Tax & Compliance
GDPR + CCPA: When US Startups Become Subject to Data Privacy Laws
Collated by Aparna Devalla, CPA
Curated by Rubric Financial
1 / 4
When GDPR Applies to a US Startup
- GDPR applies if you process personal data of EU/EEA residents, regardless of where YOUR company is based.
- Triggers: signing your first EU enterprise customer, having any EU end users on your platform, even running marketing campaigns targeting EU residents.
- Penalties are existential: up to €20M or 4% of annual global revenue, whichever is higher. Even smaller fines (€10K-100K) for procedural violations are common.
- If you have ANY EU footprint, you need a GDPR compliance program. The good news: most of it is good privacy hygiene that helps with other regulations too.
Related Resources
Tax & Compliance
PCI DSS Basics Every Finance Leader Should Know
A practical primer on PCI DSS scope, responsibilities, and how SaaS companies limit their compliance burden.
Tax & ComplianceISOs vs NSOs: Structuring Option Grants
How Incentive Stock Options and Non-Qualified Stock Options differ in tax treatment, eligibility, and when to use each type in your startup's equity compensation plan.
Tax & ComplianceSection 754 Election: Step-Up Basis for Partnerships (and Why S-Corps Can't)
The §754 election is the mechanism that lets partnerships and LLCs step up the inside basis of their assets when a partner dies, transfers their interest, or takes a distribution. S-corps have no equivalent, a real cost founders often discover too late.