send user data to OpenAI, Anthropic, or any AI provider — disclose it in your privacy policy. This means listing each AI provider by name, describing what data you send them, and explaining why.
Many developers overlook this. If your app sends user text to an API for summarization, classification, or generation, that’s a data transfer to a third party. Your privacy policy needs to say so explicitly.
2. Opt-out of “sales” and “sharing”
CCPA defines “sale” broadly — it includes sharing data with third parties for value. Sending user data to an AI API in exchange for a service could qualify as “sharing” under CPRA’s expanded definition. You need a “Do Not Sell or Share My Personal Information” link prominently displayed on your site.
This is where it gets complicated for AI apps. If a user opts out, you need a way to either:
- Stop sending their data to third-party AI providers entirely
- Switch to a self-hosted model for opted-out users
- Process their requests without AI features
The practical solution for many developers is to offer a non-AI fallback or use self-hosted models that don’t involve third-party data transfers.
3. Automated decision-making (CPRA addition)
CPRA added significant rights around automated decision-making. If your AI makes decisions that significantly affect users (hiring, credit, insurance, housing), users can:
- Request information about the logic involved
- Opt out of automated decision-making
- Request human review of decisions
This applies to any “profiling” that produces legal or similarly significant effects. If your AI app scores job applicants, determines creditworthiness, sets insurance rates, or makes similar consequential decisions, you need to provide meaningful information about how the algorithm works and offer a human review option.
Even if your AI features are less consequential — like content recommendations or search ranking — it’s good practice to document the logic and be prepared to explain it.
4. Data minimization (CPRA addition)
Only send the minimum necessary data to AI providers. Don’t send full user profiles when you only need a name. CPRA requires that personal information collection be “reasonably necessary and proportionate” to the purpose.
For AI applications, this means:
- Strip PII from prompts before sending to AI APIs when possible
- Don’t include user metadata that isn’t relevant to the AI task
- Use anonymization or pseudonymization where feasible
- Avoid sending entire conversation histories when only the last few messages matter
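The following Python preprocessing layer is an added example, not code from the original article or from any AI provider's SDK: it pseudonymizes e-mail addresses and phone numbers with stable placeholders the app can reverse locally, keeps only the last few messages, and refuses to route an opted-out user to a third-party provider (so it also covers the opt-out options from section 2). The regexes, the `Pseudonymizer` class, `prepare_request` and the route names are assumptions.

```python
import hashlib
import re
from dataclasses import dataclass, field

# Constructed example of a preprocessing layer between the app and a
# third-party AI API. Nothing here is a real provider SDK.
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")
PHONE_RE = re.compile(r"(?:\+1[ -]?)?\b\d{3}[ -]\d{3}[ -]\d{4}\b")


@dataclass
class Pseudonymizer:
    """Swaps PII for stable placeholders; the mapping stays inside the app."""
    salt: bytes                       # per-tenant secret so tokens are not guessable
    mapping: dict = field(default_factory=dict)

    def _token(self, kind: str, value: str) -> str:
        digest = hashlib.sha256(self.salt + value.encode()).hexdigest()[:8]
        token = f"<{kind}_{digest}>"
        self.mapping[token] = value   # kept locally so a reply can be re-inflated
        return token

    def redact(self, text: str) -> str:
        text = EMAIL_RE.sub(lambda m: self._token("EMAIL", m.group()), text)
        return PHONE_RE.sub(lambda m: self._token("PHONE", m.group()), text)

    def restore(self, text: str) -> str:
        """Put the real values back into a model reply before showing it to the user."""
        for token, value in self.mapping.items():
            text = text.replace(token, value)
        return text


def prepare_request(messages, opted_out, pseud, keep_last=4):
    """Decide where a request may go and what it may contain.

    Returns (route, messages). Opted-out users never reach a third-party
    provider; everyone else gets a trimmed, pseudonymized history.
    """
    if opted_out:
        return "self_hosted", messages        # or a non-AI fallback
    trimmed = messages[-keep_last:]           # only the recent turns matter
    redacted = [{"role": m["role"], "content": pseud.redact(m["content"])}
                for m in trimmed]
    return "third_party", redacted
```

The mapping is the sensitive part: keep it in the app's own storage with the same retention limits you disclose, since it is what re-identifies the placeholders.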
5. Data retention limits
You can’t keep personal information indefinitely. CPRA requires you to disclose retention periods and not retain data longer than reasonably necessary. This applies to AI training data, conversation logs, and any user data stored by your AI providers. Check your data retention policies and make sure they align with what you disclose.
Penalties and enforcement
CCPA violations carry real financial consequences:
- $2,500 per unintentional violation
- $7,500 per intentional violation
- $7,500 per violation involving minors’ data
- Private right of action for data breaches — $100-$750 per consumer per incident
These are per-violation penalties. If you’re sending data for 10,000 California users to an AI API without proper disclosure, that’s potentially 10,000 violations. The California Privacy Protection Agency has been increasingly active, and AI applications are a stated enforcement priority for 2026.
Practical compliance steps
- Audit your AI data flows — map exactly what user data goes to which AI provider, when, and why. Document every API call that includes personal information.
- Update your privacy policy — list AI providers as service providers or third parties. Be specific about what data you share and for what purpose.
- Add an opt-out mechanism — implement a “Do Not Sell or Share My Personal Information” link. Build the technical capability to honor opt-outs for AI features.
- Minimize data sent to APIs — strip PII before sending to AI models. Use system prompts and preprocessing to remove unnecessary personal information.
- Implement data subject requests — build workflows to handle deletion, access, and correction requests. This includes data held by your AI providers.
- Use self-hosted models for sensitive data — no third-party sharing means no “sale” or “sharing” under CCPA.
- Review AI provider contracts — ensure your AI providers have appropriate data processing agreements that restrict how they use your users’ data.
- Document automated decisions — if your AI makes consequential decisions, document the logic and provide opt-out and human review mechanisms.
CCPA vs GDPR: key differences for AI developers
| | CCPA | GDPR |
|---|---|---|
| Scope | California residents | EU residents |
| Consent model | Opt-out (can collect by default) | Opt-in (need consent first) |
| AI-specific rules | Limited (automated decisions) | EU AI Act (comprehensive) |
| Fines | $2,500-$7,500/violation | Up to 4% of global revenue |
| Data transfers | No restrictions on cross-border | Restricted (need SCCs, adequacy) |
| Right to explanation | For automated decisions | Broader right to explanation |
| Data minimization | Required (CPRA) | Required (stricter) |
| DPO requirement | No | Yes (in many cases) |
GDPR is stricter overall. If you’re already GDPR compliant, you’re mostly CCPA compliant too — but not entirely. CCPA’s “sale” definition is broader than GDPR’s concept of data sharing, and the opt-out mechanism is different from GDPR’s opt-in approach. You need to handle both if you serve users in both regions. See our privacy laws by region guide for a complete breakdown.
Which AI APIs help with CCPA compliance?
Not all AI providers are equal when it comes to privacy compliance. Key things to look for:
- Data processing agreements (DPAs) — does the provider offer a DPA that restricts how they use your data?
- No training on your data — does the provider commit to not training on your inputs?
- Data residency options — can you keep data in specific regions?
- Deletion capabilities — can you request deletion of data sent to the API?
Check our guide on which AI APIs are GDPR compliant — the same providers that handle GDPR well tend to handle CCPA well too. Enterprise tiers from OpenAI, Anthropic, and Google all offer DPAs and no-training commitments.
FAQ
Does CCPA apply to AI apps?
Yes. If your AI application collects personal information from California residents and your business meets the revenue or data volume thresholds, CCPA applies. This includes data sent to AI APIs — user prompts, conversation histories, and any personal information processed by AI models are all covered. The California Privacy Protection Agency has specifically called out AI applications as an enforcement focus area.
How is CCPA different from GDPR?
The biggest difference is the consent model. GDPR requires opt-in consent before collecting data, while CCPA allows collection by default but requires an opt-out mechanism. GDPR also has stricter rules about cross-border data transfers, requires Data Protection Officers in many cases, and has the comprehensive EU AI Act layered on top. CCPA fines are per-violation ($2,500-$7,500) while GDPR fines are percentage-based (up to 4% of global revenue). For small companies, CCPA fines can actually be more painful if violations are numerous.
Do I need CCPA compliance if I’m not in California?
If your business is based outside California but you have California users or customers, CCPA still applies — as long as you meet the thresholds. There’s no exemption based on where your company is located. If you operate a website or app accessible to California residents and you meet the revenue or data volume thresholds, you need to comply. The practical approach: if you serve US users, assume you have California users and build CCPA compliance into your product from the start.