GDPR consent for analytics, the HIPAA pixel-tracking enforcement wave, and a side-by-side of GDPR vs CCPA. Privacy is the most operationally complex compliance layer — these pieces strip it down.
The HHS Office for Civil Rights and the FTC have made tracking pixels on health apps a top enforcement priority since 2023. The math is brutal because the violations are per-affected-user — a single Meta Pixel firing on a checkout page that mentions a medication can produce a six- or seven-figure settlement. Here's the pattern, the recent cases, and what to actually check.
If you're operating a SaaS or consumer app from anywhere in the world, you probably need to comply with both GDPR and CCPA — they reach you based on customer location, not company location. The good news: the requirements overlap significantly, and a single compliance architecture can satisfy both. Here's what triggers each, what they actually require, and where they diverge.
The cookie banner is the most-implemented and most-wrong piece of vibe-coded compliance. Either you don't have one and you're loading Meta Pixel on page-1 (GDPR violation), or you have one but it doesn't actually block tracking until consent (also GDPR violation). Here's the actual rule, the actual setup, and the cookieless option that skips the whole problem.
There is no federal US privacy law. Instead, there are 19 state laws as of 2026, each with its own thresholds, definitions, and consumer rights. Most indie SaaS founders ignore everything outside California and Texas — and most are missing real obligations. Here's the actual map of who you need to comply with, in plain English.
Analytics is the single most common place EU privacy law trips up SaaS founders. The rule is simpler than it looks: if your analytics involves reading or writing to the user's device (cookies, localStorage, fingerprinting) or processing personal data, you need consent before it fires. Here's the actual law, the narrow exceptions, and what regulators have done about it.