Data Privacy Compliance Decision Tree

Type: Execution Recipe | Confidence: 0.87 | Sources: 7 | Verified: 2026-03-11

Purpose

This recipe determines which data privacy regulations apply to a startup based on user locations, data types, business model, and revenue thresholds. The output is a prioritized compliance matrix with applicable laws, key requirements, implementation tasks, and a gap analysis.

Prerequisites

Constraints

Tool Selection Decision

| Regulation | Applies When | Threshold | Max Penalty | Consent Model |
|---|---|---|---|---|
| GDPR (EU) | Any EU/EEA user data | None | 4% revenue or EUR 20M | Opt-in |
| UK GDPR | Any UK user data | None | GBP 17.5M or 4% | Opt-in |
| CCPA/CPRA | $26.6M+ revenue OR 100K+ users | Revenue or volume | $7,988/violation | Opt-out |
| PIPEDA | Commercial activity in Canada | None | CAD 100K/violation | Meaningful |
| LGPD | Brazil resident data | None | 2% revenue, BRL 50M max | Opt-in |
| US State Laws | State resident data | ~100K+ consumers | Varies | Mostly opt-out |

Execution Flow

Step 1: Map User Locations to Regulations

Duration: 30 minutes. Identify user jurisdictions. No-threshold laws: EU = GDPR, UK = UK GDPR, Canada = PIPEDA, Brazil = LGPD, children under 13 = COPPA. Threshold-based: CCPA ($26.6M+ or 100K+ CA consumers), 20 US state laws (most at 100K+).

Verify: All jurisdictions mapped. Applicable regulations identified.

Step 2: Assess Data Types and Processing Activities

Duration: 30-60 minutes. Map special categories: GDPR Art. 9 (health, biometric, genetic, racial, political, religious), CCPA sensitive PI (SSN, financial, geolocation, biometric). Cross-regulation: health data = HIPAA + GDPR Art. 9; financial = GLBA + privacy laws; children = COPPA + GDPR Art. 8.

Verify: All data categories mapped to enhanced requirements.

Step 3: Determine Consent and Legal Basis Requirements

Duration: 30 minutes. GDPR: opt-in (6 legal bases). CCPA: opt-out + "Do Not Sell" link + honor GPC. PIPEDA: meaningful consent. If GDPR applies, build opt-in by default (satisfies most other laws).

Verify: Consent mechanism identified per law. Legal basis documented.

Step 4: Map Required Rights and Mechanisms

Duration: 30-60 minutes. Universal rights: access, deletion, correction. GDPR-specific: portability, restrict processing, object. CCPA-specific: opt-out of sale, limit sensitive data. Build verifiable request mechanism with response timelines (GDPR: 30 days, CCPA: 45 days).

Verify: All required rights identified. Timelines documented.

Step 5: Build Implementation Roadmap

Duration: 30-60 minutes. Week 1-2: privacy policy, consent mechanism, "Do Not Sell" link, request intake. Week 3-4: processing records, rights workflows, vendor DPAs, DPO appointment. Month 2-3: DPIA, retention policies, breach procedures, training.

Verify: Roadmap complete with owners and deadlines.

Quality Benchmarks

| Quality Metric | Minimum | Good | Excellent |
|---|---|---|---|
| Regulation coverage | Major laws identified | State-level included | Attorney-validated |
| Data inventory | Core types mapped | All collection points | Third-party SDKs included |
| Rights mechanisms | Access + deletion | All applicable rights | Automated fulfillment |
| Consent implementation | Basic banner | Jurisdiction-specific | Full preference center |

Error Handling

| Error | Cause | Recovery |
|---|---|---|
| Missed jurisdiction | Users from unexpected region | Add regulation, implement within 30 days |
| Incorrect threshold | Revenue/user count changed | Reassess quarterly, implement before threshold reached |
| Request timeout | No process in place | Set up intake immediately, respond within legal deadline |
| Consent not captured | Technical error | Audit mechanism, ensure no cookies before consent |
| Missing vendor DPA | Oversight | Execute DPA immediately, audit vendor practices |

Cost Breakdown

| Component | DIY | Privacy Tool | Full Legal |
|---|---|---|---|
| Regulation mapping | $0 | $0 | $3K-$10K |
| Privacy policy | $10-$50/mo | $10-$50/mo | $2K-$5K |
| Consent management | $0-$12/mo | $50-$200/mo | $5K+ |
| Rights fulfillment | Manual ($0) | $100-$500/mo | $5K-$20K |
| Total Year 1 | $120-$600 | $2K-$10K | $15K-$80K+ |

Anti-Patterns

Wrong: Assuming GDPR doesn't apply because you're a US company

GDPR applies to any organization processing EU/EEA resident data, regardless of company location. [src1]

Correct: Map regulations by user location, not company location

Use analytics to identify user jurisdictions. If you have EU users, GDPR compliance is required regardless of where the company is headquartered.

Wrong: Using a single privacy policy template for all jurisdictions

GDPR and CCPA have different disclosure requirements. A combined template without jurisdiction-specific sections creates gaps. [src3]

Correct: Unified policy with jurisdiction-specific sections

Build one policy addressing shared requirements, with labeled sections for GDPR rights (EU), CCPA rights (California), and other provisions.

When This Matters

Use after entity formation, before launching any product collecting personal data. Privacy compliance must be built into architecture — retrofitting is 5-10x more expensive.