
CCPA vs. GDPR: Analytics Compliance for SaaS Founders

If you run a SaaS product with users in California or Europe, here is a clear explanation of what each law actually requires, who it applies to, and what it means specifically for the analytics tools you use.

This guide cuts through the vague advice. By the end, you will know whether each law applies to you, what it requires for analytics specifically, and what you need to do about it.

The Two Laws and Who They Actually Cover

GDPR: The EU's Regulation

The General Data Protection Regulation was adopted in 2016 and has applied since May 25, 2018. It replaced the 1995 Data Protection Directive (95/46/EC) and, being a regulation rather than a directive, applies directly in every EU member state (and, through the EEA agreement, in Norway, Iceland and Liechtenstein) without domestic implementing legislation.

Who it applies to: Under Article 3, any organization established in the EU, and any organization outside it that processes personal data of people in the EU while offering them goods or services (paid or free) or monitoring their behaviour. Web analytics that tracks EU visitors is behaviour monitoring (Recital 24), so a startup incorporated in Delaware with no EU employees is still subject to GDPR if it serves EU users and tracks their visits. The test is presence in the EU, not citizenship or residency.

Penalties: Up to 4% of global annual revenue or 20 million euros, whichever is higher, for the most serious violations. Smaller violations have a lower ceiling (2% of global revenue or 10 million euros). These are maximums. Regulators apply proportionality. A 5-person startup is unlikely to receive the same fine as a multinational, but the legal exposure is real.

Enforcement: Each member state has a supervisory authority (DPA). For a controller established in the EU, the DPA of its main establishment takes the lead, which is why the Irish Data Protection Commission handles many cases against US tech companies with Irish headquarters and has issued some of the largest GDPR fines. A controller with no EU establishment can be pursued by the DPA of any member state where affected users are located. Germany's DPAs (one per state) are aggressive on cookie consent enforcement.

CCPA: California's Law

The California Consumer Privacy Act came into force on January 1, 2020. It was amended by the California Privacy Rights Act (CPRA), which became fully effective on January 1, 2023. The CPRA created a dedicated enforcement agency, the California Privacy Protection Agency.

Who it applies to: For-profit businesses that do business in California, collect consumers' personal information, AND meet at least one of these thresholds:

  • Gross annual revenue exceeding $25 million in the preceding calendar year (the CPRA has this figure adjusted for inflation every two years, so the current number is somewhat higher)
  • Buys, sells, or shares the personal information of 100,000 or more California consumers or households per year ("shares" means disclosure for cross-context behavioral advertising, so advertising pixels count)
  • Derives 50% or more of annual revenue from selling or sharing personal information

The $25 million revenue threshold is the one most SaaS founders should pay attention to. If your company grosses less than that, does not sell data, and does not feed visitor data to advertising platforms at scale, CCPA almost certainly does not apply to you. The one trap for smaller companies is the second threshold: a site with 100,000 or more Californian visitors a year whose data flows to an ad platform through a retargeting pixel is "sharing" the personal information of 100,000 consumers. This exemption is meaningful and often goes unmentioned.

Penalties: $2,500 per unintentional violation, $7,500 per intentional violation or any violation involving a consumer under 16. Because penalties accrue per violation, a systemic defect that touches many users compounds quickly. Enforcement is by the California Attorney General and the California Privacy Protection Agency; the private right of action is limited to data breaches and does not reach analytics practices.

How Each Law Defines Personal Data

The definitions matter enormously for analytics, because the obligations only apply when you are processing "personal data."

GDPR Article 4 definition: Personal data means "any information relating to an identified or identifiable natural person." An identifiable natural person is one who can be identified, directly or indirectly, by reference to an identifier such as a name, an identification number, location data, an online identifier, or factors specific to physical or genetic identity.

IP addresses are personal data under GDPR. The European Court of Justice ruled on this in the Breyer case (C-582/14) in 2016. Even a dynamic IP address that changes with each connection can constitute personal data if the data controller has the legal means to identify the natural person behind it. Cookie identifiers are personal data. Browser fingerprints are personal data.

CCPA definition: Personal information means information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, to a particular consumer or household. The CCPA explicitly lists IP addresses as personal information.

The definitions are similar in scope. Both laws treat IP addresses and cookie identifiers as personal information that triggers compliance obligations.

What Each Law Requires for Analytics Specifically

GDPR Requirements for Analytics

GDPR requires a lawful basis for every instance of personal data processing. Article 6 lists six lawful bases. For analytics, the relevant ones are:

Consent (Article 6(1)(a)): The user agrees to the processing before it occurs. This is the basis cookie-based analytics relies on, but the banner requirement actually comes from a second law. Article 5(3) of the ePrivacy Directive (implemented nationally, for example in §25 of Germany's TDDDG, formerly TTDSG, and Article 82 of France's Loi Informatique et Libertés) requires consent before storing or reading anything on the user's device that is not strictly necessary for the service the user asked for. Analytics cookies, localStorage entries and fingerprints fail the "strictly necessary" test, so consent is needed for the storage access itself, and GDPR then governs what you do with the resulting data. That is why tracking on compliant sites does not begin until the banner is answered.

Consent under GDPR has specific requirements: it must be freely given, specific, informed, and unambiguous. Pre-ticked boxes do not count. Bundled consent (agreeing to analytics as part of agreeing to terms of service) does not count for purposes unrelated to contract performance. The user must be able to withdraw consent as easily as they gave it.

Legitimate interests (Article 6(1)(f)): Processing is necessary for the legitimate interests of the data controller, unless those interests are overridden by the interests or rights of the data subject. Some companies argue that basic analytics is a legitimate interest. For data you already hold that may be arguable, but it does not rescue cookie-based analytics: ePrivacy Article 5(3) demands consent for the non-essential storage access regardless of the GDPR basis, and several European DPAs, including CNIL in France, have said so explicitly. CNIL does exempt narrowly scoped audience-measurement trackers from consent (first-party only, anonymous aggregate statistics, no cross-site tracking, limited identifier lifetime), but a tool has to be configured to meet those conditions to qualify.

No personal data, no requirement: If nothing your analytics system retains is personal data, Article 6 imposes nothing on the retained data, and ePrivacy Article 5(3) is not triggered because nothing is stored on or read from the device. This is the position taken by cookieless analytics tools. Be precise about the claim, though: receiving an IP address in an HTTP request and hashing it is itself processing, however brief, so the defensible statement is that no personal data is stored and that what is stored is anonymous in the Recital 26 sense, not that personal data never touches the system.

CCPA Requirements for Analytics

CCPA does not require consent before collecting data. Its mechanism is different: it gives consumers the right to opt out of the sale or sharing of their personal information. If you collect analytics data and that data goes to third parties for cross-context behavioral advertising (which is CCPA's definition of "sharing"), you need a "Do Not Sell or Share My Personal Information" link and, under the CPPA regulations, must honor opt-out preference signals such as Global Privacy Control sent by the browser.

For a SaaS company running its own analytics to understand product usage, with no data flowing to advertisers or data brokers, the opt-out requirement is not triggered. You are collecting data to provide your own service, and disclosure to an analytics vendor acting as your "service provider" under a contract that limits it to that purpose is not a sale or sharing under CCPA's definitions. Check that the vendor contract actually contains those restrictions; without them the vendor is a third party and the analysis changes.

CCPA also requires businesses that meet its thresholds to provide a privacy notice disclosing the categories of personal information they collect, the purposes for which they use it and how long they retain it, and to honor consumers' requests to know and to delete. These are transparency and access obligations, not consent requirements.

What "Cookieless" Analytics Means for Compliance

Under GDPR

The analysis is straightforward if you reason from the definition of personal data.

If your analytics tool processes personal data (stores cookies, logs IP addresses, uses fingerprints), you need a lawful basis. The most legally defensible basis is consent, which requires a consent banner and accepts some data loss from users who decline.

If your analytics tool stores no cookies, uses no fingerprints, and never writes the IP address anywhere, keeping only a keyed hash of it computed with a secret that rotates, then nothing it retains is personal data. GDPR's consent requirement does not apply to the stored data, and because nothing is written to or read from the device, ePrivacy Article 5(3) is not engaged either.

Two implementation details decide whether that claim holds. First, a plain hash of an IP address is not anonymisation: there are only about four billion IPv4 addresses, so anyone holding the hash can recompute every candidate in minutes. The hash has to be keyed with a secret that the stored data does not reveal. Second, while that secret is live, the operator can still recompute the hash for any given address, which makes the value a pseudonymous identifier rather than an anonymous one, and Recital 26 is explicit that pseudonymised data "which could be attributed to a natural person by the use of additional information" is still personal data. The stored values become anonymous only when the salt is gone: it must live in memory only, never be logged or backed up, and be destroyed at rotation.

Recital 26 of GDPR states: "The principles of data protection should therefore not apply to anonymous information, namely information which does not relate to an identified or identifiable natural person or to personal data rendered anonymous in such a manner that the data subject is not or no longer identifiable." A visitor token derived from a daily-rotating salt qualifies as anonymous information under this recital once the day's salt has been discarded; for the window while the salt exists, the honest description is short-lived pseudonymous data that is never stored alongside the means of reversing it.

The practical result: a properly implemented cookieless analytics tool like Abner requires no consent banner and no cookie notice for analytics purposes, and the stored analytics data itself carries no GDPR obligations. Your privacy notice should still describe the mechanism, and "properly implemented" means the salt handling above, not merely the absence of a cookie.

Under CCPA

If your company is below $25 million in annual revenue and meets neither of the other two thresholds, CCPA does not apply at all, regardless of your analytics approach.

If you are above the threshold, the key question is whether you are selling or sharing analytics data. Running your own analytics dashboard and making product decisions based on the data is not selling. You are not transferring personal information to a third party for monetary or other valuable consideration. CCPA's core opt-out mechanism does not apply.

You would still need to disclose in your privacy policy that you collect analytics data and describe how it is used, but this is a transparency obligation, not a consent or opt-out requirement.

GDPR vs. CCPA at a Glance

  • Jurisdiction. GDPR: European Union (27 member states) plus the EEA. CCPA: California, USA.
  • Applies since. GDPR: May 25, 2018. CCPA: January 1, 2020 (CPRA amendments from January 1, 2023).
  • Who is covered. GDPR: Any organization established in the EU, or one outside it that offers goods or services to people in the EU or monitors their behaviour. CCPA: For-profit businesses doing business in California that exceed the revenue, data-volume or data-sale thresholds above.
  • IP addresses are... GDPR: Personal data (CJEU, Breyer). CCPA: Personal information.
  • Consent before collecting? GDPR: A lawful basis is needed for any personal data; storing or reading cookies and similar identifiers needs consent (ePrivacy). CCPA: No (opt-out of sale or sharing, not opt-in).
  • Cookieless analytics exempt? GDPR: Yes, if nothing stored is personal data (Recital 26). CCPA: Largely yes, if you are not selling or sharing the data.
  • Maximum penalty. GDPR: 4% of worldwide annual turnover or 20 million euros, whichever is higher. CCPA: $7,500 per intentional violation.
  • Enforced by. GDPR: National DPAs (e.g. CNIL, DPC). CCPA: California Attorney General and the CPPA.

Compliance Checklist for SaaS Analytics

Work through each item for your current setup:

  1. Are you using Google Analytics 4? If yes, you are processing personal data: GA4 sets first-party cookies (_ga and _ga_<container-id>) holding a client identifier and sends events to Google's servers. EU users' data requires a consent mechanism under ePrivacy and a Data Processing Agreement with Google. CNIL issued formal notices in 2022 over Google Analytics (then Universal Analytics) on EU-US transfer grounds, as did Austria's DSB; the EU-US Data Privacy Framework adopted in July 2023 changed the transfer analysis for certified vendors, but the cookie consent requirement is unaffected.
  2. Do you store raw IP addresses in any analytics database or log file? If yes, those IP addresses are personal data under GDPR and need a lawful basis, a retention period and access controls. Truncate before storage (zero the last octet of an IPv4 address, and at least the last 80 bits of an IPv6 address, since an IPv6 /64 usually maps to a single subscriber) or replace them with a keyed hash whose key rotates and is discarded. An unkeyed hash is not enough: the IPv4 address space is small enough to enumerate.
  3. Does your analytics JavaScript set cookies? Check your browser's developer tools (the Application or Storage panel) on your own site. If you see cookies named _ga, _gid, _fbp, amplitude_id, or similar analytics cookies, you are storing persistent identifiers that require consent for EU users. Look at localStorage and sessionStorage in the same panel; identifiers written there receive the same treatment.
  4. Do you have a consent banner for EU users? If you answered yes to items 1, 2, or 3, and you have EU visitors, you need a consent mechanism that meets GDPR standards. Pre-ticked boxes do not comply. Rejecting must be as easy as accepting. "Cookie settings" buried in a footer does not comply unless the banner appears before tracking begins.
  5. Is your analytics data sent to US-based servers? EU personal data transferred to the US requires a legal mechanism. Standard Contractual Clauses (SCCs) with a transfer impact assessment are the most common; since July 2023, transfers to a vendor certified under the EU-US Data Privacy Framework are also covered. Check whether your analytics vendor provides a Data Processing Agreement (DPA) and which transfer mechanism it relies on. Google Analytics offers a DPA. Many smaller tools do as well.
  6. Is your annual gross revenue above $25 million? If yes and you do business in California, CCPA applies. If no, check the 100,000-consumer sharing threshold, which retargeting pixels can trip. If you are subject to CCPA, ensure your privacy policy discloses the categories of personal information collected, their purposes and retention periods.
  7. Do you share analytics data with any third party for advertising purposes? If yes and you are subject to CCPA, you need a "Do Not Sell or Share My Personal Information" link and must honor Global Privacy Control signals. This is the CCPA provision most likely to affect SaaS companies that use advertising platforms.
  8. Do you have a privacy policy that accurately describes your analytics? Every site collecting any data should have a privacy policy, regardless of GDPR or CCPA applicability. It should state what analytics tool you use, what data it collects, and how long it is retained.
  9. Does your analytics tool have a data retention period? GDPR's storage limitation principle requires that you keep personal data only as long as necessary. If your analytics vendor retains raw event data indefinitely, confirm the data is genuinely anonymized or configure a retention period.
  10. If you use a cookieless tool, have you verified it is genuinely cookieless? Read the vendor's technical documentation and then verify it yourself: load your site, open developer tools, and confirm the script sets no cookies and writes nothing to localStorage, sessionStorage or IndexedDB (all three receive the same treatment as cookies under ePrivacy Article 5(3)). Ask the vendor how IP addresses are handled before hashing and where the salt lives. Separately, remember that your web server, CDN and WAF access logs record raw IP addresses regardless of which analytics tool you use; that is its own processing activity with its own lawful basis (usually legitimate interest in security) and retention period, and the analytics choice does not remove it.
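A static pre-check for items 3 and 10, written for this article as an added example (it is not any vendor's code and does not describe any real product's script): it scans a tracking script's source for the browser APIs that persist or derive an identifier, and parses the Set-Cookie headers returned by the collection endpoint to separate persistent identifiers from session cookies. The two script bodies and the headers are constructed samples, and the cookie-name list is a starter set, not a complete one. Fetch the real script and headers with curl and feed them to audit(); then confirm the result in the browser's developer tools, because a minified or obfuscated script can hide an API name (window['local'+'Storage']) from a regex.

```python
"""Static pre-check for checklist items 3 and 10: scan a vendor's tracking
script for client-side storage and fingerprinting APIs, and parse the
Set-Cookie headers its collection endpoint returns. Added example, not any
vendor's code; both script bodies below are constructed stand-ins."""
import re
from http.cookies import SimpleCookie

# Browser APIs that persist or derive an identifier on the client. ePrivacy
# Article 5(3) covers all of them, not only document.cookie.
STORAGE_APIS = {
    "document.cookie": r"document\s*\.\s*cookie",
    "localStorage": r"\blocalStorage\b",
    "sessionStorage": r"\bsessionStorage\b",
    "indexedDB": r"\bindexedDB\b",
    "canvas fingerprint": r"\.toDataURL\s*\(|\.getImageData\s*\(",
    "WebGL fingerprint": r"UNMASKED_(VENDOR|RENDERER)_WEBGL",
}

# Cookie names from the article plus other well-known analytics cookies
# (starter list, not exhaustive). "_ga" also catches GA4's per-property
# "_ga_<container-id>" cookie.
KNOWN_ANALYTICS_COOKIES = re.compile(
    r"^(_ga|_gid|_gat|_fbp|amplitude_id|ajs_anonymous_id|mp_.*_mixpanel|_hj)")


def scan_script(js_source: str) -> list:
    """Names of storage/fingerprint APIs the script references, in table order."""
    return [name for name, pattern in STORAGE_APIS.items()
            if re.search(pattern, js_source)]


def scan_set_cookie(headers: list) -> list:
    """Parse Set-Cookie headers. Max-Age or Expires makes a cookie persistent;
    one without either dies with the browser session."""
    findings = []
    for header in headers:
        jar = SimpleCookie()
        jar.load(header)
        for name, morsel in jar.items():
            findings.append({
                "name": name,
                "persistent": bool(morsel["max-age"] or morsel["expires"]),
                "known_analytics": bool(KNOWN_ANALYTICS_COOKIES.match(name)),
            })
    return findings


def audit(js_source: str, set_cookie_headers: list) -> dict:
    """Combine both scans. 'cookieless' is True only if neither finds anything."""
    apis = scan_script(js_source)
    cookies = scan_set_cookie(set_cookie_headers)
    return {
        "client_storage_apis": apis,
        "persistent_cookies": [c["name"] for c in cookies if c["persistent"]],
        "cookieless": not apis and not cookies,
    }


# Constructed sample: a typical cookie-based tracker (not any real product).
COOKIE_BASED_JS = """
(function(){var id=localStorage.getItem('vid')||Math.random().toString(36).slice(2);
localStorage.setItem('vid',id);
document.cookie='_ga=GA1.2.'+id+'; max-age=63072000; path=/';
navigator.sendBeacon('/collect',JSON.stringify({id:id,u:location.href}));})();
"""

# Constructed sample: a tracker that sends only the page path, referrer and
# viewport width and stores nothing on the client.
COOKIELESS_JS = """
(function(){navigator.sendBeacon('/event',JSON.stringify(
{u:location.pathname,r:document.referrer,w:innerWidth}));})();
"""

# Constructed sample Set-Cookie headers from a /collect response.
SAMPLE_HEADERS = [
    "_ga=GA1.2.1234567890.1700000000; Max-Age=63072000; Path=/; Domain=.example.com",
    "sessionid=abc123; Path=/; HttpOnly",
]

if __name__ == "__main__":
    print(audit(COOKIE_BASED_JS, SAMPLE_HEADERS))
    print(audit(COOKIELESS_JS, []))
```

The session cookie in the sample is reported but not counted as persistent, which matches the legal distinction: a cookie that is strictly necessary and dies with the session is a different case from a long-lived identifier, and the headers tell you which one you have.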

How Abner Handles Both Regulations

Abner's approach to both laws flows from a single technical decision: no personal data is stored.

The tracking script (abner.js, approximately 1.8KB) sets no cookies and writes nothing to localStorage or sessionStorage. When a pageview event arrives at the server, the ingestion layer hashes the visitor's IP address together with the User-Agent string and a salt that rotates every 24 hours. The raw IP is never written to any database or log file. The resulting hash cannot be reversed to recover the IP address as long as the salt itself is never persisted, and hashes from different days cannot be linked to each other.
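The mechanism just described, rebuilt as a stand-alone Python example so the two caveats from the GDPR section can be seen rather than asserted. This is added code, not Abner's implementation: HMAC-SHA256, a 32-byte random salt, a UTC day boundary, the /24 and /48 truncation lengths and the site name as a domain separator are all assumptions, and the IP address and User-Agent are constructed samples. The reidentify function shows why the salt must be discarded: with it in hand, a sweep of a /16 (65,534 candidate addresses) recovers the visitor in well under a second.

```python
"""Cookieless visitor tokens: prefix truncation, a daily-rotating keyed hash of
(IP, User-Agent), and a demonstration that the hash is only anonymous once the
salt is gone. Added example; not Abner's code. Parameters are assumptions."""
import datetime as dt
import hashlib
import hmac
import ipaddress
import secrets
from typing import Iterable, Optional


def truncate_ip(ip_str: str, v4_prefix: int = 24, v6_prefix: int = 48) -> str:
    """Zero the host bits. A /24 leaves 256 IPv4 candidates; IPv6 needs a much
    shorter prefix because a /64 is normally one subscriber, so /48 is used here."""
    ip = ipaddress.ip_address(ip_str)
    prefix = v4_prefix if ip.version == 4 else v6_prefix
    return str(ipaddress.ip_interface(f"{ip}/{prefix}").network.network_address)


class DailySalt:
    """One random salt held in memory; replaced when the UTC date changes.
    The old salt is dropped (never logged or persisted), which is what turns
    yesterday's pseudonymous tokens into anonymous ones."""

    def __init__(self) -> None:
        self._day: Optional[dt.date] = None
        self._salt: bytes = b""

    def for_time(self, now: dt.datetime) -> bytes:
        day = now.astimezone(dt.timezone.utc).date()
        if day != self._day:
            self._day, self._salt = day, secrets.token_bytes(32)
        return self._salt


def visitor_id(salt: bytes, ip: str, user_agent: str, site: str) -> str:
    """HMAC-SHA256 keyed with the day's salt. The site name is a domain
    separator so the same visitor gets unrelated tokens on different sites."""
    msg = f"{site}|{ip}|{user_agent}".encode()
    return hmac.new(salt, msg, hashlib.sha256).hexdigest()


def reidentify(salt: bytes, target: str, candidates: Iterable, user_agent: str,
               site: str) -> Optional[str]:
    """Whoever holds the salt can brute-force a token: the input space
    (2^32 IPv4 addresses times a handful of common User-Agents) is tiny."""
    for ip in candidates:
        if hmac.compare_digest(visitor_id(salt, str(ip), user_agent, site), target):
            return str(ip)
    return None


def demo() -> dict:
    """Constructed sample visitor (RFC 5737 test address, made-up User-Agent)."""
    ua = "Mozilla/5.0 (X11; Linux x86_64; rv:125.0) Gecko/20100101 Firefox/125.0"
    ip, site = "203.0.113.57", "example.com"
    salts = DailySalt()
    morning = dt.datetime(2024, 5, 1, 9, 0, tzinfo=dt.timezone.utc)
    evening = morning + dt.timedelta(hours=8)
    next_day = morning + dt.timedelta(days=1)

    day_salt = salts.for_time(morning)
    token_am = visitor_id(day_salt, ip, ua, site)
    token_pm = visitor_id(salts.for_time(evening), ip, ua, site)
    # The salt is still live here, so a /16 sweep (65,534 HMACs) finds the IP.
    recovered = reidentify(day_salt, token_am,
                           ipaddress.ip_network("203.0.0.0/16").hosts(), ua, site)
    token_tomorrow = visitor_id(salts.for_time(next_day), ip, ua, site)
    # After rotation the old salt is unreachable; yesterday's tokens are now
    # anonymous and cannot be linked to today's.
    return {
        "same_day_linkable": token_am == token_pm,
        "next_day_linkable": token_am == token_tomorrow,
        "recovered_with_salt": recovered,
        "truncated_v4": truncate_ip(ip),
        "truncated_v6": truncate_ip("2001:db8:85a3:8d3:1319:8a2e:370:7348"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The design point is where the salt lives. Any copy of it (a log line at startup, a config file, a crash dump, a database row "for debugging") turns every token computed that day back into a pseudonym for the IP address, and the Recital 26 argument collapses for that day's data.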

Because no personal data is stored at any point, GDPR's consent requirement does not apply. There is no cookie notice needed for Abner specifically. Your privacy policy can accurately state that no personal data is collected by your analytics system, which is a factually correct representation of how the data flows.

For CCPA: Abner does not sell or share data with any third party. Data is processed solely to provide analytics to the site owner. If you are subject to CCPA (for example, because you exceed $25 million in revenue), you are not selling or sharing personal information through your analytics when using Abner, so the opt-out mechanism is not triggered.

If your company is below the CCPA thresholds and you switch to Abner from a cookie-based tool, your compliance posture simplifies significantly. You can remove your consent banner and simplify the analytics section of your privacy policy. Keep a Data Processing Agreement with the vendor nonetheless: the raw request, IP address included, still reaches its servers before hashing, and the DPA is what obliges the vendor to handle it the way this article describes.

A final note on legal advice: this article describes the general legal landscape as accurately as possible, but it is not legal advice. Privacy law is jurisdiction-specific and fact-dependent. If you have specific concerns about your legal obligations, consult a privacy attorney who practices in the relevant jurisdictions.

Ready to try Abner? Start your free 14-day trial — no credit card required.