
GDPR and CCPA for Startups: What You Actually Need to Know

Data privacy laws can hit startups with massive fines. Learn what GDPR and CCPA actually require and how to stay compliant without breaking the bank.

Find the CTO
security compliance GDPR CCPA privacy

A B2B SaaS startup got an email last month from their EU customer: “We’re exercising our GDPR right to data deletion. Please delete all our data within 30 days and confirm.”

The startup had no process for this. Their data was spread across three databases, two analytics tools, email marketing, and customer support. It took them four weeks of engineer time to even find everything, let alone delete it.

Cost of non-compliance: €20M or 4% of revenue, whichever is higher.

Cost of compliance: Way less than that.

Here’s what startups actually need to know about GDPR and CCPA in 2026.

Do These Laws Apply to You?

GDPR (European Union)

GDPR applies if you:

  • Have customers or users in the EU
  • Process data of EU residents
  • Offer products/services to people in the EU

Location of your company doesn’t matter. US startup with EU customers? GDPR applies.

One founder told me: “We’re based in California, why do we care about EU law?”

Because they had 200 EU customers and GDPR fines start at €20M. That’s why.

CCPA (California)

CCPA applies if you:

  • Do business in California AND
  • Have annual revenue over $25M OR
  • Buy, sell, or share personal info of 100K+ California residents OR
  • Derive 50% or more of revenue from selling personal information

Most early-stage startups don’t meet these thresholds yet. But if you’re growing fast, you will.

The Reality Check

If you have any customers outside your home state or country, assume privacy laws apply to you.

Better to comply proactively than to find out during a lawsuit or regulatory investigation.

What GDPR Actually Requires

1. Lawful Basis for Processing Data

You need a legal reason to collect and use personal data:

  • Consent - User explicitly agreed
  • Contract - Necessary to provide your service
  • Legitimate Interest - You have a valid business reason
  • Legal Obligation - Required by law

Most B2B SaaS companies use “Contract” (need data to deliver the service) and “Legitimate Interest” (analytics, support).

Don’t just throw a cookie banner up and call it done. That’s consent, and consent has strict rules.

2. Privacy by Design

Build privacy into your product from day one, not bolt it on later.

What this means:

  • Collect minimum data needed (not everything possible)
  • Encrypt sensitive data at rest and in transit
  • Implement access controls (not everyone gets all data)
  • Design features with privacy in mind

One startup collected date of birth for all users “just in case we needed it later.” They didn’t need it. GDPR violation.

3. Data Subject Rights

EU residents have rights to:

  • Access - See what data you have on them
  • Rectification - Fix incorrect data
  • Erasure - Delete their data (the “right to be forgotten”)
  • Portability - Export their data
  • Object - Stop certain processing

You need processes and tools to handle these requests within 30 days.

4. Data Breach Notification

If you have a breach involving personal data:

  • Notify the relevant EU authority within 72 hours
  • Notify affected users if the breach poses high risk
  • Document what happened, what data was affected, and your response

One startup had a breach and didn’t notify anyone for two weeks because they “wanted to understand it first.”

Fine: €250K.

5. Privacy Policy

Your privacy policy must clearly explain:

  • What data you collect
  • Why you collect it
  • How you use it
  • Who you share it with
  • How long you keep it
  • User rights and how to exercise them

No legal jargon. Plain language. Actually readable.

6. Data Processing Agreements (DPAs)

Every vendor or partner who processes EU user data needs a DPA. This is a contract saying they’ll protect the data and comply with GDPR.

Check if your vendors have:

  • Standard DPAs available
  • GDPR-compliant terms
  • Sub-processor lists

Major vendors (AWS, Stripe, Twilio) all have DPAs ready. Smaller tools might not.

What CCPA Actually Requires

CCPA is similar to GDPR but with California flavor:

1. Notice at Collection

Tell users what data you’re collecting and why before you collect it.

Most companies do this in a privacy policy, but CCPA requires it at point of collection.

2. Right to Know

California residents can request:

  • What personal information you collected
  • Categories of sources
  • Business purpose for collection
  • Third parties you share with

You have 45 days to respond.

3. Right to Delete

Users can request deletion of their personal information.

Exceptions exist (you can keep data if you need it for legal compliance, security, etc.), but the default is: delete when asked.

4. Right to Opt-Out

If you sell personal information, users must be able to opt out.

“But we don’t sell data!”

CCPA defines “sell” broadly. Sharing data with ad networks? That counts. Using third-party analytics? Might count.

Add a “Do Not Sell My Personal Information” link to your website footer.

5. No Discrimination

You can’t discriminate against users who exercise their CCPA rights.

Can’t charge them more, provide worse service, or deny features because they opted out.

How to Actually Comply (Without Going Crazy)

Step 1: Data Mapping

You can’t protect data you don’t know about.

Create a spreadsheet:

  • What data do we collect? (email, name, IP address, behavior, etc.)
  • Where is it stored? (database, analytics, email tool, CRM)
  • Why do we collect it? (user account, billing, analytics, marketing)
  • How long do we keep it? (forever? 2 years? 90 days?)
  • Who has access? (engineers? support? sales? marketing?)

This takes 4-8 hours but is required for both GDPR and CCPA.

Step 2: Update Privacy Policy

Use a template (don’t write from scratch). Good sources:

  • Termly (generates privacy policies)
  • iubenda (privacy policy generator)
  • Your lawyer (if you have one)

Key sections:

  • What data you collect and why
  • Third-party services you use
  • User rights and how to exercise them
  • Contact info for privacy requests

Update your policy whenever you add new tools or data collection.

Step 3: Implement User Rights

Build features or processes to handle:

Data Export:

  • Let users download their data
  • JSON, CSV, or PDF formats work
  • Include everything you have on them

Data Deletion:

  • Delete user data when requested
  • Remove from all systems (database, backups, analytics, third parties)
  • Confirm deletion within 30 days

One startup hack: If you use Supabase, Postgres, or similar, tag every table that holds user data with a user_id column. Deletion becomes one DELETE FROM each_table WHERE user_id = X, or a single delete of the users row if the foreign keys are declared ON DELETE CASCADE. Clean and simple.
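An added example (not the post's own code) of the user_id-tagging approach carried through export, cascading deletion and a verification pass: SQLite stands in for Postgres/Supabase, and the schema and rows are constructed. It only covers the primary database; backups, analytics and third-party tools still need their own deletion step.

```python
import json
import sqlite3

# Constructed stand-in for the Postgres/Supabase layout the post describes: every
# table holding personal data carries a user_id foreign key with ON DELETE CASCADE.
SCHEMA = """
CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT NOT NULL);
CREATE TABLE subscriptions (id INTEGER PRIMARY KEY, plan TEXT,
    user_id INTEGER NOT NULL REFERENCES users(id) ON DELETE CASCADE);
CREATE TABLE support_tickets (id INTEGER PRIMARY KEY, body TEXT,
    user_id INTEGER NOT NULL REFERENCES users(id) ON DELETE CASCADE);
"""

def open_db():
    conn = sqlite3.connect(":memory:")
    conn.row_factory = sqlite3.Row
    conn.execute("PRAGMA foreign_keys = ON")  # SQLite ignores ON DELETE CASCADE without this
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO users VALUES (?, ?)", [(1, "a@example.eu"), (2, "b@example.eu")])
    conn.executemany("INSERT INTO subscriptions VALUES (?, ?, ?)", [(10, "pro", 1), (11, "free", 2)])
    conn.executemany("INSERT INTO support_tickets VALUES (?, ?, ?)", [(100, "help", 1), (101, "more", 1)])
    return conn

def tables_with_user_id(conn):
    """Discover every table tagged with user_id from the schema, not from a hand-kept list."""
    names = [r[0] for r in conn.execute("SELECT name FROM sqlite_master WHERE type = 'table'")]
    return [t for t in names
            if any(c[1] == "user_id" for c in conn.execute(f'PRAGMA table_info("{t}")'))]

def export_user(conn, user_id):
    """Portability request: every row tied to user_id, as a dict ready for json.dumps()."""
    user = conn.execute("SELECT * FROM users WHERE id = ?", (user_id,)).fetchone()
    out = {"users": [dict(user)] if user else []}
    for t in tables_with_user_id(conn):
        rows = conn.execute(f'SELECT * FROM "{t}" WHERE user_id = ?', (user_id,))
        out[t] = [dict(r) for r in rows]
    return out

def erase_user(conn, user_id):
    """Erasure request: one DELETE on users cascades to every child table. Returns the
    tables that still hold rows for user_id, so an empty dict backs the confirmation."""
    with conn:
        conn.execute("DELETE FROM users WHERE id = ?", (user_id,))
    left = {"users": conn.execute("SELECT COUNT(*) FROM users WHERE id = ?", (user_id,)).fetchone()[0]}
    for t in tables_with_user_id(conn):
        left[t] = conn.execute(f'SELECT COUNT(*) FROM "{t}" WHERE user_id = ?', (user_id,)).fetchone()[0]
    return {t: n for t, n in left.items() if n}
```

Export before you erase: json.dumps(export_user(db, 1), indent=2) is the download, and erase_user(db, 1) == {} is the check behind the 30-day confirmation.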

Step 4: Vendor Audit

List every vendor that touches user data:

  • Cloud hosting (AWS, GCP, Azure)
  • Analytics (Google Analytics, Mixpanel, Amplitude)
  • Email (SendGrid, Postmark)
  • Support (Intercom, Zendesk)
  • CRM (HubSpot, Salesforce)
  • Payments (Stripe, PayPal)

For each vendor:

  • Do they have a DPA? (sign it)
  • Are they GDPR/CCPA compliant? (check their security page)
  • Where do they store data? (EU, US, other)

If a vendor can’t provide a DPA or proof of compliance, consider switching.

Step 5: Minimize Data Collection

The less data you collect, the less risk you have.

Ask yourself:

  • Do we really need date of birth? (probably not)
  • Do we need full addresses? (depends on product)
  • Do we need to track every click? (probably not)
  • Can we anonymize analytics data? (yes, usually)

One analytics platform switched to anonymizing IP addresses by default. GDPR risk dropped significantly.

Step 6: Set Retention Policies

Don’t keep data forever.

Example retention policy:

  • Active user data: Keep while account is active
  • Inactive users: Delete after 2 years of inactivity
  • Support tickets: Keep for 1 year
  • Analytics data: Anonymize after 90 days
  • Backup data: Expire backups after 30 days

Write it down. Automate it where possible.
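An added example (not the post's own code) that automates the retention policy above as a scheduled job: SQLite stands in for the production database, and the schema, periods and sample rows are constructed. It also shows an ordering trap: analytics must be anonymized before inactive accounts are deleted, or the cascade wipes events the policy meant to keep.

```python
import sqlite3
from datetime import date, timedelta

# Retention periods from the post's example policy (days); constructed config, set per table.
RETENTION = {"inactive_user_days": 730, "support_ticket_days": 365, "analytics_anonymize_days": 90}
TODAY = date(2026, 6, 1)  # constructed reference date for the sample data

# Constructed schema: analytics_events.user_id is nullable so an anonymized event outlives its account.
SCHEMA = """
CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT, last_active TEXT NOT NULL);
CREATE TABLE support_tickets (id INTEGER PRIMARY KEY, body TEXT, created TEXT NOT NULL,
    user_id INTEGER NOT NULL REFERENCES users(id) ON DELETE CASCADE);
CREATE TABLE analytics_events (id INTEGER PRIMARY KEY, ip TEXT, created TEXT NOT NULL,
    user_id INTEGER REFERENCES users(id) ON DELETE CASCADE);
"""

def anonymize_ip(ip):
    """Keep the /24 for aggregate stats, drop the host octet that identifies a person."""
    parts = ip.split(".")
    return ".".join(parts[:3] + ["0"]) if len(parts) == 4 else None

def apply_retention(conn, today):
    """One scheduled run of the policy. Anonymize first: deleting inactive users would
    otherwise cascade into events the policy says to keep in anonymized form."""
    cutoff = lambda days: (today - timedelta(days=days)).isoformat()
    with conn:
        stale = conn.execute("SELECT id, ip FROM analytics_events WHERE created < ? AND user_id IS NOT NULL",
                             (cutoff(RETENTION["analytics_anonymize_days"]),)).fetchall()
        for ev_id, ip in stale:
            conn.execute("UPDATE analytics_events SET user_id = NULL, ip = ? WHERE id = ?",
                         (anonymize_ip(ip) if ip else None, ev_id))
        tickets = conn.execute("DELETE FROM support_tickets WHERE created < ?",
                               (cutoff(RETENTION["support_ticket_days"]),)).rowcount
        users = conn.execute("DELETE FROM users WHERE last_active < ?",
                             (cutoff(RETENTION["inactive_user_days"]),)).rowcount
    # Counts are returned so each run can be logged as evidence the policy is enforced.
    return {"anonymized_events": len(stale), "deleted_tickets": tickets, "deleted_users": users}

def sample_db(today):
    """Constructed sample data relative to today: one active user, one inactive for 800 days."""
    conn = sqlite3.connect(":memory:")
    conn.execute("PRAGMA foreign_keys = ON")
    conn.executescript(SCHEMA)
    ago = lambda days: (today - timedelta(days=days)).isoformat()
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [(1, "active@example.eu", ago(10)), (2, "gone@example.eu", ago(800))])
    conn.executemany("INSERT INTO support_tickets VALUES (?, ?, ?, ?)",
                     [(1, "recent", ago(20), 1), (2, "old", ago(400), 1), (3, "from inactive user", ago(30), 2)])
    conn.executemany("INSERT INTO analytics_events VALUES (?, ?, ?, ?)",
                     [(1, "203.0.113.7", ago(5), 1), (2, "198.51.100.9", ago(120), 2)])
    return conn
```

Run apply_retention(sample_db(TODAY), TODAY) and the inactive user, their ticket and the year-old ticket are gone, while the 120-day-old event survives with no user_id and a truncated IP.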

Tools That Make Compliance Easier

Privacy Management Platforms

  • Osano - Privacy compliance automation ($200-$2K/month)
  • OneTrust - Enterprise privacy management ($$$)
  • Termly - Privacy policy and consent management ($10-$200/month)
  • iubenda - Privacy policy generator and compliance tools ($27-$300/month)

For startups, Termly or iubenda are usually enough.

Data Discovery Tools

  • BigID - Find personal data across your systems
  • Varonis - Data security and governance
  • Manual audit - Honestly, for most startups, a spreadsheet works fine

Cookie Consent Tools

  • Cookiebot - Cookie compliance ($9-$49/month)
  • OneTrust - Enterprise cookie management
  • Osano - Consent management included

Only needed if you use cookies beyond strictly necessary ones.

Common Startup Mistakes

Mistake #1: Ignoring GDPR Until Someone Asks

“We’ll deal with it when we have EU customers.”

Then you get your first EU customer and they ask: “Are you GDPR compliant? Can we see your DPA?”

And you have to say: “Give us 3 months.”

Deal delayed or lost.

Fix: Build compliance in from day one. It’s not that hard early.

Mistake #2: Copy-Pasting Privacy Policies

Don’t copy another company’s privacy policy. It won’t match what your product actually does.

GDPR requires accurate privacy policies. Inaccurate policy = violation.

Fix: Use a template, but customize it for your actual data practices.

Mistake #3: No Process for Deletion Requests

User requests deletion. You… do what exactly?

If you don’t have a process, you’ll scramble, miss deadlines, or delete incompletely.

Fix: Document the process. Test it quarterly. Make sure it works.

Mistake #4: Forgetting About Backups

You delete user data from production. Great.

But it still exists in:

  • Database backups (kept for 30 days)
  • Log files (kept for 90 days)
  • Analytics tools (kept forever)
  • Email marketing (still subscribed)

GDPR requires deletion everywhere, including backups (or document why you can’t).

Fix: Map all systems. Include backups in deletion process.

Mistake #5: Third-Party Tools Without DPAs

You add Google Analytics, Intercom, HubSpot without checking if they’re GDPR compliant or signing DPAs.

One regulatory complaint and you’re liable for your vendors’ practices.

Fix: Vendor audit. Sign DPAs. Document everything.

Enforcement Reality in 2026

GDPR Fines Are Real Now

Early years of GDPR (2018-2022): Most fines were warnings or small amounts.

2026: Regulators are aggressive. Recent fines:

  • Small ecommerce company: €50K for not responding to deletion request
  • Analytics company: €2.5M for tracking without consent
  • SaaS company: €750K for data breach notification delay

It’s not just the Googles and Facebooks anymore. SMBs get fined too.

CCPA Enforcement is Growing

California Attorney General is ramping up enforcement. Private lawsuits are increasing.

Recent settlements:

  • $1.2M for failing to honor opt-out requests
  • $800K for not disclosing data sales
  • $500K for discriminating against users who opted out

If you hit the CCPA thresholds ($25M revenue or 100K users), compliance is mandatory.

The Minimum Viable Compliance Approach

If you’re an early-stage startup, here’s the minimum:

Time: 8-12 hours
Cost: $0-500

  1. Data mapping spreadsheet (4 hours)
  2. Privacy policy with template (2 hours)
  3. User data export feature (2 hours dev time)
  4. User deletion process documented (1 hour)
  5. Sign DPAs with major vendors (1 hour)
  6. Add “Do Not Sell” link if selling to California (1 hour)

This won’t make you 100% compliant, but it covers the basics and shows good faith effort.

As you grow, invest more:

  • Hire a privacy lawyer for policy review
  • Implement automated deletion
  • Use privacy management platform
  • Conduct regular audits

For more on building security into your startup, see Building Your First Engineering Team and When to Pursue SOC 2.

The Bottom Line

GDPR and CCPA aren’t optional if you have customers in those regions.

But compliance doesn’t have to be expensive or complicated for startups:

  • Map your data (know what you have)
  • Update your privacy policy (be transparent)
  • Implement basic user rights (export and deletion)
  • Sign DPAs with vendors (protect yourself)
  • Document everything (prove compliance)

Start small. Build it into your product from day one. Scale compliance as you grow.

Better to spend 8 hours now than deal with a €250K fine later.

Need help with privacy compliance or security strategy? Book a call to discuss your specific situation and compliance requirements.
