GDPR and CCPA Compliance: What SaaS Companies with US and EU Users Need to Know
GDPR and CCPA compliance is the baseline privacy requirement for any SaaS company serving both European and California users. GDPR governs all EU and UK residents' personal data. CCPA (and its 2023 update, CPRA) governs the personal information of California consumers, for businesses that meet specific thresholds. For a B2B SaaS with global customers, both almost certainly apply simultaneously.
The good news: roughly 70% of the compliance work overlaps. The bad news: the 30% that diverges includes some of the most operationally expensive requirements. This brief maps both.
What Triggers Each
GDPR
Applies to any organization processing personal data of EU or UK residents, regardless of company location. No revenue threshold. No minimum user count. If a single EU resident uses your product, GDPR applies to that data.
CCPA / CPRA
Applies to for-profit businesses doing business in California that meet at least one of these thresholds:
- Annual gross revenue over $25 million
- Buys, sells, or receives the personal information of 100,000+ California consumers per year
- Derives 50% or more of annual revenue from selling or sharing California consumers' personal information
Most growth-stage SaaS companies hit the 100,000 consumer threshold before the revenue threshold. B2B SaaS processing employee or contact data of California residents counts toward the threshold.
Core Requirements Compared
| Requirement | GDPR | CCPA / CPRA |
|---|---|---|
| Legal basis for processing | Required before processing (Art. 6) | Not required — opt-out model |
| Privacy notice | Required — must include lawful basis, retention periods, international transfers | Required — categories collected, purposes, third-party sharing |
| Consent | Required for certain processing (cookies, marketing, special categories) | Required only for sensitive data and minors under 16 |
| Data subject rights | Access, rectification, erasure, portability, restriction, objection | Access, deletion, correction, portability, opt-out of sale/sharing |
| Processor contracts | DPA required for every processor | Service provider contract required; less prescriptive than DPA |
| Data breach notification | 72 hours to supervisory authority | No CCPA-specific timeline; California's general breach law applies (45 days) |
| Enforcement | National DPAs; fines up to €20M or 4% global revenue | California Privacy Protection Agency (CPPA); fines up to $7,500 per intentional violation |
The 70% Overlap: Build This Once
The following work satisfies both frameworks and should be built as shared infrastructure:
Data inventory and mapping
GDPR's Record of Processing Activities and CCPA's requirement to disclose categories of personal information both require the same underlying work: a complete inventory of what data you collect, why, where it goes, and how long you keep it. Build one data map, tag each field as "GDPR personal data," "CCPA personal information," or both, and feed both compliance programs from it.
Privacy notice
One document can cover both if it explicitly includes GDPR-required elements (lawful basis, DPO contact if applicable, international transfer mechanism) and CCPA-required elements (categories of personal information sold or shared, right to opt-out). Structure it with clearly labeled sections.
Data subject rights workflow
Both frameworks require processes to receive, verify, and fulfill individual rights requests. The rights differ (see below), but the intake process, identity verification, response window (30 days under CCPA vs one month under GDPR), and record-keeping can be unified. Build one rights management workflow with conditional logic based on request type.
Vendor management
GDPR requires a Data Processing Agreement with every third-party processor. CCPA requires a service provider contract that restricts the vendor from using personal information beyond the defined purpose. Different document names, similar function. A well-drafted DPA typically satisfies CCPA's service provider requirements with minimal additions.
Consent for marketing and cookies
Both frameworks restrict use of personal data for marketing without consent or a valid legal basis. Cookie consent banners built to GDPR's opt-in standard automatically satisfy CCPA's opt-out-of-sale requirement, since you're already getting consent before dropping tracking cookies.
Security program
GDPR Article 32 requires appropriate technical and organizational measures. CCPA's implied security requirement (backed by its private right of action for data breaches) points to the same outcome. One security program — access controls, encryption, logging, vulnerability management — satisfies both.
The 30% That Diverges
Lawful basis (GDPR only)
GDPR requires documenting a lawful basis under Article 6 before processing personal data. CCPA operates on a notice-and-opt-out model — you can process data unless the consumer opts out. This means your GDPR compliance work includes a processing register that CCPA does not require, but that is useful to build regardless.
Opt-out of sale and sharing (CCPA only)
CCPA requires a "Do Not Sell or Share My Personal Information" opt-out mechanism for consumers. GDPR has no equivalent sale-specific right, though its objection right achieves a similar outcome in many contexts. You need a CCPA-specific opt-out link — typically in the website footer and within your privacy settings — that has no direct GDPR equivalent.
Special category data (GDPR only)
GDPR Article 9 imposes stricter requirements on health, biometric, genetic, racial/ethnic origin, political opinion, religious belief, trade union membership, and sexual orientation data — requiring explicit consent or another Article 9 basis on top of the Article 6 basis. CCPA/CPRA has a "sensitive personal information" category with opt-out rights, but it's a narrower list and the remedy is an opt-out, not a prior basis requirement.
Data Protection Officer (GDPR only)
GDPR may require appointing a DPO if you process special category data at scale or engage in systematic monitoring. CCPA has no equivalent role requirement.
International transfer mechanisms (GDPR only)
GDPR restricts transfers of EU personal data to third countries without an adequate safeguard — Standard Contractual Clauses (SCCs), an adequacy decision, or Binding Corporate Rules. Transfers to US-based processors require SCCs or a US entity certified under the EU-US Data Privacy Framework. CCPA has no equivalent cross-border transfer restriction.
Private right of action (CCPA only)
CCPA grants California consumers a private right of action for data breaches caused by failure to implement reasonable security — statutory damages of $100–$750 per consumer per incident without needing to prove actual harm. GDPR's equivalent is a complaint to a supervisory authority, though EU member states also allow individual compensation claims. The CCPA private right of action creates direct litigation exposure that GDPR's enforcement model does not replicate exactly.
Rights Comparison Table
| Right | GDPR | CCPA / CPRA |
|---|---|---|
| Access / know | ✅ | ✅ |
| Delete / erasure | ✅ | ✅ |
| Correction / rectification | ✅ | ✅ (CPRA addition) |
| Portability | ✅ | ✅ |
| Opt-out of sale | ❌ (objection covers some scenarios) | ✅ |
| Restriction of processing | ✅ | ❌ |
| Objection to processing | ✅ | ❌ |
| Opt-out of automated decisions | ✅ | ✅ (CPRA addition for profiling) |
The Practical Dual-Compliance Program
- Data inventory first — map everything before writing policies or implementing workflows. Every other step depends on knowing what you process.
- Write privacy notice to GDPR standard — it will satisfy CCPA if you add sale/sharing disclosures and opt-out instructions.
- Implement cookie consent to GDPR opt-in standard — CCPA opt-out requirement is automatically satisfied.
- Build a unified rights intake workflow — branch on request type, not requestor geography.
- Draft DPAs to include CCPA service provider language — one contract covers both.
- Add CCPA opt-out of sale mechanism — footer link + privacy settings toggle; GDPR has no equivalent.
- Document lawful bases for GDPR — CCPA does not require this, but it forces precision that improves the entire program.
- Implement SCCs for US-EU data transfers — CCPA has no equivalent requirement but the DPA infrastructure you build for GDPR creates the foundation.
For GDPR-specific implementation detail, see GDPR for SaaS and the GDPR service page. For CCPA-specific requirements, see CCPA requirements and the CCPA service page.
Frequently Asked Questions
Can one privacy policy cover both GDPR and CCPA?
Yes, but only if it explicitly addresses the requirements of both. A single document can satisfy both laws if it discloses categories of personal information collected and sold (CCPA), explains the lawful basis for processing (GDPR), describes all data subject rights under both frameworks, and includes CCPA's opt-out of sale and GDPR's right to erasure and portability. Many SaaS companies use a single policy with clearly labeled GDPR and CCPA sections.
Is CCPA compliance enough for GDPR?
No. CCPA compliance does not satisfy GDPR. The key gaps: GDPR requires a documented lawful basis before processing (CCPA does not), GDPR requires a Data Processing Agreement with every third-party processor (CCPA does not), and GDPR's breach notification window is 72 hours vs no specific CCPA timeline. GDPR is the stricter framework on almost every dimension.
What is the difference between GDPR and CCPA data subject rights?
GDPR grants: access, rectification, erasure, portability, restriction, and objection. CCPA/CPRA grants: access, deletion, correction, portability, and opt-out of sale or sharing. The key CCPA-only right is opt-out of sale/sharing. The key GDPR-only rights are restriction of processing and objection to processing.
Does CCPA apply to EU companies with California customers?
Yes. CCPA applies based on where consumers reside, not where the business is incorporated. An EU-based SaaS that meets the thresholds must comply with CCPA for its California users regardless of where the company is located.
Ready to Build One Program That Covers Both?
ShieldKey designs privacy programs for SaaS companies operating under GDPR, CCPA, and both simultaneously. We map your data flows, identify the overlap, and build a unified program that eliminates duplicated work.