Which privacy law applies to your SaaS company?

The answer is often both — and understanding why requires understanding each law's jurisdictional trigger. GDPR applies whenever you process personal data of EU residents, regardless of where your company is based. CCPA applies when you do business in California and meet certain size thresholds. A SaaS company based in Texas with users in Germany and California must comply with both frameworks simultaneously.

The fundamental difference in approach

GDPR is a "privacy by design" regulation — it requires you to build data protection into your product architecture from the outset, document your processing activities, justify each processing purpose with a lawful basis, and give users comprehensive rights over their data. It is proactive and prescriptive.

CCPA is more focused on transparency and consumer rights — requiring disclosure of what data you collect and share, the right to opt out of the "sale" or "sharing" of data, and the right to delete personal information. The 2026 CPRA amendments have expanded CCPA significantly, but it remains less architecturally demanding than GDPR.

| Feature | GDPR | CCPA / CPRA (2026) |
|---|---|---|
| Jurisdictional trigger | Processing data of EU residents | Business in California meeting size thresholds |
| Legal basis required? | Yes — one of six bases for each activity | No — transparency and opt-out model |
| Maximum fine | €20M or 4% of global revenue | $7,500 per intentional violation |
| Private right of action? | Yes — for data breaches | Yes — limited to data breaches |
| Children's data | Under 16 (member states may set a lower age) | Under 16 (opt-in required) |
| Data deletion right? | Yes — Right to Erasure (Art. 17) | Yes — Right to Delete |
| Data portability? | Yes — Right to Data Portability | Yes — Right to Know includes portable format |

GDPR lawful basis — the concept CCPA does not have

GDPR's most demanding requirement — the one most commonly misunderstood by US SaaS founders — is the requirement to document a lawful basis for every processing activity. You cannot process EU personal data without fitting within one of six categories: consent, contract performance, legal obligation, vital interests, public task, or legitimate interests.

For most SaaS companies, the primary bases are contract performance (processing necessary to deliver the subscribed service) and legitimate interests (analytics, security monitoring, fraud prevention). Consent is often over-relied upon — it is the weakest basis because it can be withdrawn at any time and requires genuine freely given choice, meaning it is difficult to use consent as the basis for processing that is essential to your service.

CCPA's expanded "sale" and "sharing" concept in 2026

The 2026 CPRA amendments confirmed and expanded the definition of "sharing" personal information — it now encompasses making personal information available for cross-context behavioural advertising, even without monetary consideration. This means that if you use any third-party advertising pixels, retargeting tools, or analytics platforms that use personal data for advertising optimisation, you are likely "sharing" data under CCPA and must provide a "Do Not Sell or Share My Personal Information" opt-out mechanism and honour Global Privacy Control signals.

What both laws require of your privacy policy

Both GDPR and CCPA require your privacy policy to disclose: what categories of personal data you collect; the purposes for which you use it; who you share it with; and what rights users have. But the specifics differ significantly — GDPR requires disclosure of your lawful basis for each processing activity and international transfer mechanisms, while CCPA requires disclosure of specific "categories" of personal information sold or shared in the preceding 12 months.

A single privacy policy can address both frameworks, but it must be structured carefully to satisfy the distinct disclosure requirements of each. TECHLAWG drafts dual-compliance privacy policies that address GDPR, CCPA, and the growing body of US state privacy law simultaneously. See our Privacy Policy Drafting service for details.

The enforcement reality in 2026

GDPR enforcement reached €1.7 billion in fines in 2023, according to the IAPP Enforcement Tracker, with enforcement accelerating in 2024 and 2025. The Irish Data Protection Commission, CNIL, and Italian Garante are now conducting proactive sector audits rather than waiting for complaints. AI processing practices, cookie consent mechanisms, and international transfer compliance are the current enforcement priorities.

CCPA enforcement by the California Privacy Protection Agency is similarly accelerating, with the CPPA's 2026 investigative programme focused on automated decision-making, sensitive data handling, and Global Privacy Control compliance.

Frequently Asked Questions

Does GDPR or CCPA have bigger fines?

GDPR has significantly larger maximum fines — up to €20 million or 4% of global annual revenue, whichever is higher. CCPA fines are up to $7,500 per intentional violation. However, CCPA fines can aggregate rapidly across large user populations, and California also has a private right of action for data breaches. Both create material financial exposure for non-compliance.

Do I need two separate privacy policies — one for GDPR and one for CCPA?

No — a single privacy policy can address both frameworks, but it must be carefully structured to satisfy the distinct disclosure requirements of each. Many SaaS companies use a single policy with jurisdiction-specific sections for EU users and California residents. The alternative — separate regional privacy policies — creates maintenance complexity and inconsistency risk.

Can I use consent as my lawful basis for all GDPR processing?

Not reliably. Consent is the weakest GDPR lawful basis for processing that is essential to your service — because users can withdraw it at any time, and regulators have voided consent for processing that users cannot meaningfully refuse. Contract performance is the appropriate basis for processing necessary to deliver your subscribed service. Consent is most appropriate for optional processing — marketing emails, optional personalisation features, and analytics not essential to the core service.

Does CCPA apply to B2B SaaS companies?

CCPA applies to personal information of California residents, including individual business contacts — so B2B CRM data and business email addresses of California-based individuals can be subject to CCPA. The law does not have a general B2B exemption. However, the practical impact on B2B SaaS companies is typically less extensive than on B2C companies with large consumer data sets.

What is the Global Privacy Control and do I need to honour it?

The Global Privacy Control is a browser-level signal that users can activate to automatically opt out of the sale and sharing of their personal information. California, Colorado, Connecticut, and several other states now legally require businesses to honour GPC signals. If you use any third-party advertising or analytics that constitutes "sharing" under CCPA, you must detect and honour GPC signals from California users.
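The following is an added example (not code from the original article or from TECHLAWG) of how a SaaS backend can detect the Global Privacy Control signal described in this answer and in the "sharing" section above, and suppress third-party tags that would constitute "sharing". The GPC specification defines the request header `Sec-GPC: 1` (and the browser property `navigator.globalPrivacyControl`); the preference shape, the tag list, and the rule that a GPC signal overrides a stored "sharing allowed" choice are this example's assumptions.

```javascript
// Added example, not from the original article. Only the header value "1"
// counts as a GPC signal under the specification; the data shapes and the
// override rule below are assumptions made for this example.

// Returns true only when the request carries Sec-GPC: 1. Header names are
// case-insensitive, so normalise before comparing.
function gpcSignalPresent(headers) {
  for (const [name, value] of Object.entries(headers || {})) {
    if (name.toLowerCase() === 'sec-gpc') return String(value).trim() === '1';
  }
  return false;
}

// Decide whether this request may load tags that "share" personal information.
// stored is the user's saved "Do Not Sell or Share" preference ({ optedOut }) or null.
// Assumption: a live GPC signal wins over a stored "sharing allowed" choice.
function resolveSharingDecision(headers, stored) {
  if (gpcSignalPresent(headers)) return { allowSharing: false, reason: 'gpc' };
  if (stored && stored.optedOut) return { allowSharing: false, reason: 'stored-opt-out' };
  return { allowSharing: true, reason: 'no-opt-out' };
}

// Persist a GPC opt-out so it survives later sessions where the header is
// absent. Returns a new preference object; the stored one is not mutated.
function applyGpcToPreference(headers, stored) {
  if (!gpcSignalPresent(headers)) return stored;
  return { ...(stored || {}), optedOut: true, source: 'gpc' };
}

// Filter the third-party tag list: tags flagged as sharing personal
// information are dropped when sharing is not allowed; others always load.
function tagsToLoad(decision, tags) {
  return tags.filter((t) => decision.allowSharing || !t.sharesPersonalInfo);
}

// Constructed sample data for a stand-alone run.
const SAMPLE_TAGS = [
  { name: 'error-monitoring', sharesPersonalInfo: false },
  { name: 'retargeting-pixel', sharesPersonalInfo: true },
  { name: 'ad-analytics', sharesPersonalInfo: true },
];

// A constructed California request with GPC on, against a profile that had
// previously allowed sharing: only the non-sharing tag should load.
function demo() {
  const req = { 'Sec-GPC': '1', 'User-Agent': 'constructed-sample' };
  const decision = resolveSharingDecision(req, { optedOut: false });
  return tagsToLoad(decision, SAMPLE_TAGS).map((t) => t.name);
}
```

The same check belongs in the client as well (reading `navigator.globalPrivacyControl` before any tag manager fires), since server-side filtering only covers tags the server injects.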

About the Author

Adam Jabbar is an Advocate of the High Courts, LLB University of London, and Managing Partner of TECHLAWG — a specialist tech law consultancy serving SaaS companies, app developers, crypto startups, and digital platforms across the US, EU, GCC, and Switzerland. He is the Amazon #1 bestselling author of Claude for Lawyers and ChatGPT for Lawyers.
