
Data Privacy Basics for SaaS Founders

6 min read By Garrison English, Esq., MBA April 2026

If your SaaS product collects, stores, or processes personal data from users, customers, or their end users, you are operating in one of the most rapidly evolving areas of business law. Privacy regulations have multiplied significantly over the past several years, and the trend is continuing. States are passing their own laws. Enforcement is increasing. Enterprise customers are asking harder questions during procurement.

You do not need to become a privacy expert to build a compliant SaaS company. You do need to understand which laws apply to you, what they require, and what to put in place before you scale. This article covers the essentials.

GDPR: The Global Baseline

The General Data Protection Regulation applies to any organization established in the European Union, and to any organization outside the EU that offers goods or services to people in the EU or monitors their behavior, regardless of where the organization is based. In practice, a SaaS product that markets to EU customers, accepts EU sign-ups, or runs analytics on EU visitors is in scope, and GDPR then governs how you handle those individuals' data.

The core principles of GDPR require that you collect only the data you actually need, use it only for the purposes you disclosed, protect it with appropriate security measures, and be prepared to respond to individuals who exercise their rights under the law. Those rights include the right to access their data, correct inaccurate data, delete their data in certain circumstances, and object to certain types of processing.

For SaaS companies, the most immediately practical GDPR requirements are these: a privacy policy that accurately describes your data practices, a lawful basis for each type of processing you perform, data processing agreements with your vendors and sub-processors, and a process for responding to data subject requests within the required timeframe, which is without undue delay and in any event within one month of receipt, extendable by a further two months only for complex or numerous requests and only if you tell the individual why.

If you experience a personal data breach, GDPR requires the controller to notify its supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to individuals; a later notification must explain the delay. Where the breach is likely to result in a high risk, affected individuals must also be told. Note the role split: for customer data, a SaaS vendor is usually a processor, not the controller, and its obligation is to notify the customer without undue delay so the customer's 72-hour clock can run. Customer DPAs often shorten that window contractually to 24 to 48 hours. Either way the clock starts immediately, so having an incident response process in place before a breach occurs is not optional.

GDPR's 72-hour breach notification clock starts when you become aware of the incident, not when you finish investigating it. Build your response process before you need it.

CCPA and CPRA: California Sets the Standard

The California Consumer Privacy Act, as amended by the California Privacy Rights Act, applies to for-profit businesses doing business in California that meet any one of three thresholds: annual gross revenues over $25 million (a figure adjusted periodically for inflation), annually buying, selling, or sharing the personal information of 100,000 or more consumers or households, or deriving 50 percent or more of annual revenue from selling or sharing personal information.

Even if you do not currently meet these thresholds, the CCPA framework matters because it has influenced laws across the country and because enterprise customers in California often contractually require CCPA-compliant practices from their vendors regardless of whether the law technically applies.

CCPA gives California consumers the right to know what personal information a business collects about them, the right to delete that information, the right to correct inaccurate information, the right to opt out of the sale or sharing of their information, the right to limit the use of their sensitive personal information, and the right not to be discriminated against for exercising these rights. Businesses subject to CCPA must provide a clear privacy notice, an opt-out mechanism (including honoring browser-level opt-out preference signals such as Global Privacy Control), and a process for responding to requests to know, delete, or correct within 45 days, extendable once by a further 45 days with notice to the consumer.

The State Privacy Law Wave

California was first, but it is no longer alone. Virginia, Colorado, Connecticut, Utah, and Texas have all enacted comprehensive consumer privacy laws. More states pass new laws each legislative session. While these laws share significant similarities with GDPR and CCPA, they differ in scope, exemptions, and enforcement mechanisms.

For most SaaS companies, the practical response to this proliferating landscape is to build privacy practices that satisfy the most demanding applicable requirements rather than attempting to maintain separate compliance programs for each state. A privacy program that meets GDPR and CCPA standards will generally satisfy most state law requirements as well.

The Texas Data Privacy and Security Act, which took effect on July 1, 2024, applies to any business that conducts business in Texas or produces products or services consumed by Texas residents, processes or sells personal data, and is not a small business as defined by the U.S. Small Business Administration (small businesses are still barred from selling sensitive data without consent). Unlike CCPA and most other state laws, it has no revenue or consumer-count threshold, so it reaches companies well below the CCPA line. The law gives Texas consumers rights similar to those under CCPA, and enforcement is carried out by the Texas Attorney General.

What Every SaaS Company Needs in Place

Regardless of which specific laws apply to your company today, the following baseline should be in place before you onboard paying customers.

  • A current, accurate privacy policy: Your privacy policy must describe what data you collect, why you collect it, how you use it, who you share it with, how long you retain it, and how individuals can exercise their rights. Generic templates pulled from the internet frequently describe practices that do not match what a product actually does. Your privacy policy should be drafted to reflect your actual data flows.
  • Terms of service that address data: Your terms of service should include provisions addressing data ownership, your license to use customer data, data security obligations, and what happens to data when a customer terminates. Enterprise customers will review these carefully.
  • Data processing agreements with your vendors: Every service you use that processes personal data on your behalf, including cloud infrastructure providers, analytics tools, email platforms, and customer support software, should have a data processing agreement (DPA) in place. Most major vendors offer standard DPAs. Execute them and keep records.
  • Cookie consent for web properties: If your website or product uses cookies or similar tracking technologies, you need a mechanism for obtaining consent from users in jurisdictions that require it. For EU visitors, that means prior opt-in consent before any non-essential cookie or tag runs; strictly necessary cookies (session, CSRF, the consent record itself) are exempt. For US visitors, it typically means a clear disclosure with opt-out options, including honoring an opt-out preference signal sent by the browser. Whatever banner you use, the gating has to be enforced in code: a banner that is displayed while the analytics script has already loaded is not consent.
  • An incident response plan: Know what you will do if a breach occurs. Who is responsible for containment and investigation? Who decides whether notification is required? Who drafts and sends notifications? Having a written plan and practicing it before you need it dramatically reduces the cost and liability of an actual incident.
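The cookie consent item above describes a rule (no non-essential tags before opt-in for EU visitors, opt-out for US visitors); this added example shows what enforcing it looks like in the page itself. It is illustrative code written for this article, not code from the original page or from any vendor's consent product. It assumes that something upstream (a CDN geo header, for instance) tells the page whether the visitor is in an opt-in region, that stored choices are versioned against the privacy policy so a stale choice is re-prompted rather than trusted, and that the browser's Global Privacy Control signal is treated as an opt-out of sale and sharing. Tag names and the `POLICY_VERSION` value are made up for the example.

```javascript
// Consent gate for non-essential tags (illustrative example, not a library).

// Bump this when the privacy policy or tag set changes; stored choices made
// under an older version are ignored so the visitor is asked again.
const POLICY_VERSION = 3;

const NON_ESSENTIAL = ["analytics", "marketing"];

// Read the Global Privacy Control signal if we are in a browser; false otherwise.
function readGpcSignal() {
  return typeof navigator !== "undefined" && navigator.globalPrivacyControl === true;
}

// Compute the effective consent state.
//   region: "EU" means prior opt-in is required (assumption: supplied by the caller,
//           e.g. from a geo header); any other value is treated as an opt-out regime.
//   stored: previously saved choices, e.g. {version: 3, analytics: true, marketing: false}, or null.
//   gpc:    true when the browser sent the Global Privacy Control opt-out signal.
function resolveConsent({ region, stored, gpc }) {
  const optInRegime = region === "EU";
  const state = { essential: true, analytics: false, marketing: false };

  // A stored choice only counts if it was made under the current policy version.
  const usable = stored && stored.version === POLICY_VERSION ? stored : null;

  for (const cat of NON_ESSENTIAL) {
    if (usable && typeof usable[cat] === "boolean") {
      state[cat] = usable[cat];      // an explicit user choice always wins
    } else {
      state[cat] = !optInRegime;     // EU: deny until opt-in; elsewhere: allow until opt-out
    }
  }

  // GPC is an opt-out of sale/sharing: it overrides a default-allow for marketing,
  // but never upgrades a denial to an allow.
  if (gpc) state.marketing = false;
  return state;
}

// Build the record to persist when the visitor makes a choice. This record is itself
// a strictly necessary cookie and may be set without consent.
function recordChoice(choices, nowMs) {
  return {
    version: POLICY_VERSION,
    analytics: choices.analytics === true,
    marketing: choices.marketing === true,
    decidedAt: new Date(nowMs).toISOString(),
  };
}

// Tag registry: every tag declares a category. Tags with no or unknown category are
// never run (fail closed), which catches a tag someone added without classifying it.
const TAGS = [
  { name: "session",   category: "essential", run: () => "session cookie set" },
  { name: "analytics", category: "analytics", run: () => "analytics script loaded" },
  { name: "ad-pixel",  category: "marketing", run: () => "ad pixel loaded" },
  { name: "mystery",   category: undefined,   run: () => "unclassified tag ran" },
];

function runAllowed(tags, consent) {
  const ran = [];
  for (const tag of tags) {
    if (consent[tag.category] === true) ran.push(tag.run());
  }
  return ran;
}

// Entry point a page would call on load (illustrative): gate tags on the resolved state.
function gateOnLoad(region, stored) {
  return runAllowed(TAGS, resolveConsent({ region, stored, gpc: readGpcSignal() }));
}
```

The two checks worth copying even if you use a commercial consent manager are the version check (a consent record collected under an older policy is not consent for the current one) and the fail-closed default for unclassified tags, which is how unreviewed tracking pixels most often slip onto a page.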

Privacy During the Sales Process

Enterprise and mid-market customers increasingly conduct privacy and security reviews as part of their vendor onboarding process. You may be asked to complete security questionnaires, provide your privacy policy and DPA, demonstrate compliance with specific frameworks, or submit to a vendor risk assessment.

Companies that have their privacy documentation in order close enterprise deals faster. Companies that do not have it in order lose deals they would otherwise win, sometimes without ever knowing why. Privacy compliance is not just a legal obligation. It is a competitive factor in B2B sales.

If you are a SaaS founder working through your privacy compliance for the first time, or if you are preparing for an enterprise sales motion and need your documentation reviewed and updated, Thaler Law can help you get there efficiently and at a predictable cost.