Nov 27, 2025

GDPR vs CCPA vs Australian Privacy Act: Which Compliance Framework to Implement First

AUTHOR

James A. Wondrasek

[Figure: GDPR vs CCPA vs Australian Privacy Act framework comparison flowchart and decision matrix for SMB tech companies]

You’re running a 150-person SaaS company. Your board keeps asking when you’ll achieve GDPR compliance. California just fined a competitor $2 million. And your Australian customer asked which Privacy Principles you follow.

Which framework do you tackle first? How much will this cost? Can you leverage work from one framework for the others?

This guide is part of our comprehensive tech regulatory compliance guide, where we explore the evolving landscape of global privacy regulations. Here, we provide clear decision criteria based on your customer base, side-by-side comparisons of requirements, and a phased implementation strategy that prevents duplicating work across frameworks.

Which privacy framework applies to my business based on customer location?

Your framework obligations depend on where customers are located, not where you operate. GDPR (General Data Protection Regulation) applies if you process data of EU/EEA residents. CCPA (California Consumer Privacy Act) applies to California residents if you meet revenue or data volume thresholds. Australian Privacy Act 1988 applies if you operate in Australia with AUD 3 million+ annual turnover.

GDPR has the broadest reach. If you’re processing personal data of anyone in the EU/EEA, GDPR applies regardless of your business location. There’s no revenue threshold. No minimum number of users. One EU customer puts you in scope.

CCPA applies to for-profit organisations collecting personal data about California residents that meet at least one of three criteria: annual gross revenues above $25 million, buying/receiving/selling personal information of 50,000 or more California residents/households/devices, or deriving 50% or more of annual revenue from selling California residents’ personal information.

The 50,000 threshold catches more businesses than expected. IP addresses count as personal information under CCPA, so any website with 50,000 visitors from California hits the threshold. That’s roughly 135 unique California visitors per day.

The Australian Privacy Act applies to Australian government agencies and to organisations with annual turnover of AUD 3 million or more. It also covers foreign entities processing personal data about individuals in Australia. Recent Australian Privacy Act enforcement examples demonstrate the regulator’s increasingly assertive stance toward tech companies.

Map your customer distribution to understand obligations:

This assessment determines which frameworks apply. Most global SaaS companies need all three.

What are the main differences between GDPR, CCPA, and the Australian Privacy Act?

GDPR requires opt-in consent and has the strictest penalties (up to 4% global revenue). CCPA uses an opt-out model with lower penalties (up to $7,500 per violation). Australian Privacy Act focuses on 13 Privacy Principles with penalties up to AUD 50 million or 30% domestic turnover for serious breaches.

GDPR allows supervisory authorities to impose fines up to €20 million or 4% of annual global turnover, whichever is higher. That’s global turnover, not just EU revenue. For a $100 million revenue company, maximum GDPR fines reach $4 million.

CCPA fines businesses $2,663 per unintentional violation and $7,988 per intentional violation. These are per-violation fines. Consumers can also sue for statutory damages between $100 and $750 per incident for data breaches due to lack of reasonable security.

Australian Privacy Act penalties for serious breaches reach AUD 50 million, 30% of domestic turnover during the breach period, or three times the value of benefits obtained. Whichever amount is greater applies.

Consent models differ fundamentally.

GDPR requires opt-in consent. You must obtain explicit affirmative permission before collecting or processing personal data. Consent must be freely given, specific, informed, and unambiguous. Silence or pre-ticked boxes don’t satisfy GDPR requirements.

CCPA operates primarily on an opt-out model. Businesses can collect data unless consumers request that they stop, and the opt-out right applies primarily to data sales. The regulation requires opt-in consent before selling or sharing data of minors aged 13 to 16, and parental approval for children under 13.

Australian Privacy Act requires reasonable steps to obtain consent for sensitive information—more flexible than GDPR’s strict requirements. This applies particularly to health data, racial information, and biometrics.

Enforcement approaches vary by jurisdiction.

GDPR enforcement involves data protection authorities across EU member states. Enforcement is proactive, with regulators investigating complaints and conducting audits. They don’t wait for consumer complaints.

CCPA relies on the California Attorney General for enforcement, with consumers having a private right of action for specific data breaches. Businesses get a 30-day cure period for certain violations before fines apply. This gives you breathing room that GDPR doesn’t.

Australian Privacy Act enforcement uses a graduated response through the Office of the Australian Information Commissioner (OAIC): education, enforceable undertakings, then penalties. The regulator prefers working with businesses to achieve compliance.

Data subject rights scope also differs. GDPR provides comprehensive rights: access, rectification, erasure, portability, restriction, and objection. CCPA focuses on access, deletion, and opt-out of data sales. Australian Privacy Act emphasises access and correction rights through Australian Privacy Principles (APPs) 12 and 13.

How do I choose which framework to implement first?

Implement the framework matching your largest customer segment first. If serving EU customers, start with GDPR as it provides the strongest foundation for other frameworks. For US-focused companies, begin with CCPA. Australia-only businesses should prioritise Australian Privacy Act. Use gap analysis to leverage existing compliance for subsequent frameworks.

Map revenue and user count by jurisdiction. If 60% of revenue comes from EU customers, start with GDPR. If California accounts for 70% of users, begin with CCPA. Australian companies with domestic focus start with Australian Privacy Act.

Risk-based prioritisation considers penalty exposure. GDPR’s 4% global revenue penalty represents significant financial risk. CCPA’s per-violation fines accumulate for high-volume businesses. Australian Privacy Act’s AUD 50 million maximum represents substantial exposure.

GDPR’s comprehensive requirements generally exceed those of CCPA and the Australian Privacy Act, making it a solid foundation for both. GDPR requires opt-in consent, comprehensive data subject rights, DPIAs for high-risk processing, Privacy by Design, and DPOs for certain organisations. Build this properly and you’ve done most of the work for the other frameworks.

For organisations operating globally, creating a unified program meeting the highest standards reduces duplication while ensuring compliance. Typical sequence: GDPR → CCPA → Australian Privacy Act. Once you’ve selected your framework, our framework implementation guide provides detailed compliance program steps from risk assessment through audit preparation.

Decision Matrix

Score each factor (1-10) and apply weights:

Highest score determines starting framework.

What are the key compliance requirements I need to implement for each framework?

All three frameworks require data mapping, privacy policies, individual rights fulfilment, security controls, breach notification, and vendor management. GDPR additionally mandates Privacy Impact Assessments for high-risk processing, explicit consent, and Data Protection Officers for certain organisations. CCPA requires “Do Not Sell” mechanisms and separate consumer rights disclosures.

Universal Requirements

Data inventory forms the foundation. Organisations must maintain comprehensive inventories supporting GDPR’s lawful basis documentation and CCPA’s transparency requirements. Document what you collect, where it’s stored, how it’s processed, who has access, and retention periods.

Privacy policies must transparently explain collection, use, sharing, and individual rights. Security safeguards protect against unauthorised access—GDPR mandates encryption and pseudonymisation; CCPA holds businesses accountable for reasonable security.

GDPR-Specific

DPIAs required for high-risk processing (large-scale sensitive data, systematic monitoring, automated decision-making). DPO appointment mandatory for public authorities, large-scale monitoring, or large-scale sensitive data processing. Privacy by Design (Article 25). Standard Contractual Clauses for transfers outside EU/EEA. For organisations building AI products, GDPR Article 22 automated decision-making creates additional compliance obligations beyond standard privacy requirements.

CCPA-Specific

“Do Not Sell My Personal Information” link prominently displayed. Separate consumer notice at collection. Financial incentive disclosures if you offer different prices or services based on data collection. 12-month data lookback for requests. Authorised agent verification process.

Australian Privacy Act Specifics

13 APPs guide information handling across the lifecycle. Collection principles (APPs 1-5) cover transparency and notices. Use principles (APPs 6-9) include APP 8 cross-border disclosure accountability. Integrity principles (APPs 10-13) mandate security and access/correction rights.

Implementation Tiers

Tier 1 (immediate): data mapping, privacy policy, security basics
Tier 2 (3 months): consent management, DSAR process
Tier 3 (6 months): DPIAs, vendor audits, training

How much does it cost to implement GDPR, CCPA, or Australian Privacy Act compliance?

For 50-500 employee SMB tech companies, expect $75,000-$250,000 for initial GDPR compliance, $40,000-$120,000 for CCPA, and $30,000-$90,000 for Australian Privacy Act. Costs cover gap analysis, consent management platform, data mapping tools, policy development, and 6-12 months staff time. Multi-framework approach saves 30-40% vs separate implementations.

Component Breakdown

Gap analysis: $10K-$25K
Legal consultation: $15K-$40K
Consent management platform: $12K-$60K annually
Data discovery tools: $8K-$30K
Staff time: 0.5-2 FTE for 6-12 months ($75K-$300K)

Framework-Specific Costs

GDPR (highest): DPIAs, Privacy by Design, DPO where required ($100K-$200K annually)
CCPA (moderate): “Do Not Sell” mechanism ($10K-$30K), consumer request handling ($15K-$40K)
Australian Privacy Act (lowest): $20K-$40K incremental for GDPR-compliant organisations

Phased Budget Allocation

Year 1: $75K-$250K (foundation framework)
Year 2: $30K-$80K (second framework additions)
Year 3: $20K-$60K (third framework)
Total: $125K-$390K spread across three years

Ongoing costs: $50K-$150K annually (platforms $12K-$60K, DSAR handling $30K-$75K, audits $15K-$35K, training $5K-$15K)

For a $50M revenue SaaS company, maximum GDPR penalties reach $2M (4% of revenue). Implementation costs of $75K-$250K represent 3.75%-12.5% of penalty exposure—clear ROI before considering customer trust and competitive advantage.

What is the difference between opt-in consent under GDPR and opt-out under CCPA?

GDPR requires opt-in consent: you must obtain explicit affirmative permission before collecting or processing personal data. CCPA uses opt-out: you can collect data unless consumers request to stop, primarily for data sales. Pre-ticked boxes don’t satisfy GDPR. CCPA requires prominent “Do Not Sell My Personal Information” link.

GDPR consent requires active agreement via ticking boxes or selecting settings. Each processing purpose requires separate consent. Withdrawal must be as simple as giving consent. If opting in takes two clicks, opting out must take no more than two clicks.

Other GDPR legal bases exist: contract performance, legal obligations, vital interests, public tasks, legitimate interests. Consent is one option, not always required. Many businesses over-rely on consent when legitimate interests would suffice.

CCPA operates on opt-out: businesses collect data unless consumers exercise opt-out rights. Exceptions: selling data from minors 13-16 requires opt-in; under 13 requires parental approval.

Multi-Framework Implementation

Implement layered consent using geolocation: explicit opt-in for EU users, clear opt-out for California residents. Your consent management platform (CMP) detects user location and presents the appropriate flow. Australian users receive APP-compliant notices.
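As an added illustration (not code from the article or from any CMP vendor), the following minimal consent router implements the layered flow just described: region detection is assumed to happen upstream (for example a geo-IP lookup) and be passed in, and the EEA country list, purpose names and policy version are constructed samples.

```javascript
// Added example, not code from the article or from any CMP vendor: a minimal
// jurisdiction-aware consent router for the layered flow described above.
// Country/region detection is assumed to happen upstream (e.g. a geo-IP lookup)
// and be passed in; the EEA list, purposes and policy version are constructed samples.

const PURPOSES = ["analytics", "marketing", "sale_or_share"];

// Constructed, abbreviated EU/EEA list; a real deployment needs the full list.
const EEA = new Set(["DE", "FR", "IE", "NL", "IT", "ES", "SE", "NO", "IS", "LI"]);

// Map a detected location to the consent regime the article describes.
function regimeFor(country, region) {
  if (EEA.has(country)) return "GDPR";
  if (country === "US" && region === "CA") return "CCPA";
  if (country === "AU") return "APP";
  return "DEFAULT";
}

// Consent state before the user has interacted with the banner.
// GDPR: opt-in, so every purpose starts denied (no pre-ticked boxes).
// CCPA: opt-out, so purposes start allowed, except sale/sharing for users
//       under 16 (13-16 must opt in; under 13 additionally needs parental approval).
// APP and DEFAULT: notice-based collection, modelled like opt-out here.
function initialState(regime, age) {
  const state = {};
  for (const p of PURPOSES) state[p] = regime !== "GDPR";
  if (regime === "CCPA" && age !== undefined && age < 16) state.sale_or_share = false;
  return state;
}

class ConsentRecord {
  constructor({ country, region, age, policyVersion, now = () => new Date().toISOString() }) {
    this.regime = regimeFor(country, region);
    this.age = age;
    this.policyVersion = policyVersion;
    this.now = now;
    this.state = initialState(this.regime, age);
    // Audit log: every state change, with the regime the user was placed in.
    this.log = [{ event: "init", regime: this.regime, state: { ...this.state }, at: now() }];
  }

  // Granting and withdrawing are the same single call, so withdrawal is never
  // harder than consenting (GDPR: withdrawal must be as easy as giving consent).
  set(purpose, allowed, { parentalApproval = false } = {}) {
    if (!PURPOSES.includes(purpose)) throw new Error(`unknown purpose: ${purpose}`);
    const child = this.regime === "CCPA" && this.age !== undefined && this.age < 13;
    if (child && purpose === "sale_or_share" && allowed && !parentalApproval) {
      throw new Error("sale/share for under-13s requires parental approval");
    }
    this.state[purpose] = allowed;
    this.log.push({ event: allowed ? "grant" : "withdraw", purpose, parentalApproval, at: this.now() });
    return this.receipt();
  }

  isPermitted(purpose) { return this.state[purpose] === true; }

  // Consent receipt: which regime applied, which policy version the user saw,
  // and the resulting choices. Store it with the audit log as evidence.
  receipt() {
    return { regime: this.regime, policyVersion: this.policyVersion, purposes: { ...this.state }, issuedAt: this.now() };
  }
}

// Banner variant to render, derived from the regime rather than hard-coded per page.
function bannerFor(regime) {
  const banners = {
    GDPR: { type: "opt-in", cta: "Accept selected purposes", preTicked: false },
    CCPA: { type: "opt-out", cta: "Do Not Sell My Personal Information", preTicked: true },
    APP: { type: "notice", cta: "Acknowledge collection notice", preTicked: true },
  };
  return banners[regime] || banners.APP;
}
```

The same ConsentRecord serves all three regimes; only the initial state and the banner variant differ, which is what lets one CMP and one audit trail cover GDPR, CCPA and the APPs.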

Can I use my GDPR compliance program as a foundation for CCPA and Australian Privacy Act?

Yes, GDPR provides the strongest foundation because its requirements are the most comprehensive. Gap analysis shows that CCPA requires adding opt-out mechanisms and financial incentive disclosures. The Australian Privacy Act requires verifying cross-border disclosure accountability and making APP-specific policy updates. This approach saves 30-40% of implementation costs versus separate programs.

GDPR compliance delivers complete data mapping, consent management, DSAR processes, security controls, breach notification, vendor DPAs, policies, and training that serve all frameworks. You’re building the hardest framework first—everything else becomes incremental additions.

CCPA Gaps (2-3 months with GDPR infrastructure vs 4-8 months from scratch):

Australian Privacy Act Gaps:

APPs share common principles with GDPR: transparency, consent, data minimisation, and security. Existing GDPR controls satisfy most requirements.

Unified Program Benefits

Single data inventory supports all frameworks. One CMP handles jurisdiction-specific flows. Consolidated vendor DPAs cover all frameworks. Unified training with incremental jurisdiction additions.

Implementation sequence: GDPR compliance (6-12 months) → CCPA gap analysis and additions (2-4 months) → Australian Privacy Act (1-2 months).

What are the Australian Privacy Principles and how do they compare to GDPR requirements?

The 13 Australian Privacy Principles (APPs) govern collection, use, disclosure, quality, security, access, and correction of personal information. APPs align closely with GDPR on transparency, data minimisation, security, and individual rights but offer more flexibility in implementation and don’t mandate Privacy Impact Assessments or Data Protection Officers.

APPs cover the entire lifecycle: Collection principles (APPs 1-5) address transparency, anonymity options, and collection notices. Use and disclosure principles (APPs 6-9) cover use limitations, direct marketing, and cross-border accountability. Integrity and security principles (APPs 10-13) mandate data quality, security safeguards, and access/correction rights.

GDPR Alignment

APP 1 requires clear and accessible policies, aligning with GDPR Articles 12-14. Data minimisation (APP 3/GDPR Article 5), security safeguards (APP 11/GDPR Article 32), and access/correction rights (APPs 12-13/GDPR Articles 15-16) overlap substantially.

Key Differences

GDPR requires DPOs for certain entities; APPs have no equivalent. GDPR mandates DPIAs for high-risk processing; Privacy Act recommends but doesn’t require them. Cross-border transfers require SCCs under GDPR vs reasonable contractual steps under APP 8.

Implementation for GDPR-Compliant Organisations

Existing GDPR controls satisfy most APP requirements. Add APP 8 cross-border documentation, OAIC breach notification format, anonymity options where practical, and Australian-specific policy language. Two to four weeks of work for most organisations.

How do I implement a phased multi-framework compliance strategy?

Start with the framework covering your largest customer base (typically GDPR for global SaaS). Complete full implementation in 6-12 months. Conduct gap analysis for next framework, implement deltas in 2-4 months. Repeat for third framework. This spreads costs over 18-24 months and reuses 60-70% of work across frameworks. For detailed implementation steps, see our complete compliance program guide.

Phase 1: Foundation Framework (Months 1-12)

Implement your primary framework completely. This includes data mapping, privacy governance structure, consent management platform, DSAR processes, vendor assessment and Data Processing Agreements, breach notification procedures, and staff training.

Resource allocation: 1-2 FTE over 6-12 months. Budget: 60-70% of total.

Phase 2: Gap Analysis (Month 13)

Compare existing controls to second framework requirements. List all requirements, map each to existing controls, identify gaps and overlaps. This analysis typically reveals 30-40% reuse from your foundation framework.

Resource allocation: 0.3 FTE over 2-4 weeks.

Phase 3: Second Framework (Months 14-17)

Add jurisdiction-specific mechanisms. For CCPA after GDPR: implement “Do Not Sell” mechanism, add California-specific notices, create authorised agent process, configure CMP for opt-out, update policies.

Resource allocation: 0.5-1 FTE over 2-4 months. Budget: 25-30% of total.

Phase 4: Third Framework (Months 18-24)

Repeat gap analysis for Australian Privacy Act. Add APP-specific policy updates, cross-border disclosure documentation, OAIC breach notification format, and anonymity options.

Resource allocation: 0.3-0.5 FTE over 2-4 months. Budget: 10-15% plus ongoing costs.

Budget phasing: Year 1 ($75K-$175K), Year 2 ($30K-$80K), Year 3 ($20K-$60K) spreads $125K-$315K across three years instead of a single overwhelming budget hit.

What consent management platform should I choose for multi-framework compliance?

Select platforms supporting GDPR granular consent, CCPA opt-out signals, and Australian Privacy Act flexibility. OneTrust and TrustArc serve enterprise needs ($50,000+ annually). CookieYes and Cookiebot suit SMBs ($5,000-$15,000 annually). Open-source options like Klaro reduce costs but require developer resources.

Essential features include jurisdiction detection, framework-specific consent flows, preference centres, consent receipts, and audit logs. Platforms must support both opt-in consent for GDPR and opt-out mechanisms for CCPA.

Enterprise Platforms

OneTrust ($50K-$100K+ annually): Comprehensive features including automated cookie scanning, consent orchestration, DSAR automation, and vendor risk management. Best for 500+ employees or highly regulated industries.

TrustArc ($40K-$80K annually): Compliance automation with assessment tools and certification support. Strong for financial services and healthcare.

SMB-Friendly Platforms

CookieYes ($5K-$12K annually): Good GDPR/CCPA coverage with cookie scanning, consent banners, preference centres. Simple implementation, reliable performance.

Cookiebot ($8K-$15K annually): Excellent automated cookie scanning and detailed compliance reports. Strong developer documentation.

Open-Source

Klaro: Free JavaScript consent manager requiring developer customisation (1-3 weeks implementation, 2-5 hours monthly maintenance). Good option if you have engineering capacity and want control.

Selection Criteria

Buy commercial platforms if you have limited developer resources, need quick deployment, or require compliance guarantees. Build custom solutions if you have unique requirements and strong development resources.

For most 50-500 employee SMB tech companies, CookieYes or Cookiebot provide the best value. They handle the complexity without enterprise pricing.

FAQ Section

What happens if I don’t comply?

GDPR penalties reach €20 million or 4% of global revenue. CCPA fines are $2,663-$7,988 per violation. Australian Privacy Act penalties reach AUD 50 million or 30% of domestic turnover. Beyond fines, non-compliance damages customer trust and triggers regulatory audits that consume months of executive time.

Do I need a Data Protection Officer?

GDPR requires DPOs for public authorities, large-scale monitoring, or large-scale sensitive data processing. Most SMB SaaS companies don’t qualify. Appoint a Privacy Officer for accountability even when not required—someone senior who can push back when product wants to cut corners.

How long does implementation take?

6-12 months for GDPR, 4-8 months for CCPA, 3-6 months for Australian Privacy Act. Phased multi-framework approach: 18-24 months total. Don’t try to rush this—cutting corners creates technical debt that costs more later.

Can startups afford compliance?

Yes. Open-source tools, templates, and internal resources enable $15K-$40K initial compliance. Upgrade as revenue grows. Pre-seed startups can start with basics and mature the program alongside the business.

How do cross-border transfers work?

GDPR requires SCCs, BCRs, or adequacy decisions. CCPA has minimal restrictions. APP 8 requires contractual obligations. Use GDPR mechanisms as baseline—they satisfy other frameworks by default.

Do I need separate privacy policies?

No. Create one comprehensive policy with jurisdiction-specific sections. Use geolocation to show relevant portions. This reduces maintenance burden and prevents policy drift across versions.

How do I handle DSARs across frameworks?

Implement unified process meeting strictest requirements. Process all requests within 30 days to satisfy all frameworks. Build the workflow once, use it everywhere.

What is Privacy by Design?

Embedding privacy protections from system inception. GDPR mandates it (Article 25); CCPA and Australian Act recommend it. Think privacy before you write code, not after you ship.

Can I get certified?

No direct regulatory certification exists. ISO 27701, ISO 27001, and SOC 2 demonstrate privacy program maturity. They’re optional but helpful for enterprise sales.

What are notifiable data breaches?

GDPR requires notification within 72 hours. CCPA requires notification without unreasonable delay. Australian Act requires OAIC notification when likely to cause serious harm. Build incident response procedures before you need them.

How does vendor management differ?

GDPR requires DPAs specifying processing terms. CCPA requires contracts prohibiting retention outside business relationship. APP 8 requires reasonable steps for vendor compliance. Use GDPR DPAs as baseline, add framework-specific provisions in annexes.

Next Steps

Framework selection represents your first critical compliance decision. Once you’ve determined which regulation applies to your business, the real work begins: building controls, implementing technical safeguards, and establishing processes that satisfy regulatory requirements while supporting business operations.

For a complete overview of the regulatory landscape and guidance on criminal penalties, personal liability risks, and AI-specific compliance requirements, explore our regulatory compliance overview. To begin implementation, our compliance program guide provides step-by-step guidance from risk assessment through audit preparation.
