Privacy + data protection · California, United States · Reviewed June 2026

Is Bubble.io CCPA / CPRA compliant?

CCPA / CPRA is a contractual standard before it is an infrastructure one. The work is a service-provider addendum on top of Bubble's DPA, a working "Do Not Sell or Share" link, Global Privacy Control honouring, and a DSAR flow. Almost no Californian deal requires a rebuild. The exposure is real — $7,988 per intentional violation with no aggregate cap, plus a private right of action for breaches — but the fix lives in contracts and product, not in moving off Bubble.

The honest verdict

Partially. Not the way you’d ship CCPA / CPRA in production.

Bubble has the certification at platform level — but it does not transfer to your app. Bubble lists CCPA / CPRA among the US state privacy laws in its "Other frameworks" page "for information purposes," without claiming the platform itself meets the standard. The DPA and Bubble's privacy tooling get you most of the way; the service-provider terms, DSAR flow, opt-out signals, and CPPA reporting belong to the developer.

Reviewed by

Greg · Founder, bubbletocode.com — has migrated 30+ Bubble apps to code

Independently sourced — no Bubble partnership · Last reviewed June 2026
Credentials
  • 01 / 04

    Bubble's stance

    Partial

    Listed in "Other frameworks" for information

  • 02 / 04

    Worst-case penalty

    $7,988 / violation

    Per affected consumer, no aggregate cap

  • 03 / 04

    Industries impacted

    B2B SaaS · Consumer · E-commerce · AdTech · Data brokers

  • 04 / 04

    Compliant rebuild

    $40k–$100k · 6–14 weeks

    Only when a parallel standard forces it

What CCPA / CPRA actually requires

The requirements behind the checkbox.

CCPA as amended by CPRA gives Californians the rights to know, delete, correct, and opt out of sale or sharing of personal information. The California Privacy Protection Agency (CPPA) and the California Attorney General enforce it. Civil penalties are CPI-adjusted to $2,663 per unintentional and $7,988 per intentional violation in 2025–2026, with no aggregate cap.

  • 01

    Post a notice at collection plus a privacy policy disclosing the categories, purposes, and sale or sharing of personal information (Cal. Civ. Code 1798.100, 1798.130).

  • 02

    Honour consumer rights to know, delete, and correct personal information within the statutory timeframes for response (Cal. Civ. Code 1798.105, 1798.106, 1798.110).

  • 03

    Provide a working "Do Not Sell or Share My Personal Information" mechanism and honour opt-out preference signals such as Global Privacy Control (Cal. Civ. Code 1798.120, 1798.135).

  • 04

    Allow consumers to limit the use of sensitive personal information to disclosed purposes (Cal. Civ. Code 1798.121).

  • 05

    Implement reasonable security procedures and practices appropriate to the data, with the private right of action attaching to breaches caused by their absence (Cal. Civ. Code 1798.100(e), 1798.150).

  • 06

    Conduct risk assessments for processing presenting significant risk and report assessment activity to the CPPA on the published schedule (CCPA Regulations, effective Jan 1, 2026; reporting by April 1, 2028).

Official source: cppa.ca.gov

Why Bubble fails CCPA / CPRA

Not opinions — architectural facts.

Every reason below comes from Bubble’s published platform limits or their own documentation. Reading the list top-to-bottom tells you which one will bite you first.

  1. 01

    Listed for information only, no service-provider terms

    Major

    Bubble's "Other frameworks" page names CCPA / CPRA but says it is included for information purposes. There is no service-provider contract baked into the standard plan that mirrors the CPRA's "limit purposes / no sale or sharing" language. To meet the statute you sign a service-provider addendum on top of the published DPA, which Bubble Sales is willing to discuss for enterprise customers.

    Sources[01]

  2. 02

    Right to delete is harder across continuous backups

    Major

    Bubble's continuous point-in-time backups default to a 20-year window on Enterprise dedicated. The CPRA right to delete applies across copies, so the controller has to document how erasure is reconciled with the backup chain. The 8-day-minimum Enterprise window helps; the shared tier does not give you the same level of control.

    Sources[04]

  3. 03

    Sub-processor visibility is poor

    Major

    CPRA requires consumers to know who else handles their data, and the CPPA's enforcement against Tractor Supply in September 2025 turned partly on opacity in the sharing chain. Bubble's sub-processor page is JavaScript-rendered and only AWS and Cloudflare are confirmed as named sub-processors from other bubble.io pages — a deliberately transparent CCPA disclosure has to be produced by hand.

    Sources[05][03]

  4. 04

    Plugins can quietly create "sharing" relationships

    Major

    Third-party Bubble plugins load JavaScript in the user's browser and can pass data to vendors that have not signed your service-provider addendum. Under CPRA, that becomes "sharing" subject to the opt-out. Each plugin has to be inventoried, evaluated for whether it triggers sharing, and either gated behind GPC or replaced.

    Sources[06]

  5. 05

    Audit log is too short for a CPPA investigation

    Minor

    Bubble's server log search is limited to the previous two weeks. CPPA investigations can demand records of consumer requests and opt-out handling over months, and the audit log is not documented as tamper-proof. A CCPA-defensible deployment ships its own request log to a longer-retention store.

    Sources[07]

Bubble vs a compliant stack

Where each requirement passes or breaks.

The same 7 requirements an auditor will ask about, scored on both stacks. Read across each row — every red cell is a deal you can’t close on Bubble.

Requirement · On Bubble.io · On a compliant rebuild

  • CPRA service-provider addendum
    On Bubble.io: Partial · Negotiable on top of DPA; not in the standard plan terms
    On a compliant rebuild: Pass · Service-provider terms in your DPA

  • Do Not Sell or Share link + GPC honouring
    On Bubble.io: Partial · Build-your-own in the editor
    On a compliant rebuild: Pass · Server-rendered with audit trail

  • DSAR queue with statutory deadlines
    On Bubble.io: Partial · Workflows + custom UI
    On a compliant rebuild: Pass · Dedicated DSAR service + SLA dashboard

  • Right to delete across backups
    On Bubble.io: Partial · 20-year default; 8-day minimum; configurable on Enterprise only
    On a compliant rebuild: Pass · Backup window under your control

  • Sub-processor / sharing transparency
    On Bubble.io: Partial · JS-rendered list; AWS + Cloudflare confirmed
    On a compliant rebuild: Pass · Maintained list in your DPA

  • CPPA risk-assessment record (Jan 1 2026)
    On Bubble.io: Partial · Document yourself
    On a compliant rebuild: Pass · Standard control library covers it

  • Long-retention audit trail for investigations
    On Bubble.io: Fail · Logs limited to two weeks
    On a compliant rebuild: Pass · Immutable log shipped to long-term store

What it costs your business

The deals you lose without CCPA / CPRA.

CCPA pain is mostly contractual and product-level. Californian B2B buyers fail you on the service-provider clause and a missing or broken DSAR / opt-out flow. The CPPA also has a private right of action for breaches at $107–$799 per incident, so security misses turn into class actions before they turn into CPPA fines. The Tractor Supply settlement is the warning shot.

  • A Californian enterprise buyer asks for a service-provider addendum on top of the Bubble DPA — without it, their privacy team won't sign the MSA.

  • Your "Do Not Sell or Share" link forwards to a confirmation page but doesn't actually stop any plugin tracking — the CPPA's $1.35M Tractor Supply settlement (Sept 30, 2025) was substantively that failure.

  • A DSAR comes in and the response misses the statutory deadline because the request log is buried in two-week Bubble logs — the CPPA opens an inquiry under the new no-cure-period model.

  • A breach exposes Californian credentials and the private right of action fires at $107–$799 per consumer for unencrypted data — class-action class size matters more than any single fine.

Three honest paths forward

Stay, hybrid, or rebuild — pick the one true to your stage.

We don’t recommend a rebuild for every founder. Below: what each path costs you, what it preserves, and where it breaks for CCPA / CPRA.

01

Cheapest now · riskiest later

Viable

Stay on Bubble + service-provider addendum

Sign the Bubble DPA, add a CPRA service-provider addendum, build a working DSAR flow, ship the Do Not Sell / Share link, honour Global Privacy Control headers, and prepare a CPPA risk assessment for any significant-risk processing. Recommended for almost all Californian deals.

Pros

  • DPA is published; service-provider addendum is negotiable
  • DSAR flow can be built in the editor in 1–2 sprints
  • GPC + opt-out signals are a front-end change, not a rebuild
  • Preserves the Bubble investment entirely

Cons

  • Plugin inventory and per-plugin sharing assessment is manual
  • Backup-retention documentation is on you
02

Phased · auditor-defensible

Partial fit

Hybrid: move DSAR + opt-out log off Bubble

Keep Bubble for the app; move the DSAR queue, opt-out preference log, and CPPA risk-assessment record into a Next.js service on Vercel or AWS with longer retention and an immutable audit log. Only useful when a Californian regulator-facing buyer asks for evidence Bubble's two-week log won't give.

Pros

  • Lets you meet CPPA evidence requests without a full rebuild
  • Improves DSAR latency tracking
  • Phaseable — start with the request log only

Cons

  • Two stacks to operate
  • Identity + session sync between Bubble and the service
Recommended
03

Highest upfront · clean audit

Viable

Full rebuild on Next.js + Vercel / AWS

Only justified when CCPA is layered with HIPAA, FedRAMP, or other standards that already demand a non-Bubble stack. Target stack: Next.js on Vercel Enterprise (DPF, SOC 2 Type 2, ISO 27001) or AWS US under your own DPA and CPRA service-provider terms.

Pros

  • Sub-processor list under your contract
  • Backup window and audit log under your control
  • Easier to layer SOC 2 / ISO 27001 later

Cons

  • CCPA alone almost never justifies the spend
  • Highest upfront cost

Composite case study

What an honest CCPA / CPRA migration looks like in practice.

US SaaS · 18 months on Bubble · California enterprise pilot

Founder had a Californian enterprise customer ready to sign when the buyer's privacy counsel pushed back on the MSA: they needed a CPRA service-provider addendum on top of Bubble's DPA, a documented DSAR flow with a working Do Not Sell or Share link, and confirmation that the app honoured the Global Privacy Control header. The team negotiated the service-provider addendum with Bubble Sales, shipped a DSAR queue and a GPC-aware opt-out endpoint inside Bubble, inventoried plugins for sharing relationships, and produced a one-page record of the new CPPA risk assessment for processing of California consumer accounts.

Outcome: Privacy counsel approval in 13 working days; the same artefact pack moved two further Californian pilots from "legal review" to "signed" the next quarter.

Composite case study assembled from patterns we've seen across multiple US privacy migrations. Anonymised for client privacy — happy to walk you through the actual CPPA-aligned playbooks on a scoping call.

Frequently asked

What founders ask about CCPA / CPRA on Bubble.

Pulled from real conversations with founders running healthcare, fintech, and B2B SaaS apps off Bubble. Every answer is grounded in the source we cited above — no marketing fluff.

Q01 · Has Bubble ever supported CCPA?
Bubble has listed CCPA / CPRA in its "Other frameworks" page since the CPRA amendments came into force. The platform position has stayed steady: Bubble provides the DPA and the building blocks (privacy policy hosting, custom workflows for DSAR), and the developer signs the service-provider addendum and ships the opt-out mechanics.

Q02 · What about plugins or third-party CCPA add-ons?
Plugins are the most underestimated CCPA risk on Bubble. Anything that loads JavaScript in the browser or ships server-side actions can move personal information to a third party — that's "sharing" under CPRA. Inventory every plugin, gate the ones that need consent behind GPC, and replace the ones that won't sign a service-provider addendum.

Q03 · Can we stay on Bubble for a Californian enterprise deal?
Almost always yes. The buyer wants three things: a signed service-provider addendum on top of Bubble's DPA, a working DSAR flow and Do Not Sell link, and proof you honour the Global Privacy Control header. All three are deliverable on Bubble in weeks. The exception is when CCPA stacks on top of a standard like HIPAA that itself forces a rebuild.

Q04 · How long does a CCPA-driven rebuild take?
If you genuinely need it: 6–14 weeks for the affected surfaces. Week 1 is the data-flow map and service-provider audit, weeks 2–4 stand up Next.js plus the host, the middle of the schedule moves the workflows, and the end is the cutover. Most teams don't take this path for CCPA alone — it usually rides on a HIPAA or SOC 2 driver.

Q05 · Does a CCPA rebuild also satisfy GDPR or LGPD?
It overlaps with both but doesn't replace either. GDPR needs its own DPA, EU SCCs, and EEA-aware controls; LGPD needs ANPD-aligned SCCs and a Brazilian DPO. The mechanics — opt-out, DSAR, deletion across backups — line up across the three regimes, so doing CCPA cleanly cuts the marginal cost of the others.

Q06 · Can Bubble sign a service-provider addendum?
Yes — Bubble's standard DPA is the starting point and Bubble Sales is willing to negotiate a CPRA service-provider addendum on top for enterprise customers. The addendum is what binds Bubble (as service provider) to the CPRA's purpose-limitation and no-sale / no-share clauses, separately from the GDPR-style DPA at bubble.io/dpa.

Sources

Every claim, traced to a primary source.

The numbered references in the body link here. We cite first-party documents — regulator guidance, vendor manuals, industry standards — never marketing copy.

  1. [01]
  2. [02] Bubble Data Processing Addendum (DPA) · Bubble Group Inc. · bubble.io
  3. [03]
  4. [04]
  5. [05] Bubble sub-processor list · Bubble Group Inc. · bubble.io
  6. [06]
  7. [07]
  8. [08] California Privacy Protection Agency — regulations and enforcement · California Privacy Protection Agency · cppa.ca.gov
  9. [09] CPPA — 2025 inflation adjustment of penalty thresholds ($2,663 / $7,988) · California Privacy Protection Agency · 2024-12-17 · cppa.ca.gov

Want a real answer for your app, not your category?

Drop your .bubble export. We’ll tell you what CCPA / CPRA costs to actually achieve.

Free. 10 minutes. No call. Reads every workflow, surfaces every PII / WU / scaling risk, and produces a fixed-price rebuild plan grounded in CCPA / CPRA’s real requirements.