You've heard of GDPR and CCPA. Maybe someone mentioned them in a meeting. Maybe you got a vendor questionnaire asking about compliance. Maybe you just saw the acronyms in every privacy policy you've ever skimmed.
Here's what you actually need to know: GDPR and CCPA are the two privacy laws you will run into most often. If you collect personal data (emails, names, IP addresses, payment info, anything that identifies a person) you probably need to comply with at least one of them.
This guide explains both laws in plain language. No legal jargon. No 50-page treatises. Just the facts you need to know.
GDPR: The European Privacy Law That Applies Globally
The General Data Protection Regulation (GDPR) went into effect in May 2018. It's the European Union's comprehensive data privacy law.
Here's the thing most people miss: GDPR isn't just for European companies. It applies to anyone who processes the personal data of people in the EU while offering them goods or services (paid or free) or monitoring their behaviour.
You're a US-based startup with 50 customers in Germany? GDPR applies.
You're a Canadian SaaS company that markets to users in France? GDPR applies.
The law has extraterritorial reach. If you offer your service to people in the EU, or track what they do on it, you're in scope regardless of where your company is incorporated or where your servers sit. Note that the test is where the person is, not their citizenship: an EU citizen living in Texas isn't covered, a Brazilian living in Lisbon is.
What GDPR Actually Requires
At its core, GDPR gives people control over their personal data. Here's what that means in practice:
1. You need a legal basis to collect data.
You can't collect personal data just because you want it. GDPR lists six lawful bases, and you must be able to name one for each purpose you process data for. The three you'll use most:
- Consent: The user actively opted in (ticking an unticked box counts; a pre-ticked box, silence, or continuing to use the site does not), and can withdraw as easily as they opted in
- Contract: You need the data to deliver the service the user signed up for (like an email address to send login links)
- Legitimate interest: You have a genuine business need, such as fraud prevention or securing your network, that isn't outweighed by the user's interests and rights. Write down the balancing test; regulators ask for it.
The other three (legal obligation, vital interests, public task) come up less often for a typical SaaS product.
2. Users have the right to access their data.
If someone asks, "What data do you have on me?" you must tell them, normally within one month, and hand over a copy in an intelligible form along with why you process it, how long you keep it, and who you share it with.
3. Users have the right to delete their data.
Also called the "right to be forgotten." If someone requests erasure, you must comply unless you have a legal reason to keep the data (like invoices you're required to retain for tax purposes). You also have to pass the request on to processors and other recipients you've shared the data with.
4. Users have the right to data portability.
People can ask for the data they gave you in a structured, machine-readable format (think JSON or CSV) so they can take it to a competitor. It covers data you process on the basis of consent or contract, not everything you hold about them.
5. You must report data breaches within 72 hours.
Whether someone hacks your database or an employee emails a customer list to the wrong person, you must notify your supervisory authority within 72 hours of becoming aware of a breach that puts people's data at risk. If the breach is likely to cause real harm (a "high risk" to the people affected), you must notify them too, without undue delay. The clock starts when you become aware, so your internal reporting path matters as much as the external one.
6. You need a GDPR-compliant Privacy Policy.
Your policy must explain what data you collect, why you collect it, how long you keep it, and who you share it with. Generic templates don't cut it—the policy needs to reflect what you actually do.
7. Cookies require consent.
If you use non-essential cookies (analytics, advertising, tracking), you need permission before you set them. Those cookie banners with "Accept All" and "Reject All" buttons are the result. Strictly, the cookie rule comes from the EU ePrivacy Directive; GDPR sets the standard the consent has to meet, which is why a banner with no real way to say no doesn't count.
GDPR compliance isn't a checkbox. It's a set of practices. You need a privacy policy. You need a way to handle data requests. You need to think about privacy when building features. You need to train your team. It's ongoing work, not a one-time project.
What Happens If You Don't Comply
The penalties are steep: up to €20 million or 4% of annual global revenue, whichever is higher.
In practice, most fines aren't that extreme. Small companies with honest mistakes get warnings or small fines. But large companies ignoring obvious violations? Those get hit hard.
Google was fined €50 million (France's CNIL, 2019, for opaque consent in account setup). British Airways: £20 million (UK ICO, 2020, for a payment-card breach caused by weak security). H&M: €35 million (Hamburg, 2020, for surveilling employees).
The EU isn't messing around.
CCPA: California's Privacy Law (With a Revenue Threshold)
The California Consumer Privacy Act (CCPA) went into effect in January 2020. The California Privacy Rights Act (CPRA), which amended and expanded it, has applied since January 2023; the combined law is still usually called CCPA.
CCPA is California's version of GDPR. It's not identical—there are important differences—but the spirit is similar: give people control over their data.
Who Does CCPA Apply To?
This is where CCPA differs from GDPR. GDPR applies to everyone with EU users. CCPA has thresholds.
You're subject to CCPA if you do business in California and meet at least one of these criteria:
- Your annual gross revenue exceeds $25 million (the figure is adjusted for inflation every two years)
- You buy, sell, or share the personal information of 100,000 or more California consumers or households a year
- You derive 50% or more of your annual revenue from selling or sharing personal information
If you're a small startup with $2 million in revenue and 5,000 users, you're probably not subject to CCPA yet. But if you're growing, plan for it.
If you're a mid-sized SaaS company with $30 million ARR, you're definitely in scope.
What CCPA Actually Requires
CCPA gives California residents several rights:
1. Right to know what data you collect.
Users can ask: "What personal information do you have about me? Where did you get it? Who do you share it with?"
You must respond within 45 days (extendable by another 45 if you tell the person why).
2. Right to delete their data.
Similar to GDPR. If someone asks you to delete their data, you must comply—unless you need it for legal or operational reasons.
3. Right to opt out of data sales.
If you sell user data to third parties, you must let people opt out. This is the "Do Not Sell My Personal Information" link you see on websites.
(Note: CPRA added a parallel right to opt out of "sharing" personal information for cross-context behavioral advertising, which is why the link now usually reads "Do Not Sell or Share My Personal Information." You also have to honor an opt-out preference signal sent by the browser, such as Global Privacy Control.)
4. Right to non-discrimination.
You can't penalize users for exercising their privacy rights. You can't charge them more, deny service, or give them worse quality just because they opted out of data sales.
5. You need a CCPA-compliant Privacy Policy.
Your policy must include specific disclosures: what categories of data you collect, what you use it for, whether you sell it, and how users can exercise their rights.
What Happens If You Don't Comply
CCPA penalties are less severe than GDPR, but still painful:
- Up to $2,500 per unintentional violation
- Up to $7,500 per intentional violation
The California Attorney General can bring enforcement actions. And under CPRA, there's now a dedicated enforcement agency: the California Privacy Protection Agency.
Additionally, consumers can sue directly when a breach of unencrypted, unredacted personal information (things like Social Security numbers, financial account details with access codes, or login credentials) results from your failure to maintain reasonable security: $100 to $750 per consumer, per incident, or actual damages if higher. Multiplied across a customer base, that adds up fast, and whether your security was "reasonable" is what the lawsuit turns on.
GDPR vs CCPA: The Key Differences
Both laws protect privacy. Both give users rights. But they're not identical. Here's how they differ:
| Aspect | GDPR (EU) | CCPA (California) |
|---|---|---|
| Who it applies to | Anyone with EU users, no revenue threshold | Businesses meeting size/revenue thresholds |
| Geographic scope | EU residents, anywhere in the world | California residents only |
| Consent model | Lawful basis required before processing; where that basis is consent, it must be opt-in | Opt-out (collect and sell unless the user objects); opt-in only for selling or sharing data of under-16s |
| Right to deletion | Yes, with exceptions such as legal retention duties | Yes, with exceptions such as legal and security needs |
| Data portability | Yes, full export in machine-readable format | Yes, as part of the right to know (portable format where technically feasible) |
| Cookies | Consent required for non-essential cookies (via the ePrivacy Directive) | No cookie-consent rule, but advertising cookies fall under the sale/sharing opt-out, and browser signals like Global Privacy Control must be honored |
| Penalties | Up to €20M or 4% of global revenue | Up to $7,500 per intentional violation, plus private lawsuits over breaches |
The biggest practical difference: GDPR requires a lawful basis before you process any personal data, and where that basis is consent (cookies, marketing) it has to be opt-in. CCPA lets you collect, and even sell, data unless the user objects (opt-out).
This is why GDPR cookie banners have "Accept" and "Reject" buttons, while CCPA disclosures often just have a "Do Not Sell or Share My Personal Information" link, with the browser's opt-out signal treated as the same thing.
How to Comply (Without Hiring a Law Firm)
You don't need a $50,000 legal retainer to achieve basic compliance. Here's what you actually need to do:
Step 1: Audit Your Data
Before you can protect data, you need to know what data you have.
Make a list:
- What personal data do you collect? (Names, emails, IP addresses, payment info, etc.)
- Where do you store it? (Your database, Stripe, Google Analytics, email provider)
- Who has access to it? (Your team, third-party tools, contractors)
- How long do you keep it?
This is called a "data map." It's tedious but essential.
Step 2: Write (or Update) Your Privacy Policy
Your privacy policy needs to be accurate and specific. It should explain:
- What data you collect and why
- How long you keep it
- Who you share it with (payment processors, analytics tools, email providers)
- User rights under GDPR and/or CCPA
- How to contact you about privacy questions
Don't use a generic template without customizing it. Your policy should match what you actually do.
Step 3: Add Cookie Consent (If You Use Non-Essential Cookies)
If you have EU users and use analytics, advertising, or tracking cookies, you need a consent banner.
The banner must:
- Let users accept or reject, with reject as easy and visible as accept (no dark patterns, no pre-ticked boxes)
- Not set non-essential cookies, or load the scripts that set them, until the user has opted in
- Record the choice so you can demonstrate consent later and let the user change their mind
Tools like Cookiebot, OneTrust, or Osano can help with this.
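What "don't set cookies until the user consents" looks like in the browser, as an added example that is not part of the original article and not any of the tools mentioned above. The category names, the JSON shape of the stored consent record, the cookie name `consent`, the `/vendor/...` script paths and the treatment of a Global Privacy Control signal as an advertising opt-out are all assumptions made for illustration; commercial consent tools differ in detail but implement the same gate.

```javascript
// Added example, not from the original article. Category names, the
// consent-record format, the cookie name and the loader hooks are
// assumptions for illustration.
const NON_ESSENTIAL = ["analytics", "advertising"]; // strictly necessary cookies need no consent

// Pull a named cookie out of a document.cookie-style string ("a=1; b=2").
function readCookie(cookieString, name) {
  for (const part of String(cookieString).split(";")) {
    const eq = part.indexOf("=");
    if (eq < 0) continue;
    if (part.slice(0, eq).trim() !== name) continue;
    try { return decodeURIComponent(part.slice(eq + 1).trim()); } catch (e) { return ""; }
  }
  return "";
}

// Parse the stored record. Missing, malformed, or anything other than an
// explicit `true` per category means "no consent", so a user who has never
// seen the banner, or who dismissed it, gets no non-essential cookies.
function parseConsent(raw) {
  const consent = {};
  for (const c of NON_ESSENTIAL) consent[c] = false;
  if (typeof raw !== "string" || raw === "") return consent;
  let parsed;
  try { parsed = JSON.parse(raw); } catch (e) { return consent; }
  if (!parsed || typeof parsed !== "object") return consent;
  for (const c of NON_ESSENTIAL) consent[c] = parsed[c] === true;
  return consent;
}

// Serialize the user's banner choice. "Reject all" is stored just as
// explicitly as "Accept all" (with a timestamp, so consent can be shown
// later), and the banner does not nag a user who already said no.
function recordChoice(acceptAll) {
  const consent = {};
  for (const c of NON_ESSENTIAL) consent[c] = acceptAll === true;
  return JSON.stringify({ ...consent, recordedAt: new Date().toISOString() });
}

// A Global Privacy Control signal (navigator.globalPrivacyControl) is treated
// here as an opt-out of advertising cookies; assumption: those are the
// "sale or sharing" the signal refers to.
function applyGpc(consent, gpcEnabled) {
  return gpcEnabled === true ? { ...consent, advertising: false } : consent;
}

// The gate itself: run a loader only for categories with recorded consent.
// `loaders` maps category -> function that injects the vendor's script tag.
// Returns the categories that were actually loaded.
function loadConsented(consent, loaders) {
  const loaded = [];
  for (const c of NON_ESSENTIAL) {
    if (consent[c] === true && typeof loaders[c] === "function") {
      loaders[c]();
      loaded.push(c);
    }
  }
  return loaded;
}

// Browser entry point; only runs where `document` exists. The banner's
// buttons would call recordChoice(true) or recordChoice(false), write the
// result to the "consent" cookie, and then run this again.
if (typeof document !== "undefined" && typeof navigator !== "undefined") {
  const consent = applyGpc(parseConsent(readCookie(document.cookie, "consent")),
                           navigator.globalPrivacyControl === true);
  loadConsented(consent, {
    analytics: () => { const s = document.createElement("script"); s.src = "/vendor/analytics.js"; document.head.appendChild(s); },
    advertising: () => { const s = document.createElement("script"); s.src = "/vendor/ads.js"; document.head.appendChild(s); },
  });
}
```

The point to notice is the default: with no record, a garbled record, or a value that is not literally `true`, nothing non-essential loads. That is the property a regulator (or a privacy audit of your own site) checks first, and it is the one most homegrown banners get wrong by loading analytics before the user has clicked anything.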
Step 4: Build a Process for Data Requests
You need a way for users to:
- Request their data
- Delete their data
- Opt out of data sales (CCPA)
This doesn't have to be automated. A simple dedicated mailbox (a privacy@ address on your domain) works, as long as someone monitors it and responds within the legal timeframes: one month for GDPR (extendable by two more for complex requests) and 45 days for CCPA (extendable by another 45). Verify who is asking before you send or delete anything: a data request is also a convenient way for an attacker to pull someone else's account data, so confirm the request from the email address on the account or from the logged-in session.
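A minimal version of the request-handling logic behind Step 4 and the access, erasure and portability rights described earlier, as an added example that is not part of the original article: compute the response deadline, verify the requester against the account, export everything held on that person as machine-readable JSON, and erase it while keeping records under a legal hold. The in-memory store, its table names, the `legalHold` marker and the idea that `confirmedEmail` is the address that answered a confirmation message are constructed for illustration.

```javascript
// Added example, not from the original article. The store, its tables and the
// `legalHold` marker are constructed sample data; a real system would query
// its database and every processor it shares data with.
function freshStore() {
  return {
    users: [
      { id: "u1", email: "ana@example.com", name: "Ana", emailVerified: true },
      { id: "u2", email: "bo@example.com", name: "Bo", emailVerified: true },
    ],
    sessions: [
      { id: "s1", userId: "u1", ip: "203.0.113.7" },
      { id: "s2", userId: "u2", ip: "198.51.100.9" },
    ],
    invoices: [
      { id: "inv1", userId: "u1", amount: 49.0, legalHold: "tax-record" }, // must be kept
      { id: "inv2", userId: "u2", amount: 19.0 },
    ],
  };
}

// Base deadline for a response, as an ISO date. Both laws allow an extension
// (GDPR: two more months for complex requests; CCPA: 45 more days), but you
// must tell the requester about it within the base period.
function responseDeadline(law, receivedAt) {
  const d = new Date(receivedAt);
  if (law === "gdpr") d.setUTCMonth(d.getUTCMonth() + 1);     // "one month"
  else if (law === "ccpa") d.setUTCDate(d.getUTCDate() + 45); // "45 days"
  else throw new Error("unknown law: " + law);
  return d.toISOString().slice(0, 10);
}

// A request is (subjectId, confirmedEmail), where confirmedEmail is the
// address that actually replied to our confirmation message (assumption).
// Anything that doesn't match the verified address on the account is
// refused: a data request that skips this step is an exfiltration vector.
function verifyRequester(store, request) {
  const account = store.users.find((u) => u.id === request.subjectId);
  if (!account || account.emailVerified !== true) return false;
  return account.email.toLowerCase() === String(request.confirmedEmail || "").toLowerCase();
}

function belongsTo(table, row, subjectId) {
  return table === "users" ? row.id === subjectId : row.userId === subjectId;
}

// Access and portability: every row about the person, as machine-readable JSON.
function exportSubjectData(store, request) {
  if (!verifyRequester(store, request)) throw new Error("requester identity not verified");
  const out = {};
  for (const [table, rows] of Object.entries(store)) {
    const mine = rows.filter((r) => belongsTo(table, r, request.subjectId));
    if (mine.length > 0) out[table] = mine;
  }
  return JSON.stringify(out, null, 2);
}

// Erasure: delete every row about the person except those under a legal hold,
// and report what was kept and why, so the reply to the user can say so.
function deleteSubjectData(store, request) {
  if (!verifyRequester(store, request)) throw new Error("requester identity not verified");
  const result = { deleted: 0, retained: [] };
  for (const [table, rows] of Object.entries(store)) {
    store[table] = rows.filter((r) => {
      if (!belongsTo(table, r, request.subjectId)) return true;
      if (r.legalHold) {
        result.retained.push({ table, id: r.id, reason: r.legalHold });
        return true;
      }
      result.deleted += 1;
      return false;
    });
  }
  return result;
}
```

Two design choices worth copying: the identity check sits inside the export and delete functions rather than in the email workflow around them, so nobody can reach the data path without it; and erasure returns an explicit list of what was retained and on what basis, which is exactly what your reply to the user (and your record of the request) needs to state.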
Step 5: Update Your Terms and Contracts
If you use third-party tools that process user data on your behalf (Stripe, Mailchimp, AWS), GDPR requires a written contract with each of them, usually a Data Processing Agreement (DPA); CCPA has a similar contract requirement for service providers.
Most major SaaS providers offer standard DPAs you can sign. Check their websites or contact support.
Step 6: Train Your Team
Everyone who handles user data should understand basic privacy principles:
- Don't collect data you don't need
- Don't share data without permission
- Report suspected breaches internally the moment you notice them; the 72-hour clock starts when the company becomes aware
- Respond to data requests within the legal timeframe
This doesn't require formal training sessions. A quick team meeting or written guide works.
Do You Need Both GDPR and CCPA Compliance?
Possibly.
If you have EU users, you need GDPR compliance—full stop.
If you meet CCPA's thresholds and have California users, you need CCPA compliance.
Many companies end up complying with both. The good news: the requirements overlap significantly. If you build GDPR-level protections, CCPA compliance is mostly a matter of adding a few extra disclosures.
The Bottom Line
GDPR and CCPA are here to stay. More countries and states are passing similar laws (Virginia, Colorado, Utah, Connecticut). Privacy regulation is becoming the norm, not the exception.
You can either treat this as a burden or as a competitive advantage. Companies that take privacy seriously—that build it into their products, that communicate clearly about data practices—earn user trust. And trust is valuable.
Start with the basics: accurate privacy policy, cookie consent, data request process. Get those right, and you're 80% of the way there.
And if you're ever unsure, consult a lawyer who specializes in privacy law. A one-hour consultation can save you years of headaches.