Data Privacy Compliance Decision Tree
Purpose
This recipe determines which data privacy regulations apply to a startup based on user locations, data types, business model, and revenue thresholds. The output is a prioritized compliance matrix with applicable laws, key requirements, implementation tasks, and a gap analysis.
Prerequisites
- User location data — countries and US states where users are located
- Data inventory — categories of personal data collected
- Business model clarity — how data is used (product, ads, sharing)
- Revenue estimate — for threshold-based regulations
- Entity formed — completed legal checklist
Constraints
- Privacy laws apply by user location, not company location. US startup with EU users = GDPR. [src1]
- Multiple regulations apply simultaneously. Comply with the strictest standard. [src4]
- 20 US states enforce privacy laws by 2026. Three more take effect in 2026 (RI, KY, IN). [src5]
- CCPA applies at $26.6M+ revenue OR 100K+ consumers OR 50%+ data revenue. Any single threshold triggers full compliance. [src2]
- GDPR fines up to 4% global turnover or EUR 20M. Over EUR 6.7B in fines issued as of 2025. [src6]
Tool Selection Decision
| Regulation | Applies When | Threshold | Max Penalty | Consent Model |
|---|---|---|---|---|
| GDPR (EU) | Any EU/EEA user data | None | 4% revenue or EUR 20M | Opt-in |
| UK GDPR | Any UK user data | None | GBP 17.5M or 4% | Opt-in |
| CCPA/CPRA | $26.6M+ revenue OR 100K+ consumers OR 50%+ data revenue | Revenue, volume or data revenue | $7,988/violation | Opt-out |
| PIPEDA | Commercial activity in Canada | None | CAD 100K/violation | Meaningful |
| LGPD | Brazil resident data | None | 2% revenue, BRL 50M max | Opt-in |
| US State Laws | State resident data | ~100K+ consumers | Varies | Mostly opt-out |
Execution Flow
Step 1: Map User Locations to Regulations
Duration: 30 minutes. Identify user jurisdictions. No-threshold laws: EU = GDPR, UK = UK GDPR, Canada = PIPEDA, Brazil = LGPD, children under 13 = COPPA. Threshold-based: CCPA ($26.6M+ or 100K+ CA consumers), 20 US state laws (most at 100K+).
Verify: All jurisdictions mapped. Applicable regulations identified.
Step 2: Assess Data Types and Processing Activities
Duration: 30-60 minutes. Map special categories: GDPR Art. 9 (health, biometric, genetic, racial, political, religious), CCPA sensitive PI (SSN, financial, geolocation, biometric). Cross-regulation: health data = HIPAA + GDPR Art. 9; financial = GLBA + privacy laws; children = COPPA + GDPR Art. 8.
Verify: All data categories mapped to enhanced requirements.
Step 3: Determine Consent and Legal Basis Requirements
Duration: 30 minutes. GDPR: opt-in (6 legal bases). CCPA: opt-out + "Do Not Sell" link + honor GPC. PIPEDA: meaningful consent. If GDPR applies, build opt-in by default (satisfies most other laws).
Verify: Consent mechanism identified per law. Legal basis documented.
Step 4: Map Required Rights and Mechanisms
Duration: 30-60 minutes. Universal rights: access, deletion, correction. GDPR-specific: portability, restrict processing, object. CCPA-specific: opt-out of sale, limit sensitive data. Build verifiable request mechanism with response timelines (GDPR: 30 days, CCPA: 45 days).
Verify: All required rights identified. Timelines documented.
Step 5: Build Implementation Roadmap
Duration: 30-60 minutes. Week 1-2: privacy policy, consent mechanism, "Do Not Sell" link, request intake. Week 3-4: processing records, rights workflows, vendor DPAs, DPO appointment. Month 2-3: DPIA, retention policies, breach procedures, training.
Verify: Roadmap complete with owners and deadlines.
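One way to encode Step 1 (jurisdiction mapping) and Step 3 (strictest consent model wins) as a small rule engine, added here as an example and not part of the original recipe. It uses only the thresholds the recipe states; the `Profile` fields, the treatment of any US state at 100K+ consumers as having a law in force, and the test inputs are constructed assumptions.

```python
"""Added example: the recipe's Step 1 jurisdiction mapping and Step 3 'strictest
consent wins' rule. Thresholds are the recipe's; 100K/state is its approximation."""
from dataclasses import dataclass

EU_EEA = {"AT", "BE", "BG", "HR", "CY", "CZ", "DK", "EE", "FI", "FR", "DE", "GR",
          "HU", "IE", "IT", "LV", "LT", "LU", "MT", "NL", "PL", "PT", "RO", "SK",
          "SI", "ES", "SE", "IS", "LI", "NO"}  # 27 EU members + 3 EEA states
COUNTRY_LAWS = {"GB": "UK GDPR", "CA": "PIPEDA", "BR": "LGPD"}  # "CA" = Canada here
CCPA_REVENUE, CCPA_CONSUMERS, CCPA_DATA_SHARE = 26_600_000, 100_000, 0.50
STATE_CONSUMERS = 100_000  # recipe: "20 US state laws (most at 100K+)"

# Consent models from the Tool Selection table, ranked by strictness.
CONSENT_RANK = {"opt-out": 0, "meaningful": 1, "opt-in": 2}
CONSENT_BY_LAW = {"GDPR": "opt-in", "UK GDPR": "opt-in", "LGPD": "opt-in",
                  "PIPEDA": "meaningful", "CCPA/CPRA": "opt-out"}


@dataclass
class Profile:                   # assumed input shape, not from the recipe
    user_countries: set          # ISO 3166-1 alpha-2 codes of user locations
    us_state_consumers: dict     # US state code -> consumers in the last 12 months
    annual_revenue: float        # USD
    data_revenue_share: float    # fraction of revenue from selling/sharing PI
    under_13_users: bool


def applicable_regulations(p: Profile) -> list:
    """Step 1: no-threshold laws first, then threshold-based ones."""
    laws = ["GDPR"] if p.user_countries & EU_EEA else []
    laws += [law for code, law in COUNTRY_LAWS.items() if code in p.user_countries]
    if p.under_13_users:
        laws.append("COPPA")
    ca = p.us_state_consumers.get("CA", 0)  # state code CA = California
    # CCPA: any ONE threshold triggers full compliance (given California consumers).
    if ca and (p.annual_revenue >= CCPA_REVENUE or ca >= CCPA_CONSUMERS
               or p.data_revenue_share >= CCPA_DATA_SHARE):
        laws.append("CCPA/CPRA")
    # Other states: the recipe's approximation; confirm the statute is in force.
    laws += [f"State law ({s})" for s, n in sorted(p.us_state_consumers.items())
             if s != "CA" and n >= STATE_CONSUMERS]
    return laws


def required_consent_model(laws: list) -> str:
    """Step 3: build for the strictest model any applicable law demands.
    State laws default to opt-out per the table; COPPA is not ranked here."""
    models = [CONSENT_BY_LAW.get(law, "opt-out") for law in laws if law != "COPPA"]
    return max(models, key=CONSENT_RANK.__getitem__) if models else "none"
```

Build a `Profile` from analytics data and call `required_consent_model(applicable_regulations(profile))`; a US startup with German and UK users and 120K Texas consumers comes out as GDPR, UK GDPR and a Texas state law, with opt-in as the consent model to build.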
Quality Benchmarks
| Quality Metric | Minimum | Good | Excellent |
|---|---|---|---|
| Regulation coverage | Major laws identified | State-level included | Attorney-validated |
| Data inventory | Core types mapped | All collection points | Third-party SDKs included |
| Rights mechanisms | Access + deletion | All applicable rights | Automated fulfillment |
| Consent implementation | Basic banner | Jurisdiction-specific | Full preference center |
Error Handling
| Error | Cause | Recovery |
|---|---|---|
| Missed jurisdiction | Users from unexpected region | Add regulation, implement within 30 days |
| Incorrect threshold | Revenue/user count changed | Reassess quarterly, implement before threshold reached |
| Request timeout | No process in place | Set up intake immediately, respond within legal deadline |
| Consent not captured | Technical error | Audit mechanism, ensure no cookies before consent |
| Missing vendor DPA | Oversight | Execute DPA immediately, audit vendor practices |
Cost Breakdown
| Component | DIY | Privacy Tool | Full Legal |
|---|---|---|---|
| Regulation mapping | $0 | $0 | $3K-$10K |
| Privacy policy | $10-$50/mo | $10-$50/mo | $2K-$5K |
| Consent management | $0-$12/mo | $50-$200/mo | $5K+ |
| Rights fulfillment | Manual ($0) | $100-$500/mo | $5K-$20K |
| Total Year 1 | $120-$600 | $2K-$10K | $15K-$80K+ |
Anti-Patterns
Wrong: Assuming GDPR doesn't apply because you're a US company
GDPR applies to any organization processing EU/EEA resident data, regardless of company location. [src1]
Correct: Map regulations by user location, not company location
Use analytics to identify user jurisdictions. EU users = GDPR compliance required regardless of company HQ.
Wrong: Using a single privacy policy template for all jurisdictions
GDPR and CCPA have different disclosure requirements. A combined template without jurisdiction-specific sections creates gaps. [src3]
Correct: Unified policy with jurisdiction-specific sections
Build one policy addressing shared requirements, with labeled sections for GDPR rights (EU), CCPA rights (California), and other provisions.
When This Matters
Use after entity formation, before launching any product collecting personal data. Privacy compliance must be built into architecture — retrofitting is 5-10x more expensive.