There are now 19 US states with comprehensive consumer privacy laws on the books. If you read the headlines, it sounds like a compliance nightmare: different thresholds, different rights, different enforcement mechanisms, and new laws taking effect every few months.
For B2B SaaS founders, the reality is simpler than the headlines suggest. And it starts with one fact that changes the entire analysis.
The One Fact That Simplifies Everything
California is the only state whose comprehensive privacy law applies to B2B data.
Every other state with a comprehensive privacy law exempts data collected in a business-to-business context. Their definitions of “consumer” explicitly exclude individuals acting in a commercial or employment capacity. That means if you’re a B2B SaaS company and your customers are businesses, the personal data you process about their employees and end users in a commercial context falls outside the scope of 18 out of 19 state privacy laws.
California is the exception. The CCPA/CPRA does not exempt B2B data or employment data. If you process personal information of California residents in any capacity, including in a B2B context, the CCPA applies.
This creates a practical compliance strategy that’s similar to how car emissions standards work. California sets the most stringent standard. Manufacturers don’t build separate vehicles for California and everyone else. They build to the California standard, and that covers them nationally. The same logic applies here: if you build your privacy program to comply with the CCPA/CPRA, you’re meeting or exceeding the requirements of every other state law. The incremental effort for other states is minimal.
California: The Baseline You Build To
Who It Applies To
The CCPA/CPRA applies to for-profit businesses that meet any one of the following thresholds: annual gross revenue exceeding $25 million; buying, selling, or sharing the personal information of 100,000 or more California residents or households per year; or deriving 50% or more of annual revenue from selling or sharing California residents’ personal information.
For B2B SaaS companies, the revenue threshold is the most common trigger. If your company generates more than $25 million in annual revenue, the CCPA applies regardless of your business model. Below that threshold, the 100,000-consumer threshold is relevant if your platform processes data about a large number of California-based end users across your customer base.
What It Requires
The CCPA/CPRA gives California residents a set of rights over their personal information: the right to know what data you collect and why, the right to delete their data, the right to correct inaccurate data, the right to opt out of the sale or sharing of their data, and the right to limit the use of sensitive personal information.
For B2B SaaS companies, the practical obligations include: providing a privacy policy that discloses your data collection practices, purposes, and the categories of third parties with whom you share data; honoring consumer rights requests (access, deletion, correction); maintaining records of processing activities; implementing reasonable security measures; and including specific CCPA disclosures in your privacy policy (categories of personal information collected, the purposes for each category, and whether you sell or share personal information).
B2B-Specific Considerations Under CCPA
Since California is the only state that covers B2B data, there are specific considerations that don’t apply under other state laws.
Employee and job applicant data is covered. If you have employees in California, their personal information is subject to the CCPA. This extends to HR data, payroll information, and benefits records.
Business contact data is covered. The personal information of your customers’ contacts (names, email addresses, phone numbers, titles) collected in a B2B context is subject to the CCPA. This is the provision that catches most B2B SaaS founders off guard.
The processor relationship matters. When you process data on behalf of your customers, the CCPA’s “service provider” framework applies. Your DPA should qualify you as a service provider under the CCPA, which limits your obligations for customer data to what’s contractually agreed. This is another reason your DPA and privacy policy need to be aligned.
Enforcement and Penalties
The CCPA is enforced by the California Attorney General and the California Privacy Protection Agency (CPPA). Violations can result in fines of up to $2,500 per unintentional violation and $7,500 per intentional violation. Given that violations are calculated per consumer per incident, the aggregate exposure from a systemic issue can be substantial.
There is also a limited private right of action for data breaches resulting from a failure to implement reasonable security measures. This is one of the few areas where individual consumers can sue directly under the CCPA rather than relying on the AG or CPPA to enforce.
The Other 18 States: Grouped by Pattern
While the other 18 states exempt B2B data, they still apply to personal data you collect as a controller in a consumer-facing capacity. This includes website visitor data, marketing contacts who are individual consumers (not acting in a business capacity), and any consumer-facing features of your product.
For most B2B SaaS companies focused on selling to businesses, the exposure under these laws is limited to your marketing website and any consumer-facing data collection. But it’s not zero.
The states follow a few common patterns.
The Standard Model (Most States)
Virginia, Colorado, Connecticut, Utah, Indiana, Iowa, Tennessee, Montana, Texas, Delaware, New Hampshire, Nebraska, New Jersey, Kentucky, Rhode Island, and Minnesota follow a broadly similar structure with variations in thresholds and specific rights.
Common features across this group: applicability thresholds based on the number of consumers whose data you process (typically 100,000), or a combination of a lower consumer threshold (25,000-35,000) plus a revenue-from-data-sales component; consumer rights including access, deletion, correction, opt-out of targeted advertising, and opt-out of sale; B2B and employment data exemptions; and enforcement by the state attorney general (no private right of action in most states).
The primary differences between states are in the applicability thresholds, cure periods (some states provide a period to fix violations before penalties apply, others don’t), and specific rights (some states include opt-out of profiling, others don’t).
Lower Threshold States
A few states have notably lower applicability thresholds that may catch smaller companies: Connecticut and Delaware apply at 35,000 consumers. Montana applies at 25,000 consumers. Maryland applies at 35,000 consumers, with a lower 10,000 threshold if more than 20% of revenue comes from selling data.
If your B2B SaaS marketing site receives significant consumer traffic from these states, the lower thresholds mean you may be in scope even if you wouldn’t trigger the 100,000 threshold in other states.
Maryland: The Outlier
Maryland’s Online Data Privacy Act (effective October 2025, with a compliance grace period through April 2026) stands out for imposing stricter data minimization requirements than other states. It requires businesses to minimize the data they collect from the outset, rather than simply providing consumers with rights over already-collected data. For B2B SaaS companies, this primarily affects consumer-facing data collection on your marketing site and any direct-to-consumer features.
States Without Cure Periods
Several of the more recent state laws have eliminated or limited cure periods, meaning the attorney general can pursue enforcement without giving you an opportunity to fix the violation first. California, Colorado (as of 2025), and several newer state laws fall into this category. This trend toward immediate enforcement makes proactive compliance more important.
Reference Table: State Privacy Laws at a Glance
| State | Effective | B2B Exempt | Consumer Threshold | Cure Period |
|---|---|---|---|---|
| California (CCPA/CPRA) | Jan 2020 / Jan 2023 | No | $25M revenue OR 100K consumers | No |
| Virginia | Jan 2023 | Yes | 100K consumers OR 25K + 50% revenue from data sales | 30 days |
| Colorado | Jul 2023 | Yes | 100K consumers OR 25K + revenue from data sales | Eliminated 2025 |
| Connecticut | Jul 2023 | Yes | 35K consumers OR 25K + 25% revenue from data sales | 60 days (sunsets) |
| Utah | Dec 2023 | Yes | 100K consumers OR 25K + 50% revenue from data sales | 30 days |
| Iowa | Jan 2025 | Yes | 100K consumers OR 25K + 50% revenue from data sales | 90 days |
| Delaware | Jan 2025 | Yes | 35K consumers OR 10K + revenue from data sales | 60 days |
| Oregon | Jul 2024 | Yes | 100K consumers OR 25K + revenue from data sales | 30 days (sunsets 2026) |
| Texas | Jul 2024 | Yes | Conducts business in TX (no minimum) | 30 days |
| Montana | Oct 2024 | Yes | 25K consumers | 60 days |
| Tennessee | Jul 2025 | Yes | 100K consumers OR 25K + 50% revenue from data sales | 60 days |
| Minnesota | Jul 2025 | Yes | 100K consumers OR 25K + 25% revenue from data sales | 30 days |
| Maryland | Oct 2025 | Yes | 35K consumers OR 10K + 20% revenue from data sales | None |
| New Hampshire | Jan 2025 | Yes | 35K consumers OR 10K + 25% revenue from data sales | 60 days |
| New Jersey | Jan 2025 | Yes | 100K consumers OR 25K + revenue from data sales | 30 days |
| Nebraska | Jan 2025 | Yes | Conducts business in NE (no minimum for some provisions) | 30 days |
| Indiana | Jan 2026 | Yes | 100K consumers OR 25K + 50% revenue from data sales | 30 days |
| Kentucky | Jan 2026 | Yes | 100K consumers OR 25K + 50% revenue from data sales | 30 days |
| Rhode Island | Jan 2026 | Yes | 35K consumers OR 10K + revenue from data sales | None |
Note: Thresholds and cure periods are simplified for reference. Consult the specific statute for precise applicability criteria. This table reflects the state of the law as of early 2026 and may not capture subsequent amendments.
What This Means for Your Privacy Policy
One common misconception worth addressing: choosing Delaware (or any other state) as the governing law in your customer agreements does not determine which state privacy laws apply to your business. Privacy law applicability is based on where the data subjects reside, not the governing law of your contracts. If you process personal information of California residents, the CCPA applies whether your Terms of Service specify Delaware, New York, or Texas as the governing jurisdiction. Founders who choose Delaware governing law sometimes assume it shields them from California’s privacy requirements. It doesn’t. Governing law controls how your contract is interpreted. Privacy statutes apply based on who you’re collecting data from and where they live.
If you’re a US-focused B2B SaaS company, your privacy compliance strategy should be built around three layers.
First, build to the California standard. If you meet the CCPA thresholds (and most growing B2B SaaS companies will eventually), your privacy policy should include CCPA-compliant disclosures, and your data practices should support the consumer rights the CCPA requires. This becomes your baseline.
Second, include a jurisdiction-specific section in your privacy policy that addresses California separately and notes the rights available to California residents. If you also serve consumers in other states (through your marketing site or consumer-facing features), include a general statement about additional state privacy rights.
Third, keep your privacy policy consistent with your DPA and Terms of Service. The rights you describe, the data sharing you disclose, and the retention periods you state all need to match what your other documents commit to.
The patchwork of state laws sounds overwhelming in the abstract. For B2B SaaS, the practical compliance burden is concentrated in California, and building to that standard covers you for everything else.
No Boiler provides self-service legal document generation and educational content. This material and our service are not a substitute for legal advice. Please have a qualified attorney review any documents before relying on them. No Boiler is not a law firm, and communications with us do not create an attorney-client relationship or carry any expectation of confidentiality. Use of our platform and content is governed by our Terms of Service and Privacy Policy.
This is part of the Privacy Policy pillar. Previously: Privacy Policies for B2B SaaS: What’s Different From Consumer Apps. Next up: Subprocessors, Third-Party Services, and the Data Sharing Disclosure Nobody Gets Right.