Privacy Laws Explained – GDPR, CCPA, and New State Requirements

Every website that collects visitor data is subject to privacy laws. Whether you run a small online shop or a SaaS business, you must comply with regulations like GDPR in Europe, CCPA in California, and eight new U.S. state privacy laws taking effect in 2025. Here's what you need to know in plain English.

What is GDPR?

The General Data Protection Regulation (GDPR) is Europe's privacy law. It requires businesses to:

• Get clear consent before collecting personal data
• Provide a privacy policy explaining what data you collect and why
• Allow users to access, correct, or delete their data
• Notify authorities within 72 hours of a data breach

Penalties: up to €20 million or 4% of annual global turnover.

What is CCPA?

The California Consumer Privacy Act (CCPA) gives California residents rights over their data:

• Right to know what data you collect
• Right to opt out of data sales (must show "Do Not Sell My Data" link)
• Right to request deletion of personal data

Penalties: $2,500–$7,500 per violation.

8 New Privacy Laws Starting January 1, 2025

Montana, Oregon, Texas, Delaware, Iowa, Nebraska, New Hampshire, and New Jersey have passed laws similar to CCPA. If you do business online, you likely need to comply.

Penalties: $7,500–$20,000 per violation depending on the state.

Do You Need a Cookie Banner?

If your website uses tracking tools like Google Analytics, Facebook Pixel, or Hotjar, you must show a cookie banner to EU visitors (GDPR) and California residents (CCPA).

• Banner must appear before setting non-essential cookies
• Users must be able to accept or reject cookies
• Banner must link to your privacy policy

Key Requirements for All Privacy Laws