If you're a California company building AI-powered features, CCPA applies to your AI pipeline — not just your traditional database. And based on what we've seen working with mid-market companies across Southern California, most teams don't realize this until it's too late.
The gap isn't malicious. It's structural. Engineering teams think about CCPA as a database and cookies problem. But the moment you feed customer data into an AI model, LLM API, or automated decision-making system, a new set of obligations kicks in.
Where Companies Trip Up
Sending PII to Third-Party AI APIs
When your application sends customer data to OpenAI, Anthropic, or any third-party API for processing, that's a data transfer. Under CCPA, you need to disclose this in your privacy policy, ensure the third party has adequate data protection agreements, and honor deletion requests across all systems — including any data retained by the AI provider.
Most companies we audit have AI features that send customer names, emails, and behavioral data to LLM APIs without updating their privacy policy or data processing agreements. This is low-hanging fruit for regulators.
AI-Generated Customer Profiles
If your application uses AI to create customer segments, risk scores, or behavioral predictions, those outputs are "inferences" under CCPA — and they're considered personal information. Customers have the right to know what inferences you've drawn about them and the right to request deletion.
A SaaS client in Newport Beach was using AI to generate "customer health scores" for their B2B platform. Those scores were derived from usage patterns, support ticket sentiment, and payment history. Under CCPA, every one of those scores is personal information subject to access and deletion requests.
Training Data Retention
If you fine-tune models or build embeddings using customer data, that data doesn't disappear when the customer deletes their account. It lives inside your model weights or vector database. CCPA's deletion requirements mean you need a strategy for handling this — whether that's retraining models, maintaining deletion logs, or designing your pipeline to avoid persistent customer data in training sets.
The Practical Fixes
Audit your data flow. Map every place customer data touches an AI system — LLM APIs, embedding databases, fine-tuning pipelines, automated decision systems. Most companies discover three to five undocumented data flows.
Update your privacy policy. Disclose AI-related data processing specifically. Generic language about "service providers" doesn't cover LLM API usage adequately.
Implement AI-specific deletion. When a customer requests deletion, your process needs to cover not just your primary database but vector stores, cached embeddings, conversation logs, and any derived data.
Add human review for consequential decisions. If AI is making decisions that affect customers — credit approvals, pricing, service levels — CCPA's opt-out provisions for automated decision-making apply. Build a human review pathway.
Log everything. Maintain records of what data was sent to which AI systems, when, and for what purpose. When a regulator asks, you need to answer quickly and accurately.
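As an added example, not code from this post or from any client it describes, here is a minimal Python sketch of the audit, logging and deletion steps above: a registry of every AI system that holds customer data, a transfer log recording what went where and why, and a deletion handler that fans out across all registered stores and flags the ones (such as fine-tuned weights) that cannot be purged in place. The store names, purposes and sample customer are constructed.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone

@dataclass
class AIDataStore:
    name: str
    purpose: str
    deletable: bool = True   # False when the data is baked into model weights
    records: dict = field(default_factory=dict)  # customer_id -> payload held

class AIDataFlowRegistry:
    def __init__(self) -> None:
        self.stores: dict[str, AIDataStore] = {}
        self.audit_log: list[dict] = []   # what went where, when, and why

    def register(self, store: AIDataStore) -> None:
        self.stores[store.name] = store

    def record_transfer(self, customer_id: str, store_name: str, payload) -> None:
        # Log every hand-off of customer data to an AI system as it happens.
        store = self.stores[store_name]
        store.records[customer_id] = payload
        self.audit_log.append({"event": "transfer", "customer": customer_id,
                               "system": store.name, "purpose": store.purpose,
                               "at": datetime.now(timezone.utc).isoformat()})

    def delete_customer(self, customer_id: str) -> dict:
        """Fan one deletion request out to every AI store, not just the primary DB."""
        outcome = {"purged": [], "needs_followup": []}
        for store in self.stores.values():
            if customer_id not in store.records:
                continue
            if store.deletable:
                del store.records[customer_id]
                outcome["purged"].append(store.name)
            else:  # e.g. fine-tuned weights: flag for retraining, keep the record
                outcome["needs_followup"].append(store.name)
        self.audit_log.append({"event": "deletion", "customer": customer_id,
                               "at": datetime.now(timezone.utc).isoformat(), **outcome})
        return outcome

def demo() -> dict:
    # Constructed scenario: three hypothetical AI stores and one deletion request.
    reg = AIDataFlowRegistry()
    reg.register(AIDataStore("llm_api_logs", "support ticket summarisation"))
    reg.register(AIDataStore("vector_store", "semantic search over usage data"))
    reg.register(AIDataStore("fine_tune_v3", "churn model training", deletable=False))
    for name in reg.stores:
        reg.record_transfer("cust-42", name, {"email": "c42@example.com"})
    return reg.delete_customer("cust-42")
```

The `needs_followup` list is the part most teams miss: it is the record that a retraining or a fresh training set is owed for that customer, and it belongs in the deletion log alongside the stores that were purged.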
The Enforcement Reality
California's Attorney General and the California Privacy Protection Agency are actively enforcing CCPA, with a focus on AI and automated decision-making. Fines of $2,500 per violation add up fast when every customer record counts as a separate violation.
For a mid-market company with 50,000 customer records and a non-compliant AI feature, the theoretical exposure is $125 million. Regulators rarely pursue the maximum, but even a fraction of that is existential for a mid-market company.
The fix isn't expensive. The audit typically takes two weeks. The engineering changes take four to six weeks. Compared to the alternative, it's the best investment you'll make this year.